Prevent, respond, investigate

Implementing sound security policies and procedures can lay the foundation for an effective incident response strategy. But if information technology managers want to protect networked resources from security incidents before, during and after an attack, they will need an arsenal of tools at their disposal.

Agencies should consider a range of technologies to prevent security incidents. But if attacks get through, they need tools that can help them respond quickly. Those tools should include asset, vulnerability, security event and information management software; network and host-based forensics; and help-desk systems, experts say.

An effective incident response plan should include an integrated set of technologies that enable IT managers to discover intrusions and defend their networks and systems, said Michele Perry, chief marketing officer at Sourcefire, a maker of products that detect and prevent intrusions.

"Incidents can be all over the map," Perry said, adding that the best form of defense is a policy-based response engine that alerts security managers to violations. Sourcefire's 3D System combines intrusion detection and prevention with vulnerability management technology.

3D System consists of Sourcefire Intrusion Sensors and Agents, Real Network Awareness (RNA) Sensors, and Sourcefire Defense Center. Built on Snort, an open-source rules-based detection engine, the intrusion sensors use signature-, protocol- and anomaly-based inspection methods to detect threats. The technology comes as easy-to-deploy security appliances.

RNA Sensors monitor network assets such as firewalls, PCs, routers, servers and wireless access points. The Defense Center aggregates and correlates all threat information culled from sensors and agents. It prioritizes the large volume of security events to help IT managers determine the most critical incidents, Perry said.

Symantec is also taking an appliance approach to incident response. To help users understand their environment's security, by the end of the month the company will begin offering an information management tool that performs event correlation, aggregation and storage in one appliance, said Rowan Trollope, vice president of security management solutions at Symantec.

People need technology that is easy to deploy, Trollope said. The Symantec Security Information Manager 9500 Series provides real-time integration of global early-warning threat intelligence and event correlation.

The product integrates correlation technology with the company's DeepSight Threat Management System to deliver continuous security intelligence updates, such as automated security alerts, known vulnerabilities, safeguards and attack signatures. Administrators can view updates at an integrated console, he said.

Chris Michael, technology strategist at Computer Associates International, said the principles of modern air warfare developed by Col. John Boyd, an Air Force fighter pilot during the 1950s, can be applied to incident response.

Security managers need to observe and collect information from their environment. Then they need to adjust their networked environments to deal with the threats. All of the pertinent information they need is generated in systems and security device log files. The problem is "now we don't know what is going on because there is too much information," Michael said.

The nexus of CA's incident response tools is the eTrust Security Command Center, which collects log file information and helps security managers understand if any suspicious activity occurs on their networks and how they should respond to certain events.

Other CA products can be integrated with Security Command Center to give users a clearer picture of their environments, he added. An asset management product collects pertinent information about the desktop computers and servers on a network. "This is important information that can be brought into the Security Command Center" because you need to know the security status of systems on the network to protect it, Michael said.

The eTrust Vulnerability Manager software also works with Security Command Center. If an attack is in progress, a security manager can see whether it will succeed. Maybe it targets a specific type of Web server that the organization doesn't have. Or the agency could have up-to-date security patches. The vulnerability management information will help a security manager make those determinations, Michael said.

CA's Service Desk, a help-desk system, also has links to the Security Command Center. Incident information can be sent to Service Desk, which generates a trouble ticket. Michael said managers can track how security analysts respond during an incident. This information helps continuously improve the organization's security status, he said.

Finally, the eTrust Network Forensics product acts like a video camera, recording network traffic. "Once you determine something bad has happened, you can go back and replay an attack and analyze it," Michael said. This analysis can help prevent similar attacks in the future. Organizations can also use the information as part of investigations to track down intruders and prosecute them.

As organizations deploy more automated tools to prevent or respond to incidents, IT managers must remember that technology is not a panacea, said Michael Gavin, an analyst at Forrester Research.

"You still need the human element," he said. "You need someone with reasoning capabilities to put things together."