This article is more than 1 year old
Want security? Next-gen startups show how old practices don't cut it
Stop hackers from walking on the eggshells protecting your datacenter
Automating Incident Response
Enter the startups. Automated incident response is the new hotness in the security world. Think of it as a combination of top notch monitoring software combined with incident response and auditing tools to help network architects devise mitigation plans.
Many of these startups never even make it out of stealth. I know of several that created their software, made presentations to a Fortune 2000 company, and were bought outright on the spot. The tales told are remarkably similar, if depressing. In most cases the Fortune 2000 company in question was less interested in actually applying proper security to their own network than they were preventing their competitors from gaining access to such a useful tool.
Fortunately, there are now at least two companies – Guardicore and Attivo – who are selling their wares in this space openly. I am aware of numerous others looking to come out of stealth in the next 12 months.
Let's take a brief look at Guardicore as an example company in this space. Guardicore has four main pieces: agents that can be deployed to production system, automated honeypot VMs, analysis VMs to crunch the data uncovered, and a management VM to provide a single UI for running the whole shebang.
The honeypot VMs are a neat idea, and the real core of the solution. These VMs run the same services as you run in your data center, except they do it with all the shields down and the security turned off. They then wait for someone or something to try to connect.
What's interesting is that this isn't the end of the utility of that honeypot VM. The honeypots let the attackers in. They record every single thing that the attackers do. This allows datacenter administrators and security researchers to understand how emerging threats work. It also allows the collection of detailed evidence for forensic and legal purposes, which is especially useful when working to deal with internal threats.
It doesn't end there. Agents can be installed on production systems that detect threats as well. These systems can be immediately locked down, with most types of attacks simply prevented outright, or any number of other incident response actions taken automatically, depending on threat type.
These actions needn't simply be shutting a service down. Guardicore can talk to hypervisors, software defined networking (SDN) systems, firewalls, and more to isolate specific attackers while keeping services active, redirect attacks from a live system to a honeypot and more.
There's more, of course. Much more than fits in a general overview, and some of which will require some pretty in depth explanations. The Register will cover this in due time with a full review.
If, however, you are at all concerned that your network's security isn't up to speed, don't wait for that review. Reach out to your security vendor of choice and have a conversation with them about automated incident response. Get as much education on the modern pillars of IT security as you can.
And if, for whatever reason, your security vendor doesn't have the ability to provide you with automated incident response software, it's time to embrace the startup world. Milions upon millions have suffered because of bad security. Don't count on eggshell security to protect your customers.
Or yourself. ®
Biting the hand that feeds IT
