Common Failures of Information Security Tools (Part 1)

We’re used to thinking of medicine in terms of not only its healing power, but also its side effects. We recognize that even a substance designed to support health might affect the body in undesirable ways, especially when interacting with other drugs. This dynamic also applies to the measures we take to maintain and improve information security safeguards: it’s not uncommon for security technologies to have a negative on the environment being protected.

Let’s look at some examples of potential failures of information security tools, so we can anticipate and account for the problems:

  • Traditional network firewalls are often blamed for performance and connectivity woes, since they regulate traffic that crosses network boundaries. A firewall rule set can be too open, allowing unnecessary traffic in and out of the environment. The situation that is noticed more often is when the rules are too tight, blocking applications’ components from communicating or preventing the users from accessing needed services.
  • Web Application Firewalls (WAFs) typically implement more complex logic to distinguish between legitimate and malicious actions than traditional network firewalls. The protection tends to combine static rules with behavior-monitoring components; moreover, the rules are often customized for individual web applications and can become invalidated after the protected site is updated. For this reason, anticipating and troubleshooting WAF problems can be challenging. This is why organizations may hesitate when switching WAFs from monitoring-only to active blocking mode.
  • Antivirus tools are arguably the most mature components of an information security infrastructure. The most common way in which they fail is by considering a malicious file to be benign. They can also sometimes flag legitimate files as malicious, which has been known to not only deny access to applications, but also crash systems. The likelihood of falsely flagging a normal file as malicious might be increasing, as antivirus vendors rely less on static signature-based detection and more on heuristic and behavioral techniques.

Do you have stories of network firewalls, WAFs and antivirus tools failing? Please share the side effects you’ve experienced in the comments to this post. I’d also love to hear your thoughts on mitigating the risks of such adverse reactions to introducing or updating security tools in an enterprise setting. We all have much to learn in this regard.

Continued in a follow-up post…

Related:

Lenny Zeltser

Updated

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more