Suspected Intrusions - To Block or Not to Block?

Earlier this week I was at an excellent CISO dinner at the Capital Club hosted by Dr Steve Moyle of Secerno. For those of you who haven’t come across Secerno, they’re one of Oxford University’s finest innovations. Steve is a real authority on database security and he’s developed an impressive solution to SQL injection and other database attacks. It’s very well regarded by companies that have looked at it.

One of the interesting conversations was whether security technology should block or merely alert on suspected intrusions. It’s a difficult call. Intrusion prevention systems are heavily promoted as the contemporary successor to intrusion detection systems. But it’s clear that many large companies have yet to take the plunge, preferring to think first before closing down access attempts.

In fact there is no absolute answer. It depends on the level of confidence you have in your security technology and its ability to differentiate users from attackers. And that’s a moving target, as business connectivity grows and new technology emerges. In today’s virtual business environment where many of your IT users are not company employees, it’s getting harder to tell the difference between the bad guys and the legitimate users. Blocking is always safer from a security perspective but mistakes can be damaging to business. Monitoring is a useful compensating control but it’s potentially resource-intensive and alerts can be overlooked at busy times. But generally it’s all down to the reliability of the security technology, which is why I was interested to hear that at least one early adopter of Secerno’s technology has plumped for full blocking of detected anomalies from day one.

So what is best practice in this area? In my view it depends on whether you’ve experienced a serious attack. If you have, you’ll be under management pressure to close down potential attack vectors. If it was a DDoS attack you’ll certainly have an IPS in place, ready for action in the event of a future incident. But the action is now moving to database security. That’s the new target for identity theft and it requires new thinking and technology. CISOs have to get to grips with database security. It’s an area long overdue for attention, and one where the stakes can be very high if you don’t strike the right balance between business demands and prudent security.
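To make the block-versus-alert trade-off concrete, here is an added example (not Secerno’s product and not the author’s code) of a small database-proxy policy: query shapes outside a learned baseline are anomalies, the deployment mode decides whether an anomaly is blocked or only flagged, and an exception list lets an operator lift a single restriction once a blocked request is confirmed legitimate. The query texts and the baseline are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Reduce a statement to its shape: literals become "?", whitespace is collapsed,
# case is folded, so queries that differ only in their values share a shape.
def query_shape(sql: str) -> str:
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # numeric literals
    return " ".join(s.split()).lower()

@dataclass
class Policy:
    mode: str                                     # "alert" or "block"
    baseline: set = field(default_factory=set)    # shapes seen while learning
    exceptions: set = field(default_factory=set)  # shapes confirmed legitimate
    log: list = field(default_factory=list)       # what an analyst would review

    def learn(self, sql: str) -> None:
        self.baseline.add(query_shape(sql))

    def lift(self, sql: str) -> None:
        """Review found a blocked request legitimate: lift that one restriction."""
        self.exceptions.add(query_shape(sql))

    def decide(self, sql: str) -> str:
        shape = query_shape(sql)
        if shape in self.baseline:
            return "allow"
        if shape in self.exceptions:
            self.log.append(("exception", shape))
            return "allow"
        self.log.append(("anomaly", shape))       # logged in either mode
        return "block" if self.mode == "block" else "alert"  # "alert" = let through, flag

def run(mode: str) -> dict:
    """Constructed scenario: one learned query, a new report, a bulk read."""
    p = Policy(mode=mode)
    p.learn("SELECT name FROM users WHERE id = 42")
    report = "SELECT COUNT(*) FROM users WHERE created > '2009-01-01'"
    bulk = "SELECT name, email FROM users"
    first = {"known": p.decide("SELECT name FROM users WHERE id = 7"),
             "report": p.decide(report), "bulk": p.decide(bulk)}
    p.lift(report)  # the report turned out to be a legitimate new feature
    after = {"report": p.decide(report), "bulk": p.decide(bulk)}
    return {"first": first, "after_review": after, "events": len(p.log)}

if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, run(mode))
```

In block mode the false positive (the new report) is stopped until someone lifts it, while in alert mode both anomalies reach the database and only the log tells you; the log is the same size either way, which is the monitoring workload the post warns about.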


1 comment


You've hit the nail on the head, as usual. Attitudes are often different subsequent to an event; however, that's when knee-jerk reactions are most likely to result in more work and effort than is really necessary. The main disadvantage of IDS is, of course, that it requires continual monitoring, and reactions might be too late to prevent the attack. IPS, on the other hand, will (should) prevent the attack but, as you rightly say, might also block legitimate access. The answer is clear. Block - implement IPS as the solution. Better to block something in error but have a means to subsequently provide access - i.e. by lifting that particular restriction once it is known that the access request is legitimate - than allow potentially malicious traffic through the net.
