Common Failures of Information Security Tools (Part 2)

HIPS can miss attacks or wrongly block legitimate actions. Log management may fail to capture necessary events or confuse analysts with poor reporting. Vulnerability management tools may miss patches or crash systems during updates. Prepare test plans to validate changes don't disrupt operations.

In an earlier note I discussed some of the ways in which network firewalls, WAFs and antivirus technologies can fail, despite the best intentions of their creators and operators. I’d like to continue the survey of unwanted side effects of information security tools by looking at a few more categories of infosec products:

Host-based Intrusion Prevention Systems (HIPS) are designed to block malicious actions on the local host, and sometimes overlap in their capabilities and adverse side effects with behavior-monitoring antivirus tools. HIPS typically have a broader scope, looking at logged events, file integrity, exploit detection, etc. They could fail to identify an attack (a false negative) or they could wrongly block a legitimate action (false positive).

Log management tools consolidate and report on security events from the various components of the environment. The configuration may fail to capture the necessary events. The tool may also report on events in a way that confuses the analyst. Though log management technologies are often used solely for monitoring, sometimes organizations can trigger defensive actions when a particular pattern is seen in the log. Poorly defining the pattern can deny services to a legitimate entity.

Vulnerability management tools can incorporate security patch distribution capabilities, which may fail to distribute the necessary security updates, or may roll out a patch that crashes the system or application. Along these lines, vulnerability scanners may fail to identify missing patches, or may overwhelm the user with irrelevant findings that drown out the meaningful weaknesses that need to be addressed.

Adverse side effects are often seen when organizations update the configuration of the respective security tools, inadvertently introducing changes that break legitimate services or render controls ineffective. In anticipation of this, prepare and follow a practical test plan to validate that a change didn’t disrupt operations or introduce unwanted risks. Similarly, consider what side effects might arise from the initial deployment of the security technology, accounting for them during the purchasing decision and also as part of the roll-out of the tool. Lastly, consider what processes are in place to make it harder for the tools’ users to misinterpret the tool’s output.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →