Must-Have Security Tools and the Risks You Need to Know: Part 1
In a blog post from earlier this year we documented the flaws associated with the five most commonly used IT security tools. (You can also download our “How Five Common Security Tools are Leaving Your Network Vulnerable” datasheet.) In this two-part follow-up series, we’ll take a closer look at each of these common tools, recapping the flaws you need to know as well as additional risks your IT security team should be aware of and prepared to address, along with a suggestion or two from us.
The gaps in next-generation firewalls
While firewalls remain the most essential component of any business’s security environment, the truth is that most firewalls can be bypassed by attackers in one of three ways: the use of encryption, unprotected mobile devices introduced to the network, and the use of applications designed to connect outside of the firewall, such as those from Google and other vendors that use “pinned keys” and therefore require holes to be punched through the firewall in order to function.
There are additional risks, some of which can be addressed simply by being vigilant and enforcing strict guidelines to maintain firewall integrity. For example, some organizations leave their firewall passwords set to the defaults, an obvious risk that is sometimes overlooked during implementation and that leads to accountability problems when networks are compromised. Similarly, organizations overlook software that is outdated or no longer supported, opening the door wide to remote breaches and denial-of-service attacks. Anyone who can access the Internet could potentially exploit the firewall via an unencrypted connection or an open wireless network.
Remember, too, that documentation is key. Network protocols, software settings, and business rules that exist without documentation inevitably lead to security management problems, especially when administrators leave your organization unexpectedly.
When antivirus is anti-protection
For antivirus solutions, the challenge is identifying the signatures of a constantly growing pool of increasingly damaging viruses, not least polymorphic viruses, whose code mutates while their original algorithm stays intact. Meanwhile, hackers are using the latest antivirus tools to train themselves and to test the detectability of their latest work. They are determined to stay one step ahead of the security developers, which is why the industry is seeing major vendors stepping back from traditionally lucrative security products.
At the same time, vendors are under pressure to make the latest versions of their antivirus solutions available as quickly as possible, leading to vulnerabilities in the programs that there hasn’t been time to fix, or that haven’t yet been discovered. Hackers are keenly aware of these vulnerabilities, often targeting new or hastily launched software with increasing success. Antivirus software is only as effective as the vendors who develop it. If they miss a critical gap or fix, you might be the one who pays for it.
The seams are showing in SIEM solutions
Like other log management solutions, security information and event management (SIEM) software is reactive and inefficient. SIEM solutions are helpful in finding evidence of an attack, but only if you know where to look. Your team can spend several days analyzing logs just to establish a correlation between a logged event and a problem, and that is before attempting to address causation and remediation. What’s worse, during this time the damage is being done. Additionally, most SIEM systems are not cloud friendly, leaving another significant gap in your security program.
Other challenges prevent organizations from maximizing the benefit of SIEM software, including a lack of skills and inadequate staffing. Most organizations struggle to devote more than one employee to SIEM monitoring. While SIEM solutions are a valuable asset for enterprise systems and for improving threat identification and intelligence, they can be very costly. They are difficult to implement and require constant tuning to be effective.
In part two of this series, we will examine the risks behind malware removal software and IDS/IPS systems, and the role endpoint modeling plays in mitigating some of these risks.
Getting better visibility into your network and improving your security couldn’t be easier. Sign up for a free, no-risk trial of Observable’s Endpoint Modeling solution, and change the way you see security.