Value of Integrated Vulnerability Management and Intrusion Prevention Systems

Date:   Thursday , April 02, 2009

Good security must be transparent, invisible, and should not hamper the core business. Most organizations approach the intrusion prevention systems as a means to stop hacking and block viruses and worms. Unfortunately, such solutions just can’t do that 100 percent of the time. It is practically not possible to be able to stop everything at the network entry and egress points. At the same time, today’s IT landscape in the modern enterprise consists of a myriad range of applications, both well-known and custom, devices procured from a varied range of vendors, susceptible guest or third party locations, and desktop and end user focused attacks.

The attack mechanisms have shifted from being simple or poorly designed to extremely stealthy, professionally crafted, and targeted malware payloads. As an end result, one requires an enterprise-wide security posture that maintains acceptable risk tolerance levels, professes operational processes that address the entire IT landscape as a whole, and leverages the appropriate technology platforms to reinforce these processes. Among the vital processes required is a vulnerability management program. This helps an organization reduce its exposure to adversaries, both from within and without. This is commonly known as ‘attack surface reduction’. (A system’s attack surface is the set of ways in which an adversary can enter the system and potentially cause damage. Therefore, the larger the attack surface, the more insecure the system.) Hence to be effective, a vulnerability management program must play a key role in managing a company’s overall security posture and risk tolerance. For the IT team, however, aggregating and correlating vulnerability and incident data will result in improving security. The vulnerability management program can show how internal activities as well as external incidents can impact the modern enterprises’ risk profile via trending, prioritization, and relevance correlation. Such an extended view into the security posture helps in gauging the success of activities such as patching, system maintenance, network redesigns, and impact of new devices or applications as well as identifying other areas for improvement.

There are three crucial steps in an effective vulnerability management program. The first step is data aggregation across various scanning tools, system policy audit tools, and device configuration assessment tools. This is followed by prioritization in remediation, by establishing clear groups of assets on geographical, operational, and technological boundaries. The third and last step is continuous analysis and improvement, to understand how the various changes in the IT infrastructure and the threat landscape affect the attack surface of the company and actively work at reducing it.

A modern IT enabled enterprise has multiple mechanisms in place to meet the requirements like asset management systems, change management processes, inline IPS devices, vulnerability assessment tools, and audit tools. However, most lose out on the first step, i.e. data aggregation across these multiple mechanisms. It may be reasoned that having all the mechanisms in place is enough to meet the defined point objectives but that eventually doesn’t provide the practically possible amount of attack surface reduction or ROI that a modern enterprise should actually expect out of the entire process.

With a properly designed asset management system in place, the enterprise can identify criticality levels amongst its assets by accurately distinguishing between end-user desktops, servers, staging environments, local applications, network applications, and so on. This allows ease of deployment and management with well-defined boundaries between the various teams involved. With an inline IPS solution in place there is an accurate visibility of the malicious traffic flowing in the enterprise network. With data being correlated between the assets and the network-based threats being focused on such assets, it provides a very clear view of the attack surface of the enterprise as well as the directions in which the most immediate remedial actions are required to be taken. It is also possible to have dynamic vulnerability management programs that react and respond to information about potential network threats and automatically update the configuration for the inline IPS solutions. The higher the level of remedial actions undertaken at the IPS level, the lower the immediate human interventions required, and the faster the attack surface reduction for the enterprise. This also frees up resources for focus on really critical issues in the enterprise. So, by such data aggregation, there is a clear identification on which assets need to be protected first, how best they may be protected, at what level, and there is an overall umbrella cover over the assets by an inline IPS solution that can enforce dynamic rule-sets for different zones in the network in appropriate ways. This is an excellent way to have an efficient and continuously updating mechanism for overall attack surface reduction for an enterprise with the added benefits of reduction in resources required.

The aggregated data also lets the enterprise have relevant and accurate reports with minimal false positives. Such data allows the reports to be useful for the enterprise or a subsection of the enterprise based on asset classification or physical locations for any internal and external compliance, and regulatory or policy audits. Such detailed reports also help in demonstrating the ROI of the individual point solutions and the overall integrated vulnerability management solution. In case of any network security incident, such data aggregation allows the IT and security team to track and trace the root cause of the problem in a quick, convenient, and sensible way rather than wasting time in going through the logs of various point solutions. Clear indications can be realized as to the cause of the vulnerability and the steps required to resolve or mitigate them rather than just modifying specific ACL and IPS rules without a clear understanding of the real cause of the problem.

Hence, it can be concluded that a well designed vulnerability management program, when integrated with intrusion prevention systems, can offer a modern enterprise a deep view into its IT landscape, the threats affecting the landscape and its own attack surface, and the various feasible means to mitigate the threats and achieve the best ROI from the solutions and resources in place in the modern enterprise.

The author is Consultant at SecureSynergy.