Dangerous security

Hello, dear Habr readers. I have recently been thinking about how applicable various outsourced services are in the field of information security, and here is what came of it.

Currently, many developers offer centralized solutions for monitoring the state of information security and detecting malicious (hacker) activity in the information systems of companies and organizations. They work roughly as follows:
  • the customer installs an appliance that acts as an agent collecting information about all events in the company's information system (fully or selectively, depending on the solution); where necessary, the appliance is supplemented by software agents installed directly on IT infrastructure components;
  • the collected information is transmitted to the servers of the company providing the service;
  • on the provider's servers, using its knowledge base and the experience of its specialists, malicious (hacker) activity and events that may have negative consequences for the customer are picked out of the full stream of information, and these incidents are then analyzed;
  • the customer is provided, in real time, with services to counter the identified threats or eliminate their consequences.

Similar products are available from Cisco (Sourcefire), Check Point, Palo Alto Networks, and Symantec.

This approach certainly has significant advantages:
  • the customer does not need to understand every nuance of information security; they immediately get a ready-made solution and spend very little on keeping it running (noticeably lower staffing costs for IS personnel; having paid once, the customer receives a ready set of tools and technologies and is not forced to keep buying new components, apart from the costs of updates and technical support);
  • the functionality of such a service is easy to extend and scale. Depending on need, the customer can expand monitoring and response to the required IT infrastructure components. The customer's task is to say "I want", and competent providers will propose options for solving the problem. Here the ever tighter integration of security tools and systems with one another works in the provider's favour and speeds up deployment;
  • a company providing such a service must have an extensive knowledge base and history of analyzed IS incidents, and its staff includes specialists whose training and practical skills let them respond competently to violations of IS requirements and to the actions of attackers, so the customer does not need a large team to investigate IS incidents and devise countermeasures.

But this approach also has disadvantages. No, it is not a weakness of the technology or of its implementation. The main drawback is the customer's dependence on the provider's decision to treat a given event as an incident or as an ordinary event. Moreover, the provider may have an interest, through intent or coercion, in "suppressing" individual incidents. I would note that all these products come mainly from foreign vendors. Given the current foreign-policy situation and possible sanctions against our country, implementing these solutions carries significant risks.

These risks include:
  • deliberate "suppression" of IS incidents identified by the provider, or their misinterpretation;
  • configuring agents to monitor events that pose no serious danger to the company's business processes, whether out of negligence or out of a reluctance to dig into how the customer's organization works and a desire to quickly roll out template solutions;
  • misleading the customer about the danger to their information resources posed by a given incident and/or event the agent has detected;
  • the question of trust in the provider, both in terms of confidentiality and in terms of availability. The customer must be certain that information about their incidents will under no circumstances reach third parties. Often a company has nothing more than a "piece of paper" in which the provider undertakes to keep the data fully intact, and recent events in the world, namely the sanctions against Russia and the material published by E. Snowden, make one think about what such "pieces of paper" are worth. The customer must also be sure that the incident-handling system will be available and operational 24/7; the inability to monitor that availability independently can push companies away from such services;
  • malicious impact on the customer's information system through the functionality of the deployed agents.
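The risks of suppression, misinterpretation and unverifiable availability listed above are exactly the ones a customer can check for without the provider's cooperation, provided the agent's outbound event stream described earlier is also mirrored locally. The following is an added example written for this page, not code from the post or from any of the vendors named; the event and incident formats, the rule name `auth_fail_burst`, the sample events, the provider's incident feed and the heartbeat timestamps are all constructed assumptions:

```python
"""Customer-side audit of an outsourced monitoring service (added example).

Assumes the customer keeps a local mirror of the events the agent forwards,
and that the provider exposes a feed of raised incidents plus a periodic
heartbeat. All data below is constructed; formats are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RULE = "auth_fail_burst"  # hypothetical name of the customer's own rule


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S")


def _auth_fails(src, start, count, step_s):
    """Constructed sample: `count` failed logins from `src`, `step_s` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{"ts": _iso(t0 + timedelta(seconds=i * step_s)),
             "type": "auth_fail", "src": src, "user": "admin"} for i in range(count)]


# Constructed local mirror of the events the agent forwards to the provider.
EVENTS = (
    _auth_fails("10.0.0.5", "2014-09-01T10:00:00", 6, 5)      # 6 failures in 25 s
    + _auth_fails("10.0.0.9", "2014-09-01T10:03:00", 7, 3)    # 7 failures in 18 s
    + _auth_fails("10.0.0.12", "2014-09-01T10:10:00", 5, 2)   # 5 failures in 8 s
    + _auth_fails("10.0.0.7", "2014-09-01T10:15:00", 2, 1)    # 2 failures: below threshold
    + [{"ts": "2014-09-01T10:16:00", "type": "auth_ok", "src": "10.0.0.7", "user": "alice"}]
)

# Constructed feed of incidents the provider reported back (hypothetical format).
PROVIDER_INCIDENTS = [
    {"rule": RULE, "src": "10.0.0.5", "severity": "high"},
    {"rule": RULE, "src": "10.0.0.9", "severity": "info"},   # reported, but downgraded
    # 10.0.0.12 was never reported at all
]

# Constructed heartbeat timestamps from the provider's incident-handling service.
PROVIDER_HEARTBEATS = [
    "2014-09-01T10:00:00", "2014-09-01T10:04:30", "2014-09-01T10:09:00",
    "2014-09-01T10:21:00", "2014-09-01T10:25:00",
]


def expected_incidents(events, threshold=5, window=timedelta(seconds=60)):
    """Customer-side rule: `threshold` failed logins from one source within
    `window` must become an incident. Returns {(rule, src): trigger time}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["type"] == "auth_fail":
            by_src[ev["src"]].append(datetime.fromisoformat(ev["ts"]))
    found = {}
    for src, times in by_src.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                found[(RULE, src)] = _iso(t)
                break
    return found


def reconcile(expected, provider_incidents, required_severity="high"):
    """Compare what the customer expected with what the provider actually raised."""
    reported = {(inc["rule"], inc["src"]): inc["severity"] for inc in provider_incidents}
    missing = sorted(k for k in expected if k not in reported)
    downgraded = sorted(k for k in expected
                        if k in reported and reported[k] != required_severity)
    return {"missing": missing, "downgraded": downgraded}


def heartbeat_gaps(heartbeats, max_gap=timedelta(minutes=5)):
    """Intervals during which the provider's service was silent longer than `max_gap`."""
    times = sorted(datetime.fromisoformat(h) for h in heartbeats)
    return [(_iso(a), _iso(b)) for a, b in zip(times, times[1:]) if b - a > max_gap]


def audit(events=EVENTS, incidents=PROVIDER_INCIDENTS, heartbeats=PROVIDER_HEARTBEATS):
    report = reconcile(expected_incidents(events), incidents)
    report["outages"] = heartbeat_gaps(heartbeats)
    return report


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The idea is to apply a handful of the customer's own non-negotiable rules to the mirrored stream, treat each hit as an incident the provider is contractually obliged to report at the agreed severity, and compare. A hit absent from the provider's feed is evidence of suppression or of a broken pipeline; a hit reported at a lower severity is the misinterpretation case; a heartbeat gap longer than the agreed interval is an availability breach to raise under the contract. None of this requires the provider to expose its analysis, only its outputs.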


In light of the above, the clear interest of domestic vendors in developing such solutions deserves attention. Unfortunately, some domestic developers' solutions nevertheless rely on servers and decision centres located "abroad", and that approach does not remove the risks listed above. Logically, then, customers of this kind of IS service will be most interested in domestic providers that use their own event processing and analysis centres inside the Russian Federation.

In conclusion, I would note that so far domestic companies have not developed this direction. There are reasons for this:
  1. most companies working with the public sector show little interest in this area. Their work revolves around meeting the IS requirements set by regulators, and the guidance documents hardly describe such an approach to IS and impose no requirement to build such an interaction scheme;
  2. most domestic solutions, including certified ones, are designed to identify the preconditions for incidents (vulnerabilities of various kinds) in a timely manner; they do not implement the full cycle of incident management;
  3. small and medium-sized companies often have no interest in IS at all until they suffer significant financial losses from the actions of attackers;
  4. large companies that might be interested in such projects are often "embarrassed" to disclose their IS incidents to outsiders or, given the involvement of foreign incident-information centres, are in no hurry to deploy such solutions.


Yet in essence such solutions are quite "convenient" for an individual company as a way of closing off most IS threats to its resources without requiring significant spending on constantly keeping those resources in a secure state.
