Common Failures of Information Security Tools (Part 2)

In an earlier note I discussed some of the ways in which network firewalls, WAFs and antivirus technologies can fail, despite the best intentions of their creators and operators. I’d like to continue the survey of unwanted side effects of information security tools by looking at a few more categories of infosec products:

  • Host-based Intrusion Prevention Systems (HIPS) are designed to block malicious actions on the local host, and sometimes overlap in their capabilities and adverse side effects with behavior-monitoring antivirus tools. HIPS typically have a broader scope than antivirus, examining logged events, file integrity, exploit indicators, etc. They could fail to identify an attack (a false negative) or they could wrongly block a legitimate action (a false positive).
  • Log management tools consolidate and report on security events from the various components of the environment. The configuration may fail to capture the necessary events. The tool may also report on events in a way that confuses the analyst. Though log management technologies are often used solely for monitoring, sometimes organizations can trigger defensive actions when a particular pattern is seen in the log. Poorly defining the pattern can deny services to a legitimate entity.
  • Vulnerability management tools can incorporate security patch distribution capabilities, which may fail to distribute the necessary security updates, or may roll out a patch that crashes the system or application. Along these lines, vulnerability scanners may fail to identify missing patches, or may overwhelm the user with irrelevant findings that drown out the meaningful weaknesses that need to be addressed.
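To illustrate the log management point above about a poorly defined pattern denying service to a legitimate entity, here is an added example that is not part of the original post. It feeds a few constructed sshd-style log lines (sample data, not a real capture) through two versions of an automated "block the source after repeated failures" rule. The loose version counts failures per source address and ends up blocking a shared office NAT address (203.0.113.5 in the sample) because several different users each mistyped a password once; the tighter version counts failures per (source, account) pair and resets a pair once that account signs in successfully, so only the host repeatedly attacking one account (198.51.100.7 in the sample) is blocked. The log format, addresses and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (made up for this example, not from the original
# post). 203.0.113.5 is a shared office NAT address used by several legitimate users;
# 198.51.100.7 is a single host repeatedly failing against one account.
SAMPLE_LOG = """\
Mar  3 09:00:01 bastion sshd[1201]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Mar  3 09:00:05 bastion sshd[1202]: Accepted password for alice from 203.0.113.5 port 40001 ssh2
Mar  3 09:01:10 bastion sshd[1210]: Failed password for bob from 203.0.113.5 port 40002 ssh2
Mar  3 09:01:14 bastion sshd[1211]: Accepted password for bob from 203.0.113.5 port 40002 ssh2
Mar  3 09:02:30 bastion sshd[1220]: Failed password for carol from 203.0.113.5 port 40003 ssh2
Mar  3 09:03:45 bastion sshd[1230]: Failed password for dave from 203.0.113.5 port 40004 ssh2
Mar  3 09:04:50 bastion sshd[1240]: Failed password for erin from 203.0.113.5 port 40005 ssh2
Mar  3 09:05:00 bastion sshd[1300]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 09:05:01 bastion sshd[1301]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar  3 09:05:02 bastion sshd[1302]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar  3 09:05:03 bastion sshd[1303]: Failed password for root from 198.51.100.7 port 51003 ssh2
Mar  3 09:05:04 bastion sshd[1304]: Failed password for root from 198.51.100.7 port 51004 ssh2
"""

# Assumed message formats; adjust the patterns to the log source actually in use.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")


def parse(log_text):
    """Yield (kind, user, ip) tuples for the authentication events of interest."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield ("failed", m.group(1), m.group(2))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("accepted", m.group(1), m.group(2))


def naive_block_list(log_text, threshold=5):
    """Loosely defined pattern: block any source IP with >= threshold failures.

    A shared NAT or proxy address reaches the threshold through ordinary typos by
    several different users, so acting on this rule denies service to all of them.
    """
    failures = defaultdict(int)
    for kind, _user, ip in parse(log_text):
        if kind == "failed":
            failures[ip] += 1
    return sorted(ip for ip, count in failures.items() if count >= threshold)


def refined_block_list(log_text, threshold=5):
    """Tighter pattern: count failures per (source IP, account) pair, and clear a
    pair's counter once that account signs in successfully from the same source.

    Repeated failures against one account from one source still trip the rule;
    unrelated one-off mistakes by users sharing an address do not.
    """
    failures = defaultdict(int)
    for kind, user, ip in parse(log_text):
        key = (ip, user)
        if kind == "failed":
            failures[key] += 1
        elif kind == "accepted":
            failures.pop(key, None)
    return sorted({ip for (ip, _user), count in failures.items() if count >= threshold})


if __name__ == "__main__":
    print("naive  :", naive_block_list(SAMPLE_LOG))    # blocks the office NAT as well
    print("refined:", refined_block_list(SAMPLE_LOG))  # blocks only 198.51.100.7
```

The refined rule is not free of blind spots either: a single source trying one password against many different accounts would not reach the per-pair threshold, which is why a rule that drives an automated block needs to be defined against the actual traffic and address topology of the environment and validated with a test plan before it is allowed to act.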

Adverse side effects are often seen when organizations update the configuration of the respective security tools, inadvertently introducing changes that break legitimate services or render controls ineffective. In anticipation of this, prepare and follow a practical test plan to validate that a change didn’t disrupt operations or introduce unwanted risks. Similarly, consider what side effects might arise from the initial deployment of the security technology, accounting for them during the purchasing decision and also as part of the roll-out of the tool. Lastly, consider what processes are in place to make it harder for the tools’ users to misinterpret the tool’s output.

Read more in the preceding post…

— Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.