Self Defending Network - Are We There Yet?

Been doing a lot of reading and in the course of that reading I've been seeing a lot in the ways of security analytics. To that end, it seems when you talk about security analytics you eventually arrive at the idea of the self defending network. A network that will detect a threat, block it, and then plug the hole that allowed it to happen in the first place. With that I am thinking about the current state of affairs with cloud computing and can't help but believe that we are just about arriving to a world of self defending networks. Between network virtualization and the use of SDN along with virtual servers utilizing Puppet/Chef we've basically (as it appears to me) come at least 70% of the way. It seems that perhaps the piece that is missing is the complete automation and even now I think we are just about there. The only flaw that I see is from the desktop side of things, but if you can secure the network and servers that leaves more people to deal with the desktops. Even then, should be fairly simple for the network to detect the compromise and then cutoff the offending desktop till someone can look at it.

Thoughts?

Find more posts tagged with

Comments

Vask3n

Even on the desktop side of things we are getting close, we have host-based intrusion detection systems that are able to implement active-response. An example of these is OSSEC which I write rules for once in a while.

I actually have the Cisco Press book "Self-Defending Networks" so I was intrigued by this thread. One of the difficulties is minimizing false positives without increasing false negatives, and sometimes its easier for a human to pass judgement or determine the best course of action than a machine. However, for basic things like blackholing/blocking an address that is performing brute force attacks, I think we are already actively using these tactics.

the_Grinch

I hear you on OSSEC as that is a tool that we utilize with a lot of success. My concerns, at least on the desktop side of things, is the multipurpose nature of desktops. Pretty easy on the server side to say only this software needs to be on it (web server, database, AD, etc). Where as with the desktop you are looking at all types of software being installed and leaving that many more vectors to defend. I can agree that minimizing false positives is a lot better on the human side of things. I know from experience that we catch more false positives then actual attacks. That being said, we have caught a live attack through a stringing of events that would have been missed if not for the tools we had.

Going to definitely look at the Cisco Press book! Thanks for that!

YFZblu

Automated network defense will mature naturally, as research/time goes on. That being said, this is a game of cat-and-mouse...and I don't think that will ever change.

I would argue that my current org has almost eliminated commodity malware from the environment using automated tools with strict-ish settings enabled - but more targeted stuff is what large organizations are really worried about, and that type of response won't ever be automated IMO.

the_Grinch

I guess the question in regards to a targeted attack is how often are they utilizing a method currently unknown to security practitioners? Thus while it may be focused on an individual company the method would more then likely be something already in the wild unless it involves a serious 0day or some custom application used no where else. Not arguing as I do believe there is a lot of merit to your argument just looking to stir up the discussion.

DevilWAH

NO such thing as an off the shelf solution that will defend against all possible attacks. This term has been throw around since the first network had access lists created to control access.

All that is happening is that networks security is getting better and sifting though events and high lighting possible issues, then either taking its own steps or alerting a admin to do some thing. but at the end of the day its like any program and it can only do what it has been programmed to do. So should an attacker or bit of malware be designed that is out side of what the designers of the security systems imaged then its not going to offer much protection. Yes the better ones can adapt to malware based on a theam but one it changes too much they are simple calculating probabilities and as soon as they calculate one that is not 100% either way then there is a chance it will get it wrong. False positives are bad, false negatives can be worse (although a false positive that causes the system to take critical systems of line is not good!!)

Computers for the time being are better than us are raw calculations, but they fail when they have to do trouble shooting and make choices. Systems are getting better but no where near infallible.

YFZblu

the_Grinch wrote: »

I guess the question in regards to a targeted attack is how often are they utilizing a method currently unknown to security practitioners? Thus while it may be focused on an individual company the method would more then likely be something already in the wild unless it involves a serious 0day or some custom application used no where else. Not arguing as I do believe there is a lot of merit to your argument just looking to stir up the discussion.

My definition of 'APT': A person(s) that is willing to do anything to establish a foothold within the target organization.

It's not that they're using unknown methods all the time; it's that they're willing to try and try until they have evaded detection. IP addresses are disposable, code can be modified, zero-days can be discovered, etc.

...it is a good discussion to have, however. I can't tell you how many times executives have asked me: "So, we're good...right?" - It'd be nice if I could say "No, we're not good. We need to keep searching...". But I can't...so it should always be an open-minded, interactive discussion between security people and everyone else.

darkerosxx

I'm actually working on a self-healing network project, so I can see self-defending being a project in security.

One thing recently said by one of the inventors of the internet is that the greatest danger in our future is computers making mistakes. They're becoming more powerful as we lean on them and give them more responsibility. Make sure your code is written so mistakes fail gracefully and don't cause something catastrophic.

tpatt100

darkerosxx wrote: »

I'm actually working on a self-healing network project, so I can see self-defending being a project in security.

One thing recently said by one of the inventors of the internet is that the greatest danger in our future is computers making mistakes. They're becoming more powerful as we lean on them and give them more responsibility. Make sure your code is written so mistakes fail gracefully and don't cause something catastrophic.

Name it Tron please

MrAgent

The University that I am attending was awarded funding to work on something like this.

Mason Researchers Receive $6.25 Million to Prevent Cyber Attacks - Mason News - George Mason University

the_Grinch

Yeah I definitely agree that off the shelf will be a big no no in this realm. Every network is different and you need baselines along with someone who truly understands to successfully setup a self defending network. I guess my thought is you provide the base and then work to get everything "customized" to the network you are defending. Excellent discussion points so far all!

LinuxNerd

the_Grinch wrote: »

Been doing a lot of reading and in the course of that reading I've been seeing a lot in the ways of security analytics. To that end, it seems when you talk about security analytics you eventually arrive at the idea of the self defending network. A network that will detect a threat, block it, and then plug the hole that allowed it to happen in the first place. With that I am thinking about the current state of affairs with cloud computing and can't help but believe that we are just about arriving to a world of self defending networks. Between network virtualization and the use of SDN along with virtual servers utilizing Puppet/Chef we've basically (as it appears to me) come at least 70% of the way. It seems that perhaps the piece that is missing is the complete automation and even now I think we are just about there. The only flaw that I see is from the desktop side of things, but if you can secure the network and servers that leaves more people to deal with the desktops. Even then, should be fairly simple for the network to detect the compromise and then cutoff the offending desktop till someone can look at it.

Thoughts?

My thought is that self defending networks will be the norm in a few years and this will lead to the cyber security bubble popping and only a few top people left in the industry. A security team could be replaced by one or two highly skilled individuals.