Security tools: sometimes it seems that we never have enough to keep up with the task of protecting the enterprise. Or, at least it seems that way when walking the exhibit floor at most technology conferences. There’s a veritable smorgasbord of tools available, and you could easily spend your entire day looking for the perfect solution for every problem.
But, the truth is, IT teams at most organizations simply don’t have the budget or resources to implement dedicated security tools to meet every need and technical requirement. They’re too busy struggling with Cloud migrations, SaaS deployments, network upgrades, and essentially “keeping the lights on.”
Have you ever actually counted all the security tools your organization already owns? In addition to the licensing and support costs, every new product requires something most IT environments are in short supply of these days—time.
Optimism fades quickly when you’re confronted by the amount of time and effort required to implement and maintain a security tool in most organizations. As a result, these products end up either barely functional or as shelfware, leaving you to wonder if it’s possible to own too many tools.
There has to be a better way.
Maybe it’s time to stop the buying spree and consider whether you really need to implement another security tool. The fear, uncertainty, and doubt (FUD) that drives the need to increase the budget for improving IT security works for only so long. At some point, the enterprise will demand tangible results for the money spent.
Try a little experiment. Pretend that you don’t have any budget for security tools. You might discover that your organization already owns plenty of products with functionality that can be used for security purposes.
What about open source? It isn’t just for academic environments. Plenty of large, for-profit organizations such as Google® and Apple® rely on open source software to build and support their own products. Open source can be reliable and even complement the commercial software in your existing portfolio. Additionally, many vendors originally started as open source and continue to maintain free community edition versions.
A recent trend in security is anomaly detection. If you can’t afford a dedicated tool, why not leverage existing monitoring systems for this purpose? Many of these tools track performance to create baselines and alert on unacceptable thresholds. While an alarm could be caused by hardware or software failures, alerts can also be the sign of an attack.
For incident response, data from a monitoring system can be correlated with information from security tools to help determine the scope of a breach. Many monitoring products even provide canned reports for compliance initiatives such as PCI DSS and HIPAA.
Your enterprise wireless management system (WMS) is a great example of a multifunctional monitoring system. It’s loaded with features such as threshold monitoring, rogue detection, alerting, pre-built security reports, and even some basic firewall features. It’s enough to make your auditors weep for joy.
NetFlow is more than just a network tool. The data from your collector is another helpful resource for identifying anomalous traffic, which could be a sign of a breached system and data exfiltration by an attacker. In general, network analysis tools can be very useful during security investigations because they reveal much about malware behavior and attack scope.
How about your configuration management systems? In addition to limiting access by centralizing changes, these tools can also automate patching and provide audit trails. Some asset management systems can even be used for file integrity monitoring (FIM) or application whitelisting. There are also open source host intrusion detection systems (HIDS), such as OSSEC, that provide FIM functionality as well.
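The baseline-and-threshold idea from the monitoring paragraph above, applied to the NetFlow data it describes, as an added example that is not part of the original article. It assumes flow records have already been pulled from a collector into simple dictionaries (source, destination, bytes, time window); the records, addresses (RFC 5737 documentation ranges) and the `find_egress_anomalies` function are constructed for this example. Each host is compared against its own history using a median and median absolute deviation, which a single earlier spike cannot distort the way a mean and standard deviation can, and hosts that also talk to a destination never seen in the baseline are noted, since a volume jump to a new endpoint is the classic exfiltration shape.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records. Windows 0-5 form the baseline and
# window 6 is the one under review. Host .10 is steady; host .20 is
# steady, then sends 40 MB to a never-before-seen destination.
FLOWS = [
    *[{"src": "192.0.2.10", "dst": "198.51.100.5",
       "bytes": 1_000_000 + 50_000 * (i % 3), "window": i} for i in range(6)],
    {"src": "192.0.2.10", "dst": "198.51.100.5", "bytes": 1_100_000, "window": 6},
    *[{"src": "192.0.2.20", "dst": "198.51.100.7",
       "bytes": 2_000_000 + 100_000 * (i % 2), "window": i} for i in range(6)],
    {"src": "192.0.2.20", "dst": "203.0.113.9", "bytes": 40_000_000, "window": 6},
]


def egress_by_host_window(flows):
    """Sum bytes sent per (source host, time window)."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][f["window"]] += f["bytes"]
    return totals


def robust_baseline(values, min_rel_scale=0.05):
    """Median and a scaled median absolute deviation (MAD) of a history.

    1.4826 * MAD estimates the standard deviation for normal data. The
    scale is floored at a fraction of the median (and at 1 byte) so a
    perfectly flat history does not turn every tiny change into a huge
    score or divide by zero.
    """
    med = median(values)
    mad = median([abs(v - med) for v in values])
    scale = max(1.4826 * mad, min_rel_scale * med, 1.0)
    return med, scale


def find_egress_anomalies(flows, current_window, threshold=5.0, min_history=3):
    """Flag hosts whose egress in current_window is more than `threshold`
    robust standard deviations above their own baseline, and list any
    destinations they contacted that never appeared in the baseline."""
    totals = egress_by_host_window(flows)
    baseline_dsts = defaultdict(set)
    current_dsts = defaultdict(set)
    for f in flows:
        bucket = current_dsts if f["window"] == current_window else baseline_dsts
        bucket[f["src"]].add(f["dst"])

    alerts = []
    for host, per_window in totals.items():
        history = [b for w, b in per_window.items() if w < current_window]
        # Too little history means no trustworthy baseline: stay silent
        # rather than alert on every new host.
        if len(history) < min_history or current_window not in per_window:
            continue
        med, scale = robust_baseline(history)
        current = per_window[current_window]
        score = (current - med) / scale
        if score > threshold:
            alerts.append({
                "host": host,
                "current_bytes": current,
                "baseline_bytes": med,
                "score": round(score, 1),
                "new_destinations": sorted(current_dsts[host] - baseline_dsts[host]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(FLOWS, current_window=6):
        print(alert)
```

On the sample data only host 192.0.2.20 is reported: its 40 MB window scores several hundred robust standard deviations above a 2 MB baseline and the 203.0.113.9 destination is new. The threshold and the minimum history are the two knobs you would tune against your own collector's data before wiring the output into the alerting your monitoring system already has.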
Think you can’t block traffic without a firewall? Think again. Every managed layer-3 device can implement access control lists (ACLs). While you won’t get some of the advanced or NextGen features vendors love to brag about, in many cases an ACL will meet your needs, and without the performance impact your network might experience when turning on all the features of a firewall.
If you own load-balancers, a.k.a. application delivery controllers (ADC), you also have some excellent built-in security controls. These devices do more than add high-availability to critical applications. Load-balancers provide application and network denial of service (DoS) protection through mechanisms such as SYN cookies, protocol checks, and connection throttling.
With the right add-ons, most Web browsers can be turned into tools for application analysis, testing, and reconnaissance. Most of these extensions are free; all you need to do is spend the time to find the ones that work for you. But in a pinch, the Google Hacking technique popularized by Johnny Long is still a viable option for determining your organization’s weak spots. You can even use no-cost online malware analysis and sandbox sites such as Wepawet and VirusTotal for crude incident response.
DNS sinkholes, used for blocking access to malicious domains, have matured into the more easily manageable BIND Response Policy Zones. By adding an automatically updated reputation feed, your DNS server becomes a practical security control that can block access or redirect traffic to an internal remediation site.
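The reputation-feed-to-RPZ step described above, as an added example that is not part of the original article. It assumes a feed of one domain per line (comments starting with `#`), which is the simplest format many free feeds offer; the feed contents, the `rpz.internal` zone name, the `walled-garden.corp.example` remediation host and the function names are all constructed for this example. The two RPZ actions it emits are the standard ones: a CNAME to the remediation name (redirect) or `CNAME .` (NXDOMAIN, block); the wildcard record extends each policy to subdomains.

```python
import re
from datetime import datetime, timezone

# Constructed sample feed: one malformed line and one duplicate on purpose.
SAMPLE_FEED = """\
# constructed reputation feed, refreshed hourly
malware-c2.example
phishing-login.example
not a domain!!
MALWARE-C2.example.
"""

# Hostname syntax per RFC 1123 label rules, lower-cased before matching.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_feed(text):
    """Return the unique, syntactically valid domains in feed order.

    Anything that is not a hostname is dropped rather than written into
    the zone, where a bad record would make named refuse to load it.
    """
    seen = []
    for line in text.splitlines():
        name = line.strip().lower().rstrip(".")
        if not name or name.startswith("#"):
            continue
        if DOMAIN_RE.match(name) and name not in seen:
            seen.append(name)
    return seen


def rpz_serial(now=None):
    """Seconds since the epoch: always larger than the previous run's
    serial, which is what secondaries need to notice a zone update."""
    now = now or datetime.now(timezone.utc)
    return int(now.timestamp())


def build_rpz_zone(domains, zone="rpz.internal",
                   remediation="walled-garden.corp.example",
                   serial=None, ttl=60):
    """Emit a BIND zone file body for a response policy zone.

    remediation=None produces the NXDOMAIN action (CNAME .) instead of a
    redirect. A domain that is the remediation host or one of its parents
    is skipped, because rewriting it would loop every redirected client.
    """
    serial = serial if serial is not None else rpz_serial()
    target = "." if remediation is None else f"{remediation}."
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA ns1.{zone}. hostmaster.{zone}. {serial} 3600 600 604800 {ttl}",
        f"@ IN NS ns1.{zone}.",
    ]
    for d in domains:
        if remediation is not None and (remediation == d or remediation.endswith("." + d)):
            continue
        lines.append(f"{d} IN CNAME {target}")
        lines.append(f"*.{d} IN CNAME {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical named.conf wiring for the generated file (not emitted here):
    #   options { response-policy { zone "rpz.internal"; }; };
    #   zone "rpz.internal" { type master; file "rpz.internal.zone";
    #                         allow-query { none; }; };
    print(build_rpz_zone(parse_feed(SAMPLE_FEED)))
```

Run it from cron at the feed's refresh interval, write the output to the zone file named in `named.conf`, and `rndc reload rpz.internal`; the low TTL keeps clients from caching a redirect long after a domain drops off the feed. Wrap the reload in a `named-checkzone` call first, since a feed that suddenly ships garbage should fail the update, not your resolver.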
White hat, black hat, grey hat; they all use the same tools for security testing. And you can use them, too. Whether you choose Kali®, Security Onion®, or Pentoo Linux®, you’ll find enough security tools inside these open source security distros to keep you busy assessing your own organization. Many of the tools even have commercial support contracts available.
Threat intelligence services can be expensive. However, there are inexpensive or even free versions from information sharing and analysis centers (ISAC) and organizations such as Team Cymru and Shadowserver™.
Social media is also a handy tool for monitoring the latest threats and vulnerabilities. Most security researchers and hacktivists maintain Twitter accounts and love to post information about breaches and zero-days, providing even faster updates than Reddit®.
Good security is about managing risk, not tools. Resisting the siren song of the latest product sales pitch doesn’t make you a cheapskate; it makes you a discerning buyer who understands that there is no quick fix to building a more secure enterprise. Most often, it’s not about having the best tool, but having the one that does the job. Moreover, the more tools you have, the more you have to manage, which can increase your liability, cost, and organizational risks.
For more information, you can view a webinar on this topic here.