Common Failures of Information Security Tools (Part 2)

In an earlier note I discussed some of the ways in which network firewalls, WAFs and antivirus technologies can fail, despite the best intentions of their creators and operators. I’d like to continue the survey of unwanted side effects of information security tools by looking at a few more categories of infosec products:

  • Host-based Intrusion Prevention Systems (HIPS) are designed to block malicious actions on the local host, and sometimes overlap in their capabilities and adverse side effects with behavior-monitoring antivirus tools. HIPS typically have a broader scope, looking at logged events, file integrity, exploit detection, etc. They could fail to identify an attack (a false negative) or they could wrongly block a legitimate action (false positive).
  • Log management tools consolidate and report on security events from the various components of the environment. The configuration may fail to capture the necessary events. The tool may also report on events in a way that confuses the analyst. Though log management technologies are often used solely for monitoring, sometimes organizations can trigger defensive actions when a particular pattern is seen in the log. Poorly defining the pattern can deny services to a legitimate entity.
  • Vulnerability management tools can incorporate security patch distribution capabilities, which may fail to distribute the necessary security updates, or may roll out a patch that crashes the system or application. Along these lines, vulnerability scanners may fail to identify missing patches, or may overwhelm the user with irrelevant findings that drown out the meaningful weaknesses that need to be addressed.

Adverse side effects are often seen when organizations update the configuration of the respective security tools, inadvertently introducing changes that break legitimate services or render controls ineffective. In anticipation of this, prepare and follow a practical test plan to validate that a change didn’t disrupt operations or introduce unwanted risks. Similarly, consider what side effects might arise from the initial deployment of the security technology, accounting for them during the purchasing decision and also as part of the roll-out of the tool. Lastly, consider what processes are in place to make it harder for the tools’ users to misinterpret the tool’s output.

Read more in the preceding post…


— Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more