Tuesday, June 23, 2009

The Problem with Automated Defenses

Automation is often cited as a way to "do more with less." The theory is that if you can automate aspects of security, then you can free resources. This is true up to a point. The problem with automation is this:

Automated defenses are the easiest for an intruder to penetrate, because the intruder can repeatedly and reliably test attacks until he determines they will be successful and potentially undetectable.

I hope no one is shocked by this. In a previous life I worked in a lab that tested intrusion detection products. Our tests were successful when an attack passed by the detection system with as little fuss as possible.

That's not just an indictment of "IDS"; that approach works for any defensive technology you can buy or deploy off-the-shelf, from anti-malware to host IPS to anything that impedes an intruder's progress. Customization and localization help make automation more effective, but that tends to cost resources. So, automation by itself isn't bad, but mass-produced automation can provide a false sense of security to a certain point.

In tight economic conditions there is a strong managerial preference for the so-called self-defending network, which ends up being a self-defeating network for the reason in bold.

A truly mature incident detection and response operation exists because the enterprise is operating a defensible network architecture, and someone has to detect and respond to the failures that happen because prevention eventually fails. CIRTs are ultimately exception handlers that deal with everything that falls through the cracks. The problem happens when the cracks are the size of the Grand Canyon, so the CIRT deals with intrusions that should have been stopped by good IT and security practices.


Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

5 comments:

Keydet89 said...

Automagical response is not a good thing, per se. There are still organizations out there running outdated OSs (NT 4.0 SP 4) and outdated applications, because some developer told them that application code would break if the base OS was updated. Automagical response will break something that will end up being business critical...I don't say that because I think it will happen...I say it because I've seen it happen.

Alec Waters said...

Automated defences like anti-virus (whilst clearly suffering from the shortcomings of any signature-based technology) will also occasionally lie to you and tell you it's saved you when actually it hasn't. NSM to the rescue: http://wirewatcher.wordpress.com/2009/06/19/prevention-eventually-fails-part-one/

Richard Bejtlich said...

Hey Alec, great blog!

Alec Waters said...

Thanks :)

Anonymous said...

Or you could take a more heavy-handed approach like Sentinel IPS does and block attackers for one week at a time. That will kill their patience!