Security audits determine areas of vulnerability
Kowsik Guruswamy
Jun 6, 2007 3:19 PM
Security analysis and security audits performed by service providers to determine areas of vulnerability or potential points of exposure are driven by a combination of regulatory compliance requirements and the increasing volume of exploits and attacks. The problem is that comprehensive security audits consume considerable resources and time, and there is a dearth of security analysis expertise available to perform these critically important audits on a timely, repeatable and cost-effective basis.
In light of this, enterprise demand for secured network services is increasing. Service providers and cable operators are diversifying their managed security services and proactively analyzing the products that make up those offerings. A key market development accelerating the viability of managed security auditing services is the emergence of a new class of product, the security analyzer. A security analyzer applies a rigorous process, complete with an audit trail and remediation scripts, to locate and document vulnerabilities and to produce the reporting needed to expedite remediation before voice over IP, storage, IP Multimedia Subsystem or any other IP-based systems and software are deployed into production networks.
What is a security audit?
According to the SANS Institute, security audits should have the following goals:
1. Ensure the integrity, confidentiality and availability of information resources.
2. Verify conformance with the organization’s security policy.
3. Investigate possible security incidents.
4. Monitor user or system activity.
Although security audits vary significantly in scope and style, all endeavor to assess the information security provisions embodied in the first point of the SANS Institute list: Do the security provisions ensure the integrity and confidentiality (or privacy) of information while keeping that information available to authorized users?
The security audit normally involves a mix of interviews, inspections and tests--any of which can produce subjective or objective results. Interviews, for example, assess how well employees understand and comply with the security policy. Inspections often reveal what interviews fail to find: intentional or unintentional violations of the security policy, such as passwords written on notes taped to PCs or sensitive files copied to laptops that are later carried off the protected premises.
To overcome the somewhat subjective nature of interviews and inspections, organizations now employ first-generation testing tools and techniques. Two of the most popular are vulnerability assessment (VA) scanners and penetration testing tools. Unfortunately, the results these tools produce vary dramatically, and critical known and 0-day (previously unknown) vulnerabilities often go undetected. VA scanners typically check for a subset of known vulnerabilities, usually by fingerprinting the version of the software or hardware rather than exercising the flaw; to stay as non-intrusive as possible, they typically do not launch the actual vulnerability trigger, which is why a version check can flag a build that carries a backported fix and miss a flaw in a build whose version string never changed. Penetration testing focuses on a much smaller set of exploitable attacks and does little or nothing to detect denial-of-service and information leakage vulnerabilities.
Improving security audits with security analysis
A security analyzer is a purpose-built appliance utilizing a systematic and repeatable process to identify 0-day and published security vulnerabilities in any IP-based system, application or network device. This systematic and repeatable process (complete with structured data outputs of reports, packet captures and even vulnerability recordings) makes security analysis ideally suited to security audits.
The systematic security analysis process follows three steps. The first subjects the target system or software to an onslaught of attacks that emulate the many vulnerability discovery techniques attackers use. The more advanced security analyzers offer their own comprehensive suite of attack vectors, particularly in the area of protocol abuse (malformed, out-of-range or out-of-sequence protocol messages), which now accounts for some 80% of successful attacks.
The second step is continuous monitoring and recording of the target during the analysis to detect user-defined fault conditions. The monitor's task is to automatically collect all the information needed to identify the precise set of stateless or stateful conditions that caused a fault--the specific message, or sequence of messages, that triggered it--which is exactly what remediation requires. Ports on the security analyzer appliance monitor the device or application in-band or out-of-band.
The third step is start-to-finish management of the security audit. Because security analyzers commonly reveal robustness issues and/or vulnerabilities, and because many of these cause the target system to crash or lock up (often the intended consequence of a malicious attack), the analyzer must be able to detect that the target has failed, restore it (for example by restarting or power-cycling it) and resume from where it left off, so that the analysis runs to completion rather than stopping at the first crash.
The security analyzer has two major advantages over manual methods or the point products used for security audits. The first is its ability to thoroughly assess exposure to both known and previously unknown vulnerabilities in any IP-based product without source code access or deployment in a production network. Analyzers evaluate systems off-line, under different configurations or settings, potentially as part of a vendor audit or selection process. Vendor patches or updates can also be assessed for security readiness before they are installed on systems running live on the network.
The second major advantage is that virtually anyone--security experts and non-experts alike--can use the automated security analyzer in a security audit. It is easier for non-experts to use than vulnerability scanners, which audit only for known attacks with published patches, or source code analyzers, which target common programming errors rather than exploitable network-based vulnerabilities. Security experts and specialists often require granular control of an audit and therefore appreciate the ability to customize the analyzer's operation: applying internally developed suites of mutations, or integrating external attack vectors, test beds and vulnerability triggers. All of these can be automated through the security analyzer and are included in the audit's monitoring, logging and report generation.
Making the security analysis lifecycle part of the security audit
The security audit and the security policy are normally considered to have a cyclical relationship. The audit measures how well the policy is being applied and how effective it is. Deficiencies require changes to the policy, which necessitates another audit to assess the effectiveness of the revised policy, and so the cycle continues.
This security analysis lifecycle applies to all the systems and software products that together constitute the organization's information resources--all of which ultimately fall within the scope of the security audit. The advantage of making the security analysis lifecycle part of the security audit is that it reinforces the security policy with a rigorous and repeatable business process that guards against information corruption.
For example, a new vulnerability detected by the security analyzer during a routine software upgrade or patch cycle can be reported to the vendor or in-house development team for remediation, together with the recorded trigger that reproduces it. If the vulnerability is severe enough, a fix may be required before the updated system or software is placed into production. In this way the organization has an effective methodology for becoming more proactive, mitigating vulnerabilities before their potentially devastating consequences occur.
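As an added example for the three-step process (attack, monitor, manage) described above and for the patch-cycle use in the preceding paragraph, here is a Python sketch of a mutation-based analyzer. It is not the article's or Mu Security's code: the "LEN <n>" target protocol, its fault conditions, the mutation operators, the seeded case count and the "patched" build are all constructed for illustration. What it shows is that the fault record must capture the exact trigger (so the finding replays against a fresh target), that the run continues past a crash by restarting the target, and that the same recorded findings double as a regression suite for the vendor's fix.

```python
"""Mutation-based protocol analysis sketch: attack, monitor, manage, re-check after a
patch. Added example for this article, not Mu Security's product or code; the target,
its message format, the fault conditions and the mutation operators are constructed."""
import random
from dataclasses import dataclass, field

LIMIT = 65536

class ToyTarget:
    """Constructed target: parses 'LEN <n>\\n<payload>' and trusts the declared length;
    a negative or oversized length takes it down, like the crash or lock-up a real
    analyzer provokes."""
    alive = True

    def length_ok(self, n):
        if n < 0:                                   # simulated crash
            self.alive = False
            raise MemoryError("negative length reaches the allocator")
        if n > LIMIT:                               # simulated lock-up
            self.alive = False
            raise TimeoutError("oversized allocation never returns")
        return True

    def handle(self, msg):
        if not self.alive:
            raise RuntimeError("target is down; restart it before sending more")
        header, _, body = msg.partition(b"\n")
        if not header.startswith(b"LEN "):
            return b"ERR bad header"
        try:
            n = int(header[4:])
        except ValueError:
            return b"ERR bad length"
        if not self.length_ok(n):
            return b"ERR length out of range"
        return b"OK " + body[:n]

class PatchedTarget(ToyTarget):
    """Same target after a vendor fix: the length is validated, not trusted."""
    def length_ok(self, n):
        return 0 <= n <= LIMIT

SEED_MSG = b"LEN 5\nhello"                          # constructed valid message
BOUNDARIES = [0, -1, LIMIT + 1, 2**31 - 1, 2**32, -(2**31)]

def mut_bitflip(msg, rng, k):                       # random single-bit corruption
    buf = bytearray(msg)
    buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    return bytes(buf)

def mut_boundary_int(msg, rng, k):                  # declared length -> boundary value
    _, sep, body = msg.partition(b"\n")
    return b"LEN " + str(BOUNDARIES[k % len(BOUNDARIES)]).encode() + sep + body

def mut_truncate(msg, rng, k):                      # cut the message short
    return msg[: rng.randrange(1, len(msg))]

MUTATORS = [mut_bitflip, mut_boundary_int, mut_truncate]

@dataclass
class Finding:
    case: int
    mutator: str
    payload: bytes          # the recorded trigger, replayable as-is
    fault: str              # exception class name: the monitored fault condition

@dataclass
class AuditTrail:
    cases: int = 0
    restarts: int = 0
    findings: list = field(default_factory=list)

def run_analysis(target_cls=ToyTarget, cases=90, seed=1):
    rng = random.Random(seed)                       # seeded: the run is repeatable
    trail, target = AuditTrail(), target_cls()
    for i in range(cases):
        mutator = MUTATORS[i % len(MUTATORS)]
        payload = mutator(SEED_MSG, rng, i // len(MUTATORS))
        trail.cases += 1
        try:
            target.handle(payload)                  # step 1: attack
        except Exception as exc:                    # step 2: monitor for a fault
            trail.findings.append(Finding(i, mutator.__name__, payload, type(exc).__name__))
            target = target_cls()                   # step 3: restart the target, carry on
            trail.restarts += 1
    return trail

def reproduces(finding, target_cls=ToyTarget):
    """Replay a recorded payload against a fresh target; a real finding fails the same way."""
    try:
        target_cls().handle(finding.payload)
    except Exception as exc:
        return type(exc).__name__ == finding.fault
    return False

def regression_check(trail, patched_cls=PatchedTarget):
    """Patch-cycle use: the findings that still fault against the patched build."""
    return [f for f in trail.findings if reproduces(f, patched_cls)]

if __name__ == "__main__":
    t = run_analysis()
    print(f"{t.cases} cases, {len(t.findings)} faults, {t.restarts} restarts,"
          f" {len(regression_check(t))} still failing after the patch")
```

Running the file reports 90 cases, 25 faults (every boundary length except 0), 25 restarts and 0 still failing after the patch. Only the boundary-value mutator finds anything here, because a single bit flip or a truncation of the constructed message cannot yield a negative or oversized length; that is the point of carrying protocol-aware mutations alongside blind corruption. A real analyzer replaces the in-process target with a network socket and the exception check with a liveness probe plus packet capture, but the bookkeeping is the same.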
Conclusion
Security analyzers and the security analysis lifecycle combine to make security audits easier, more effective and less costly. In fact, the objectives of the security analyzer and the security audit are virtually identical: better security, provided consistently and more cost-effectively. The security analyzer holds the potential to move the industry from its current reactive and difficult-to-replicate mode to a proactive, preemptive approach to protecting information resources.
Armed with security analyzers, managed service providers can thoroughly assess exposure to known and previously unknown vulnerabilities in any IP-based system or application, and can audit all equipment and software in a lab environment rather than in the production network. Automating security analysis with detailed reporting simplifies the auditing process substantially. With audit trails and remediation scripts, managed service providers can preemptively mitigate vulnerabilities while offloading overworked in-house IT resources.
Kowsik Guruswamy is co-founder and chief technology officer of Mu Security. Prior to founding Mu, he was a distinguished engineer at Juniper Networks and the chief architect for the Intrusion Prevention product line. Kowsik joined Juniper Networks through the acquisition of NetScreen/OneSecure, where he designed the first inline Intrusion Prevention device. He holds eight patents in various networking and security technologies and has a master's degree in Computer Science from the University of Louisiana.