Sunday, April 11, 2010

Journal Two - Incident Response and Intrusion Detection

Security Industry Fails to Protect Business Customers
Robert McMillan - March 12, 2010 http://www.computerworlduk.com/management/security/cybercrime/opinion/index.cfm?articleId=3134&pn=1
According to Mr. McMillan, recently at the RSA Conference, security vendors pitched their next generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry had failed to protect paying customers from some of today's most pernicious threats.
One of the hot topics was advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December 2009. It was apparent that despite billions of dollars in security spending, it has still been surprisingly hard to keep corporate networks safe. Once hackers are in, they can easily break into other computers, steal data, and then move it offshore. Incident response teams have to be perfect, or at least very quick about spotting intrusions, to keep APT attacks under control.
Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. "All of the victims we've worked with had perfectly installed antivirus," he said. "They all had intrusion detection systems and several had web proxies scan content." The problem is that the hackers also know about these anti-virus and intrusion detection products and they can buy them and then test them until they find right holes to get through.
Antivirus blocks "the vast majority" of all attacks and intrusion detection products can still help stop most intruders. “But ultimately, enterprises must also develop ways of responding to new threats and intrusions.” Technology vendors want to sell a complete product, but it's really not possible to buy your way into a secure environment. That takes a bigger commitment. "It's all about user awareness and procedures," Stead said. That means teaching employees about risky online behavior, and building a security team that can get the most out of the security tools it has.
"I think that at the end of the day the lesson you get from something like the Aurora incident (vulnerability in Internet Explorer) is that you have to have incident responders," Melson said. "If you're not prepped for incident response and incident containment, if you're not using actual people to do security analysis in your environment, the advanced persistent threat is going to walk right through."