Most security organisations within an enterprise are very vulnerability-focused. And they should be. New vulnerabilities in software and hardware products are announced almost daily and, if left unchecked, these often lead to breaches, intrusions, downtime and financial losses. Therefore organisations strive to identify and understand vulnerabilities, and in fact most have become very adept at remediating and ridding their networks of them (the ones that they know about).
The Microsoft Patch Tuesday exercise has become routine for most organisations as they move promptly to eliminate vulnerabilities in their systems. Vulnerabilities are most often remediated with patches, but for many reasons patching might not be a viable option, and it does not on its own ensure that systems are protected. This is where security appliances in many forms come into play. These products are the front line to prevent exploitation of vulnerabilities. There are vulnerability indexes, signatures for attacks and a world of tracking via CVSS, CVE and other vulnerability- and exploit-focused mechanisms.
This focus on vulnerability is important, but more organisations need to think seriously about security resiliency. For purposes of our conversation here, consider vulnerability the risk that has been identified and must be mitigated (if it is not, a successful attack may play out, or there may be compliance consequences for failing to eliminate vulnerabilities). Resiliency, on the other hand, is about knowing how security will perform when called upon to do so. How does detection accuracy change as conditions change? What about the scalability and performance of security devices as load changes or the application mix is varied (and made to simulate real-world traffic on your network)?
For most organisations this is an area where there is a fair amount of uncertainty and likely few data points on the actual security resiliency of devices that have been deployed or are under consideration. Most groups can answer vulnerability questions, but have much more uncertainty when it comes to answering resiliency questions. Why is this?
- It can be challenging to know what to test and actually build tests to validate resiliency
- The gear required to fully exercise products and assess resiliency can be significant (even with VMs)
- Creating the real-world application traffic required for meaningful assessments is difficult
- Gear used by equipment manufacturers and service providers to test resiliency can be out of reach of many enterprises
Real-world proofs of concept and lab setups that can test security resiliency are being built at organisations that are forward thinking and have moved beyond a purely vulnerability focus. As organisations get better at patching and putting in place protection systems intended to block exploits, attackers will evolve their tactics. One of those attack methods is to create conditions that challenge the resiliency of security products, attempting to evade their protections or render the product ineffective.
From the point of product selection through deployment and maintenance, resiliency is something that warrants a closer look. Technologies and products are available now that can help an organisation have a more balanced view of security, moving from an overly vulnerability-centric view to one that also comprehends security resiliency. But it is not just a technology issue; it is an organisational maturity issue. More advanced security programmes are adopting a resiliency view and including this in their budgets, proofs of concept and product selection processes.
Vendor data sheets and third-party test labs provide data points to guide decision making, but they don't guarantee that your security infrastructure will be resilient when challenged by extreme loads, diverse application mixes and unfriendly attack techniques. It's time to take a closer look at security resiliency and some of the options to remove uncertainty.
Contributed by Fred Kost, VP Security Solutions, Ixia