written by Pierluigi Stella
When I started delving into security, two of the first words I learned were identify and remediate, a phrase to mean that you’d identify a problem and fix it. That said, what does “identify a problem” mean? Typically, it’d encapsulate things such as running a vulnerability assessment (or, better yet, a true penetration test), finding all the pain points, and making a plan to fix them (remediation).
Most of the literature I’ve found on this topic still refers to classify and remediate in these terms. In the meantime though, I’ve noticed that some companies are using these terms in a very different way and making lots of strides in marketing their products with scare tactics, using big terms.
Many years ago, we used to install IDS, which would produce hundreds of pages of reports and, once each day, we’d pore over those pages to find correlations and identify possible threats. After that, we’d make configuration changes, mostly to the firewall, to block those threats.
With the passing of time, we’ve built tools that no longer require such human intervention, for many reasons. Aside from being inconvenient and demeaning for someone to spend his or her life poring over hundreds of pages of logs on a daily basis, it’s also incredibly inefficient and easily plays into the hands of hackers. With modern hacking counting on automated tools that change the threat at a speed beyond human comprehension (let alone capability), relying on human analysis is, to say the least, obsolete (I’d venture further and call it obscene at this point).
As such, we’ve created tools that identify threats in true real time and block them, automatically. These are called IPS – intrusion PREVENTION systems. Prevention is key here; you want to block the attempt at intrusion as it starts. You want to change the paradigm from having a camera that gives you a picture of the thief, to a guard that blocks the thief at the doorstep. If a packet can be malicious, block it.
An evolution of this concept consists of integrating the IPS with the firewall; allowing the firewall to do most of the work as it’s faster and much more accurate. Then scan the traffic that passes through with the IPS and, if the IPS determines that a packet is a threat, tell the firewall to drop that connection, so no further threat packets can pass through from that sender. This is what many are calling the NextGen Firewalls, which, incidentally, are old news now. Network Box has had this concept since 2000; only relatively recently has the industry has caught up with it and given it a formal name.
Since this approach makes a lot of sense, you’d expect that the entire security industry would move in that direction and abandon the concept of IDS. In a way though, IDS still has merit within a LAN; it can identify malicious traffic within the LAN and provide alerts on local activity.
Enter the concept of ‘classify and remediate’. I’ve run into this more than once lately. There are companies that make a fortune telling their customers that they’ll monitor the traffic and alert them if something’s trying to come in. And I’ve even seen such “alerts”. One of them went like this “IP address xyz is sending a PHP exploit to your web server; please make sure your server is patched”.
Seriously? That’s their take on security? Please, make sure your server is patched? I was (and still am) flabbergasted at such daring. I’m not talking about small companies who are trying to make a living creating unneeded panic. I’m talking about large security companies that instead of blocking the traffic and protecting their customers using an IPS, use an IDS to alert and ask the customer to ‘remediate’. I feel as though we’ve gone back 15 years and found a way to market an old concept. We’re using the concept of classify and remediate as a viable protection from Internet threats.
Well, I’ve news for all of you attempting to do this – it does NOT work, and it’s the reason why so many companies are falling victim of hackers left and right. You cannot “remediate”; you need to block before the issue even starts. Having the ability to identify a threat floating inside a LAN is important. But if you truly want to be protected from Internet threats, stop thinking in terms of classify and remediate, and start thinking in terms of active protection, real time blocks, a barricade against each and every threat that the Internet is going to throw at you.
Knowing that IP xyz is scanning your ports is irrelevant and unnecessary. It makes for a nice graph you can present to the board of directors, but nothing more. What you really need to have is a system that will BLOCK such threats; so that IP xyz can knock at your door as many times as it wants; if you’ve configured things properly, the door will never open and those “threats” will continue to be caught, and blocked at the edge of your network, unfailingly, like only an automated system can do.
If you’re still relying on human intervention for your protection because these companies have convinced you that it’s the way modern security works, it’s time you look around and get yourself some REAL security.