The Science of Host Based Security
A New Resolve
A shift in doctrine is in the works surrounding network security management. Just a few years ago, the focus of enterprise security was primarily split between perimeter security and authentication controls. Security engineers spent their time mulling over firewall implementations, access rights, and the occasional implementation of encryption technologies.
A new movement, though, has overtaken the industry as security breaches have become more and more common despite perimeter defenses. According to Gartner, an estimated 70% of security breaches are committed from inside a network's perimeter. This in turn is responsible for more than 95% of intrusions that result in significant financial losses. As staggering as this statistic is, it is coupled with the advent of tools like Netcat and Nmap that can be used to bypass most port-blocking perimeter defense systems such as firewalls. In addition, the increase in popularity of web services and internet commerce has brought with it the usual flood of prematurely released software littered with security holes.
All of this has forced enterprises to start reassessing security again from a host based perspective. This "new" doctrine is a throwback to computing security practices from before the rise of the internet, and it includes everything from physical and procedural security practices to host based vulnerability management. In turn, security managers are focusing on vulnerability assessments of their systems and applications, and examining their interactions with other hosts.
Call it prudence or oversight, but new federal statutes have made host based security not only a necessity but the law, complete with fines and criminal consequences. Nearly every industry has been charged with a regulatory mandate that can only be fully addressed by applying host based security methods. The health care industry has HIPAA, while the financial industry has the Gramm-Leach-Bliley Act. Publicly traded companies have to answer to the Sarbanes-Oxley Act. And let's not forget the anti-terrorism agenda of Homeland Security for any company, private or public, that is deemed to be essential for national security.
This, of course, has left security managers trying desperately to keep up to date with every new vulnerability or exploit that is discovered. While the numbers vary, some sources estimate that anywhere from 10-100 "newly discovered" vulnerabilities permeate across the internet news boards every day. Advisory services have sprung up by the dozens and the Usenet groups have once again become an essential stomping ground for IT managers. It is typical to see a security engineer subscribe to at least 3 advisory lists and 5 or more Usenet groups. This creates dozens if not hundreds of emails to peruse every day in what can seem to be an impossible task of keeping up to date with new security threats.
Out of this quagmire, many new products have emerged to help alleviate the administrative burden of keeping systems up-to-date. Two similar yet distinct product lines try to tackle this head on: vulnerability security scanners, and vulnerability assessment correlation solutions.
Vulnerability Security Scanners
Vulnerability Scanners take a very straightforward approach to host based security. In what is known as a "black box" or blind methodology, these solutions scan your network against up-to-date databases of known vulnerabilities. Hosts and services are first identified to the best extent possible and then correlated accordingly. These scanners go so far as to script weakened versions of known exploits with the promise of delivering administrators comprehensive reports on security infractions across their entire infrastructure. In effect, this transfers the responsibility of identifying newly discovered exploits to the vendor and, in so doing, reduces the administrative burden of attaining and maintaining a high security profile.
One notable commercial product in this space is Foundstone Enterprise(tm) vulnerability management software from Foundstone, experts in strategic security. Foundstone Enterprise boasts a very quick and efficient solution by which thousands of hosts can be scanned in a relatively short time. A network asset identification scan is followed by vulnerability checks and scripted simulations of hacker exploits in order to granularly define open vulnerabilities. Very detailed reports are generated and administrators are empowered with prioritized task lists for security remediation. In addition to being the fastest and most accurate commercial scanning solution available today, Foundstone Enterprise has some of the most useful reporting features for administrators and managers alike.
Freely distributed open source vulnerability scanners are also available on the internet: Nessus, SATAN, and SARA. While they have strong followings among security administrators, their reporting leaves something to be desired.
Vulnerability Correlation Solutions
Vulnerability Correlation Solutions take a slightly different approach to host based security. These new product lines take snapshots of your system and network environment and correlate them against a known database of vulnerabilities and best practices. Once an asset is identified, its current version number and installation configuration are matched against a frequently updated database. Administrators are given a prioritized task list of actions that should be taken to protect their systems, and reports and audit trails are subsequently generated.
The major advantage of this "white box" or trusted approach versus a vulnerability scanner is that it is for the most part non-intrusive. No exploits actually run against your systems, since vulnerabilities are matched against a set of known variables: mainly an inventory of devices, installed applications, and configurations. Given that a large percentage of known exploits can result in denial of service or, worse, a complete application crash, it is fair to assume that a non-intrusive correlation is more complete than an intrusive one.
This also makes these solutions more of a candidate for real-time correlation, as vulnerability scanners tend to render syslogs and intrusion detection systems worthless while a scan is running. The lack of network traffic is also attractive. The downside of this type of solution is that, in true audit fashion, administrators end up with a task list of everything that should be done on their systems, regardless of whether or not they have completed the tasks already. Also, unlike vulnerability scanning solutions, vulnerability correlation solutions usually require an agent to be deployed on all systems to be audited. That translates to a higher TCO [total cost of ownership] in a large scale organization that would require a deployment across hundreds or thousands of clients.
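The two approaches described above, black box scanning (identify services, then correlate against a vulnerability database) and white box correlation (match an agent's inventory of versions and configurations against that database), share the same core: a matcher that decides whether a given product version or setting is affected, and a prioritizer that turns matches into a task list. The following is an added example that is not code from the article or from any product it names. It uses a constructed vulnerability database with placeholder identifiers (not real advisories), a constructed agent inventory, and a constructed banner for the black box path; the helper names (`correlate`, `task_list`, `banner_to_asset`) are this example's own. It also addresses the audit-fashion caveat above by keeping a record of remediations already applied so completed tasks drop off the pending list.

```python
"""Added example: a minimal vulnerability correlation engine (not from the
article or any product it names). Inventory data, vulnerability entries and
banners below are all constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v):
    # "7.4p1" -> (7, 4, 1): keep only numeric fields so tuple comparison is sane.
    # Caveat: vendor suffixes (p1, rc2, -el7) are flattened to numbers, so a real
    # engine needs per-vendor version grammars; this is good enough to show the idea.
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class Vuln:
    vid: str                      # placeholder id, not a real CVE number
    product: str
    severity: int                 # 1 (low) .. 4 (critical)
    fix: str                      # remediation task text
    fixed_in: Optional[str] = None            # first unaffected version, if version-based
    bad_config: dict = field(default_factory=dict)  # settings that trigger a config finding


# Constructed vulnerability database (white box entries can also be config-based)
VULN_DB = [
    Vuln("VULN-0001", "openssh", 4, "Upgrade OpenSSH to 7.5 or later", fixed_in="7.5"),
    Vuln("VULN-0002", "apache", 3, "Upgrade Apache httpd to 2.4.30 or later", fixed_in="2.4.30"),
    Vuln("VULN-0003", "openssh", 2, "Set PermitRootLogin to no", bad_config={"PermitRootLogin": "yes"}),
]

# Constructed agent snapshot: product, version and configuration per host
INVENTORY = {
    "web01": [
        {"product": "apache", "version": "2.4.29", "config": {}},
        {"product": "openssh", "version": "7.4p1", "config": {"PermitRootLogin": "yes"}},
    ],
    "db01": [
        {"product": "openssh", "version": "7.9p1", "config": {"PermitRootLogin": "no"}},
    ],
}

# Audit trail of remediations already applied, as (host, vuln id) pairs
COMPLETED = {("web01", "VULN-0002")}

# Black box path: banner patterns a scanner would use to identify a service version
BANNER_PATTERNS = {
    "openssh": re.compile(r"OpenSSH[_ ]([0-9][0-9.p]*)"),
    "apache": re.compile(r"Apache/([0-9][0-9.]*)"),
}


def banner_to_asset(banner):
    """Turn a constructed service banner into an asset record; config is unknown."""
    for product, pat in BANNER_PATTERNS.items():
        m = pat.search(banner)
        if m:
            return {"product": product, "version": m.group(1), "config": {}}
    return None


def is_affected(asset, vuln):
    if asset["product"] != vuln.product:
        return False
    if vuln.fixed_in and parse_version(asset["version"]) >= parse_version(vuln.fixed_in):
        return False
    if vuln.bad_config:
        # A config finding needs the offending setting to be visible; a banner-only
        # asset has no config, so it can never match here (the black box blind spot).
        return all(asset["config"].get(k) == v for k, v in vuln.bad_config.items())
    return True


def correlate(inventory, vuln_db=VULN_DB, completed=COMPLETED):
    """Full audit view: every match, highest severity first, completed ones last."""
    findings = []
    for host, assets in inventory.items():
        for asset in assets:
            for vuln in vuln_db:
                if is_affected(asset, vuln):
                    findings.append({
                        "host": host, "vuln": vuln.vid, "severity": vuln.severity,
                        "task": vuln.fix, "done": (host, vuln.vid) in completed,
                    })
    findings.sort(key=lambda f: (f["done"], -f["severity"], f["host"]))
    return findings


def task_list(inventory, vuln_db=VULN_DB, completed=COMPLETED):
    """Prioritized pending work only: what the administrator still has to do."""
    return [f for f in correlate(inventory, vuln_db, completed) if not f["done"]]


if __name__ == "__main__":
    for f in correlate(INVENTORY):
        print(f"{f['host']:6} sev{f['severity']} {f['vuln']} {'done' if f['done'] else 'TODO'}: {f['task']}")
    print("banner-only scan:", task_list({"scan01": [banner_to_asset("SSH-2.0-OpenSSH_7.4")]}, completed=set()))
```

Running the block shows the difference the text draws: the agent inventory for web01 yields both the version finding and the PermitRootLogin configuration finding, while the same host seen only through its SSH banner yields just the version finding, because a blind scan cannot see the configuration. The `completed` set is what keeps the Apache task from reappearing on every audit.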
One notable product in this area is the Vulnerability Manager by Computer Associates [formerly known as the advisor by the Ernst & Young subsidiary EsecurityOnline]. VM is a vulnerability correlation solution that correlates against a database known as the Security Framework, developed by Ernst & Young's network security auditing division. Reports are generated with prioritized task lists for system hardening, and records are kept of changes and patches applied for auditing purposes.
LANGuard Network Scanner by GFI is also worth mentioning, as it is a hybrid vulnerability correlation solution and vulnerability scanner all in one. Its scanning engine does the usual port and services scan along with a few of the more common exploits, but in a Windows environment GFI really shines when it's armed with an enterprise or domain admin account. Full enumerations of services, user accounts, group memberships and installed patches make this tool a godsend in large Windows environments. GFI goes so far as to enumerate SNMP settings on most devices as well as provide a patch deployment solution in Windows networks.
Regardless of what solution type will dominate the marketplace, vulnerability assessment is promising to be a bright spot in an otherwise laggard IT marketplace. Already it is giving fuel to a multitude of companies offering managed services as well as a list of offshoot product lines such as patch management solutions. All in all these products are well received in the marketplace as host based security is no longer a privilege. Companies hoping to remain competitive in corporate America have no choice but to make security their highest priority.