Flaws in Automated Security Products

Most security products are reactionary.  They respond to an event based on a signature they already know about.  This in and of itself is not difficult for a product to do; firewalls, anti-virus, intrusion prevention, etc. all use this model.  Some manufacturers tout their product's ability to train itself or to learn about emerging threats.  This model is also flawed: network security products can be purchased by an attacker, who can then figure out very easily how to bypass the device.  Additionally, the truth is these products do not learn all that quickly.  There is a quest in the network security world to find products that can automatically detect and respond to an attack.  When the device or software detects an abnormality in a packet, it can perform an action like shutting down the firewall port or disabling the workstation.  That sounds so cool on paper.  After all, don't we love automation?

Blindly following the advice of an autonomous product can be a costly venture.  One of two things will happen.  First, you are putting your trust in a device that can only detect what it knows about.  If the device doesn't know about it, nothing will happen.  Think about this from an outsider's perspective.  We know instinctively that Target, Home Depot, K-Mart, and Dairy Queen all had firewalls, AV, and IPS.  Yet they were still hacked and data was extracted from their networks.  The reason is the malware was morphed so the typical automatic tools wouldn't catch it.  These attackers knew what they were doing and found a way to beat the system.  You can finger-point all day long about whether it was a third party or a failure of this or that; all of that is irrelevant.  The tools on the network failed.

The second problem with automation is that the device can overreact.  I recall several instances where a client was using a firewall that was set to detect and block malware on the network.  If the device saw strange activity from an internal device, it was set to block that device so IT would have to look into the problem.  All of that would be great except for the day when they were really busy and the volume of DNS requests was legitimately higher.  The firewall thought it was malware and shut down the DNS server, stopping all traffic on the network.  I could name numerous other cases where an overzealous security product stopped traffic on the network and shut off internet access for everyone.  The common reaction to this is to shut off the security product (a decision typically preceded by a four-letter word) and stop using it altogether.  Now the network has little to no protection.
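The DNS story above is a textbook false positive from a fixed-threshold rule. The toy below is an added example, not code from the original post or from any product it mentions: it runs two decision policies over constructed per-minute DNS query counts. The host addresses, the fixed threshold, the z-score limit and the "critical hosts" allowlist are all assumptions made for the illustration. The naive policy blocks the busy DNS server and misses a quiet workstation that suddenly starts querying, while the baseline policy scores each host against its own history and turns the infrastructure hit into an analyst alert instead of an automatic block.

```python
"""Toy comparison of a fixed-threshold auto-block rule against a
per-host baseline rule that hands infrastructure hits to a human.
Added example; none of the data or names come from the original post."""
from statistics import mean, pstdev

# Constructed sample: DNS queries per minute for two internal hosts, six
# consecutive minutes each. The last minute is the one being judged.
# 10.0.0.53 is the (assumed) internal DNS server on a genuinely busy day;
# 10.0.0.77 is an (assumed) workstation that abruptly starts hammering DNS.
SAMPLE_COUNTS = {
    "10.0.0.53": [400, 420, 390, 410, 430, 1200],
    "10.0.0.77": [5, 4, 6, 5, 4, 900],
}

# Assumed policy knobs. Hosts the business cannot run without are never
# auto-blocked; they are raised to a person instead.
CRITICAL_HOSTS = {"10.0.0.53"}
FIXED_THRESHOLD = 1000   # queries per minute, a typical "one size fits all" setting
Z_LIMIT = 4.0            # standard deviations above the host's own history


def naive_verdict(host, counts):
    """Fixed threshold: block whoever exceeds it, regardless of who they are."""
    return "block" if counts[-1] > FIXED_THRESHOLD else "allow"


def baseline_verdict(host, counts, z_limit=Z_LIMIT):
    """Score the latest minute against the host's own history.

    Returns "allow" when the minute is within the host's normal range,
    "alert_for_review" when it is anomalous but the host is critical, and
    "block" only for a non-critical host behaving far outside its baseline.
    """
    history, latest = counts[:-1], counts[-1]
    mu = mean(history)
    sigma = pstdev(history) or 1.0      # avoid division by zero on flat history
    z = (latest - mu) / sigma
    if z <= z_limit:
        return "allow"
    if host in CRITICAL_HOSTS:
        return "alert_for_review"       # a human decides, the product does not
    return "block"


def evaluate(policy, counts=SAMPLE_COUNTS):
    """Apply one policy to every host and return {host: verdict}."""
    return {host: policy(host, series) for host, series in counts.items()}


if __name__ == "__main__":
    print("naive   :", evaluate(naive_verdict))
    print("baseline:", evaluate(baseline_verdict))
```

With the sample data the naive rule blocks the DNS server (1200 > 1000) and lets the workstation through (900 < 1000), which is the outage from the story plus a miss. The baseline rule sees both as anomalies relative to their own history, but the server only produces a ticket for someone to look at; the automatic block is reserved for the workstation, where the blast radius of being wrong is one desk rather than the whole network.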

An automation- and reaction-only security model is not the key to safe data and will lead companies down a bad road.  I think these products can be used, but only in conjunction with human analytics and in a controlled format: log management, log review, assessments, and training for the entire company.  Getting real insight and advice on a network is critical to securing your data.  Before submitting your 2015 budgets, take a look at what you are spending on these analytical approaches to security versus what you are spending on the automated tools (firewalls, IPS, AV, IDS, managed security).  Automation-only isn't working for anyone.