One of the most difficult issues in network security is how to discover that a security incident has taken place, and then how to respond to it in a timely manner. For example, a common situation is a client system infected with a piece of malware while no system is in place to inform you that the malware is installed. Instead, you might have to wait until a full scan of that machine takes place, perhaps on a weekly basis, and then hope the user tells you the results of that scan. Or, if you have an enterprise solution in place, a centralized reporting solution tells you that the machine has a malware infection. In that case, you still have to do a lot of manual work to find out who the logged-in user was when the machine was infected, how the infection might have taken place, and what that malware might have done to that machine and to other machines during the course of the infection. There is a lot of administrator overhead in this scenario.
But what if you had a solution that was actually able to inform you that a machine is exhibiting suspicious behavior? For example, your firewall receives a port scan from a computer it has never received a port scan from before. Your firewall could find out the FQDN of the machine that issued the port scan, the name of the process on that machine that issued the port scan, and the logged-on user when the suspicious behavior began, and then even take action such as preventing that machine from connecting to the network until you take the administrative action of allowing it back onto the network.
This kind of proactive monitoring scenario offers you some significant advantages. The major advantage is that you, as the security administrator, are not really concerned with the technology that detected the possible security issue. What you're concerned with is the fact that a machine is showing behavior consistent with malware compromise and that action needs to be taken to limit the damage that machine can do to other machines on the network, as well as possible information leakage from the compromised machine. All of this can be taken care of for you via policy, giving you time to look into the details of the situation later to see what happened.
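The workflow described above (detect a first-time port scan at the firewall, enrich it with the source host's FQDN, logged-on user and owning process, then let policy decide whether to quarantine) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the original post and not the product's own logic; the firewall alert format, the endpoint inventory and the host names are all constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# --- Constructed sample data (invented for this example, not a real log format) ---

# Firewall alert lines in a made-up one-line-per-event format.
FIREWALL_ALERTS = """\
2008-02-11T09:14:02 PORT_SCAN src=10.0.1.55 dst=10.0.1.1 ports=22
2008-02-11T09:14:05 PORT_SCAN src=10.0.1.55 dst=10.0.1.1 ports=37
2008-02-11T09:15:10 PORT_SCAN src=10.0.2.17 dst=10.0.1.1 ports=5
2008-02-11T09:16:00 PORT_SCAN src=10.0.3.99 dst=10.0.1.1 ports=12
2008-02-11T09:16:30 ALLOWED src=10.0.1.55 dst=10.0.1.9 proto=tcp dport=445
"""

# What an endpoint agent might report for each client: FQDN, logged-on user and
# the process that owns the outbound connections. 10.0.3.99 is deliberately absent
# to show how an unmanaged host is handled.
ENDPOINT_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.55": {"fqdn": "ws055.corp.example.com", "user": "CORP\\jdoe", "process": "svchost.exe"},
    "10.0.2.17": {"fqdn": "scanner01.corp.example.com", "user": "CORP\\secops", "process": "nessusd.exe"},
}

# Hosts that are allowed to scan (e.g. the vulnerability scanner); policy never quarantines them.
AUTHORIZED_SCANNERS: Set[str] = {"10.0.2.17"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) ports=(?P<ports>\d+)$"
)


@dataclass
class Incident:
    timestamp: str
    src: str
    fqdn: str
    user: str
    process: str
    ports: int
    action: str  # "quarantine", "already_quarantined" or "authorized_scan"


def parse_alert(line: str) -> Optional[dict]:
    """Detector-specific part: turn one firewall line into a dict, or None if it is not a port scan."""
    m = ALERT_RE.match(line.strip())
    if not m or m.group("event") != "PORT_SCAN":
        return None
    alert = m.groupdict()
    alert["ports"] = int(alert["ports"])
    return alert


def decide_action(src: str, authorized: Set[str], seen: Set[str]) -> str:
    """Policy part: independent of which technology produced the alert."""
    if src in authorized:
        return "authorized_scan"
    if src in seen:
        return "already_quarantined"
    seen.add(src)  # first scan from this source: remember it so later alerts do not re-fire
    return "quarantine"


def process_alerts(lines: Iterable[str], inventory: Dict[str, Dict[str, str]],
                   authorized: Set[str], seen: Optional[Set[str]] = None) -> List[Incident]:
    """Enrich every port-scan alert with host context and attach the policy decision."""
    seen = set() if seen is None else seen
    incidents: List[Incident] = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        host = inventory.get(alert["src"], {})  # unmanaged host -> "unknown" fields
        incidents.append(Incident(
            timestamp=alert["ts"],
            src=alert["src"],
            fqdn=host.get("fqdn", "unknown"),
            user=host.get("user", "unknown"),
            process=host.get("process", "unknown"),
            ports=alert["ports"],
            action=decide_action(alert["src"], authorized, seen),
        ))
    return incidents


def quarantine_list(incidents: List[Incident]) -> List[str]:
    """Hosts the policy says to cut off: FQDN when known, otherwise the raw IP."""
    return [i.fqdn if i.fqdn != "unknown" else i.src
            for i in incidents if i.action == "quarantine"]


if __name__ == "__main__":
    found = process_alerts(FIREWALL_ALERTS.splitlines(), ENDPOINT_INVENTORY, AUTHORIZED_SCANNERS)
    for inc in found:
        print(f"{inc.timestamp} {inc.src} ({inc.fqdn}, user={inc.user}, process={inc.process}) "
              f"scanned {inc.ports} ports -> {inc.action}")
    print("quarantine:", quarantine_list(found))
```

The split between `parse_alert` and `decide_action` is the point of the passage: only the parser knows which detector raised the alarm, while the quarantine decision is pure policy and would be the same whether the signal came from a firewall, an IDS or an endpoint agent. The `seen` set carries state between batches so a host that has already been cut off does not generate a fresh quarantine action on every subsequent scan.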
Next week I'm going to describe to you a solution that does all of this. And from what I understand, there is no other security solution in the world that can so quickly and elegantly provide such a solution. It's an exciting time to be in the security business, so stay tuned for more!
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP - Microsoft Firewalls (ISA)