
Vulnerability Assessment for the Security Operations Center

netVigilance
By : netVigilance
INFORMATION
Published : Nov 23, 2005
Length : 16
Type : White Paper
 
Overview :

This white paper explains the evolving needs for vulnerability assessment, the special requirements inherent within large enterprises, and how SecureScout SP from netVigilance meets those needs. Intrusions into corporate networks by hackers, viruses, worms, Trojans and other forms of malware are increasing exponentially year to year.

The costs associated with confronting cyber attacks in terms of loss of business, loss of productivity, loss of shareholder confidence, fines, litigation, regulatory penalties or even jail time threaten to spiral out of control if the problem is left unchecked.

Download this white paper to learn more about vulnerability assessment of security operations centers.


Security Operations Center:

This white paper explains the evolving needs for vulnerability assessment, the special requirements inherent within large enterprises, and how SecureScout SP from netVigilance meets those needs.

Overview - the Power of Vulnerability Assessment

Intrusions into corporate networks by hackers, viruses, worms, Trojans and other forms of malware are increasing exponentially year to year. The costs associated with confronting cyber attacks in terms of loss of business, loss of productivity, loss of shareholder confidence, fines, litigation, regulatory penalties or even jail time threaten to spiral out of control if the problem is left unchecked.

Even though the number of threats to our data assets is increasing at an alarming pace, the actual number of known vulnerabilities that these threats exploit is staying relatively flat. Finding and fixing network vulnerabilities before they can be exploited greatly reduces the likelihood of a catastrophic attack.

In a 2005 survey of 1400 CIOs, a majority 35% listed network security as their top initiative and greatest concern [1]. In another survey, conducted jointly by Computer Sciences Corp. and the Financial Executives International (FEI), only 20% of CFOs are satisfied with their corporate security operations center policies; 24% chose increased information security as their chief concern [2] and foresee network security expenditure increasing over the next several years.

With a dizzying array of network security products to choose from, the customer has the daunting task of deciding which methodologies to deploy for the maximum price/performance ratio. One must choose carefully to find solutions that have the greatest impact on reducing one's cyber threat profile, with the least impact on budgetary and manpower resources.

Network security operations center solutions are typically divided into two primary classes: Preventative and Responsive. Some types of responsive techniques include:

- Intrusion Prevention, Content Filtering - block transmission of suspicious traffic based on pre-defined signatures. These systems can be easily fooled by slightly altering the appearance of the malicious traffic.

- Intrusion Detection, Systems Monitoring - detect anomalous traffic that might be an attack and alert system administrators for countermeasures.

- Anti-Virus - trap viruses and repair damage if possible.

- Forensics - perform an investigation of an attack, and attempt to determine the extent of the attack, scope of damage, evidence of perpetrators, and gain knowledge to improve systems for future attacks.


However, reactive security tools are not able to stop the majority of hacker attacks, for two primary reasons:

- Reliance on previously detected attacks - Solutions that seek to block or detect attacks require some degree of an attack signature. This could be tell-tale exploit code, a source address of the attacker, etc. Unfortunately, the only way to get a signature for the attack is for either your network or another company's to be attacked. At that point, the vendor/solution provider can gain detailed information about the attack and either update their software or reconfigure the systems to block this attack. By this point, the attack may already have caused significant damage.

- Most attacks use mandatory protocols - Electronic mail and web surfing are indispensable parts of nearly every organization's everyday life. Hackers recognize this and are able to develop malicious self-propagating code that exploits the email and web standards that must be in place to allow global communications. It is extraordinarily difficult to differentiate between good and bad traffic for an authorized protocol, which explains why attacks like Code Red are so destructive.

The irony associated with limitations of reactive solutions and the billions in losses is that virtually all of the attacks were based on previously known vulnerabilities that were patched by technology vendors weeks, months or years in advance.

In addition, a recent study on hacking showed that, on average, it took 34 hours of forensics research to uncover and understand a hack, while it took the hacker less than a minute to crack the system. Obviously, proactive solutions are needed. Vulnerability assessment fills this need.

The role of Vulnerability Assessment in Security Operations Center

By performing regular vulnerability assessment, it is possible to identify weak points throughout the network, from the perimeter and server systems down to each and every client PC. Systems can be vulnerable for a variety of reasons: incorrect configuration, software bugs or simply antiquated software versions.
