Common Failures of Information Security Tools (Part 1)

Security tools have side effects like medicine. Network firewalls cause connectivity issues; WAFs block legitimate traffic after site updates and are difficult to troubleshoot; antivirus tools may miss malware or falsely flag legitimate files—increasingly likely as vendors shift from signatures to heuristic detection.

We’re used to thinking of medicine in terms of not only its healing power, but also its side effects. We recognize that even a substance designed to support health might affect the body in undesirable ways, especially when interacting with other drugs. This dynamic also applies to the measures we take to maintain and improve information security safeguards: it’s not uncommon for security technologies to have a negative on the environment being protected.

Let’s look at some examples of potential failures of information security tools, so we can anticipate and account for the problems:

• Traditional network firewalls are often blamed for performance and connectivity woes, since they regulate traffic that crosses network boundaries. A firewall rule set can be too open, allowing unnecessary traffic in and out of the environment. The situation that is noticed more often is when the rules are too tight, blocking applications’ components from communicating or preventing the users from accessing needed services.

• Web Application Firewalls (WAFs) typically implement more complex logic to distinguish between legitimate and malicious actions than traditional network firewalls. The protection tends to combine static rules with behavior-monitoring components; moreover, the rules are often customized for individual web applications and can become invalidated after the protected site is updated. For this reason, anticipating and troubleshooting WAF problems can be challenging. This is why organizations may hesitate when switching WAFs from monitoring-only to active blocking mode.

• Antivirus tools are arguably the most mature components of an information security infrastructure. The most common way in which they fail is by considering a malicious file to be benign. They can also sometimes flag legitimate files as malicious, which has been known to not only deny access to applications, but also crash systems. The likelihood of falsely flagging a normal file as malicious might be increasing, as antivirus vendors rely less on static signature-based detection and more on heuristic and behavioral techniques.

Do you have stories of network firewalls, WAFs and antivirus tools failing? Please share the side effects you’ve experienced in the comments to this post. I’d also love to hear your thoughts on mitigating the risks of such adverse reactions to introducing or updating security tools in an enterprise setting. We all have much to learn in this regard.

Continued in a follow-up post…

Related:

• Web Application Firewalls (WAFs) Will Be Ubiquitous
• Antivirus Products Are Like Cold Medicine - Not A Rant
• Pros and Cons of Virtual Patching to Address Vulnerabilities