Why Active Audit?
Why is active audit necessary? Many companies rely on their perimeter security. Once the perimeter is breached, most of the network and its systems are virtually unprotected.
First, hackers are quite likely to be employees, or may have breached the security perimeter through a business partner or a modem. Because they are considered ‘trusted’, they have already bypassed most network security, such as firewalls, encryption, and authentication. Note: the company network is usually considered the ‘trusted’ network while the Internet is ‘untrusted’. However, with up to 80% of security breaches occurring in the ‘trusted’ network, companies may want to rethink their strategies for protecting systems and data.
Second, the defense may be ineffective. Aging, mismanaged security is no match for today’s hacker, who is constantly improving techniques.
Third, most security breaks down due to human error. People make mistakes when programming firewalls, they allow services onto the network and forget to turn them off, they are not diligent about changing passwords, they add modems and forget to turn them off — the list goes on and on.
Fourth, the network is always growing and changing. Every change is a new opportunity for the patient hacker, who may spend months or even years waiting for an opening. Firewalls, authorization, and encryption provide policy enforcement, but do not monitor behavior. And with hacking, it is the behavior that is the problem.
These problems can be alleviated by creating a security process that includes visibility into the network.
Network security is often viewed in terms of point security technologies, such as firewalls, authentication and authorization, and encryption. While very necessary to a network defense, they do not have the capability to analyze and discover two items essential for network security:
1) User behaviors — are your employees, business partners, and anyone else misusing the network?
2) System vulnerabilities — if a ‘bad guy’ gets into your network, have your systems been secured to lock him out?
This is where a strong firewall gives a false sense of security. You must consider what would happen if your firewall is compromised.
The most effective security strategy for your network defense is a ‘defense in depth’ or ‘layered defense’. This means augmenting your point solutions with dynamic systems that monitor users as they use the network and measure network resources for changes and vulnerabilities. These technologies should be used to help secure the network perimeter as well as the intranet.
Organizations often take a tactical approach to network security and do not treat it with the same importance as network operations. However, more companies today are taking a strategic approach to network security and treating it as part of network operations. This includes developing processes that constantly measure, monitor and improve the security posture.
Active Audit—Network Vulnerability Assessment
Active Audit is the systematic implementation of the security policy: actively auditing and verifying the network, detecting intrusions and anomalies, and reporting the findings.
For true security policy management enterprise-wide, Active Audit capability must be in place and be applicable for all access ports, devices and media.
Proactive network auditing tools provide preventative maintenance by detecting security weak points before they can be exploited by intruders.
Active Audit—Intrusion Detection System
Intrusion detection tools recognize when the security of the network is in jeopardy. Intrusion detection provides the burglar alarms that notify you in real-time when break-in attempts are detected.
For example, you want to be able to see that a burst of port scans is hitting your systems, and the IP address they are originating from: that is somebody who could potentially be doing bad things to your network.
You want to be able to watch suspect behavior. You also want to be able to answer questions like: is that person in data entry going back into the data warehouse? Are they going into our accounting system?
An IDS architecture consists of several parts. There is an IDS engine, something analogous to a sniffer, that watches the line looking for violations of policy. There is a security management system, the place where you give the instructions about what adheres to your security policy and what doesn’t. And there is some kind of real-time alarm notification, a way to tell the people within the organization: this is what’s going on in your network, something bad is about to happen or is happening, and it’s time to take action.
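The three parts just described (an engine watching connection records, a policy that says what is allowed, and an alarm path), as an added illustration that is not from the original text or any product it describes. The addresses, roles, port-scan threshold and log records are constructed assumptions; a real deployment would read these from a sensor and a policy store.

```python
from collections import defaultdict

# Constructed sample connection log: (source_ip, dest_ip, dest_port, user_role).
# Hypothetical addresses and roles; not traffic from any real network.
EVENTS = (
    [("203.0.113.9", "10.0.1.5", port, None) for port in range(20, 36)]  # 16 ports, one source
    + [("10.0.2.14", "10.0.1.20", 443, "data_entry"),   # normal order-entry use
       ("10.0.2.14", "10.0.1.30", 1433, "data_entry"),  # data warehouse
       ("10.0.2.14", "10.0.1.40", 8443, "data_entry"),  # accounting system
       ("10.0.2.50", "10.0.1.30", 1433, "analyst")]     # analyst: permitted by policy
)

# Security management system: protected hosts, and which roles may reach them.
PROTECTED_HOSTS = {"10.0.1.30": "data warehouse", "10.0.1.40": "accounting system"}
POLICY = {"data_entry": set(), "analyst": {"10.0.1.30"}}  # allowed protected hosts per role

SCAN_THRESHOLD = 10  # distinct destination ports from one source before raising an alarm


def detect_port_scans(events, threshold=SCAN_THRESHOLD):
    """IDS engine rule 1: one source touching many distinct ports on one host."""
    ports = defaultdict(set)
    for src, dst, dport, _ in events:
        ports[(src, dst)].add(dport)
    return [(src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold]


def detect_policy_violations(events, policy=POLICY, protected=PROTECTED_HOSTS):
    """IDS engine rule 2: a role reaching a protected system its policy does not allow."""
    hits = []
    for src, dst, dport, role in events:
        if dst in protected and role is not None and dst not in policy.get(role, set()):
            hits.append((role, src, protected[dst], dport))
    return hits


def raise_alarms(events):
    """Real-time notification: turn engine findings into operator-readable alarm lines."""
    alarms = [f"ALARM port-scan: {src} probed {n} ports on {dst}"
              for src, dst, n in detect_port_scans(events)]
    alarms += [f"ALARM policy: role {role} at {src} reached {name} (port {port})"
               for role, src, name, port in detect_policy_violations(events)]
    return alarms


if __name__ == "__main__":
    for line in raise_alarms(EVENTS):
        print(line)
```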