Hello dear habrazhiteli, I recently thought about the applicability of various services in the field of information security, and here is what came of it.
Currently, many developers offer centralized solutions for monitoring the state of information security and identifying malicious (hacker) activity in the information systems of companies and organizations. These solutions work as follows:
the service consumer installs a device acting as an agent that collects information about all events in the company's information system (completely or selectively, depending on the solution); where necessary, these devices can be supplemented with software agents installed directly on the components of the IT infrastructure;
the collected information is transmitted to the servers of the company providing the service;
on the provider's servers, using the organization's knowledge base and the experience of its specialists, malicious (hacker) activity is singled out from the entire volume of information, along with events that may have negative consequences for the consumer's company; these incidents are then analyzed;
the consumer is provided, in real time, with services for responding to the identified threats or dealing with their aftermath.
Cisco (Sourcefire), Check Point, Palo Alto Networks and Symantec have similar products. This approach, of course, has significant advantages:
the service consumer does not need to understand all the nuances of information security in depth; it immediately receives a ready-made solution and spends practically nothing on keeping it effective (noticeably lower costs for information security personnel; having paid once, the consumer receives a ready-made set of tools and technologies and does not have to keep buying new components, apart from the cost of solution updates and technical support);
the functionality of such a service is convenient to extend and scale. Depending on its needs, the customer can extend the monitoring and response service to the required components of the IT infrastructure. The customer's task is to say “I want”, and competent companies will propose solutions to that task. In this regard, the ever tighter integration of protection tools and systems with one another plays into the service provider's hands and speeds up implementation.
A company providing such a service should certainly have an extensive knowledge base and analysis of information security incidents. Moreover, its staff includes specialists whose level of training and practical skills allow them to respond competently to violations of information security requirements and to attackers, so there is no need for the service consumer to keep on its own staff a significant number of employees who investigate information security incidents and develop measures to counter the actions of violators.
But this approach also has disadvantages. No, this is not a weakness of the technology or of its practical implementation. The main disadvantage is the dependence of the service consumer on the decision taken by the service provider on how to treat an event: as an incident or as an ordinary event. In addition, the supplier may be interested in "hushing up" individual incidents, whether by its own intent or under coercion. I would like to note that all these products are offered mainly by foreign vendors. Considering the current foreign policy situation and possible sanctions against our country, there are significant risks in deploying these solutions.
These risks include:
intentional “hushing up” of information security incidents identified by the service provider, or their misinterpretation;
configuring agents to monitor events that pose no serious danger to the company's business processes, whether through negligence, an unwillingness to delve into how the customer's organization works, or a desire to quickly roll out template solutions;
misleading the service consumer about the danger to its information resources during an incident or event identified by the agent;
the question of trust in the service provider. This question concerns both confidentiality and the availability of the service. The customer must be sure that information about its incidents will under no circumstances fall into third hands. Often, companies lack sufficient “papers” in which the supplier undertakes to guarantee the complete inviolability of the data, and recent events in the world, namely the sanctions against Russia and the information published by E. Snowden, make one question the value of such “papers”. The customer must also be sure that the incident handling system will be available and in working order 24/7. The inability to monitor its performance can put companies off such services;
a malicious influence on the service consumer's information system exerted through the functionality of the deployed agents.
In light of the material presented, one should note the unequivocal interest of domestic vendors in developing such solutions. Unfortunately, some solutions from domestic developers still rely on servers and decision-making centers located "abroad", and this approach does not remove the risks mentioned above. Therefore, domestic suppliers that use their own event processing and analysis centers in the Russian Federation will logically be of particular interest to consumers of this kind of information security service.
In conclusion, I would like to note that among domestic companies this direction is still only slightly developed. There are reasons for this:
most companies working with the public sector show little interest in this area of activity. Their work "revolves" around meeting the information security requirements defined by regulators, and the governing documents practically do not describe such an approach to information security and contain no requirements for building such an interaction system;
most domestic solutions, including certified ones, are designed to promptly identify the prerequisites for incidents (vulnerabilities of various kinds); they do not implement the full cycle of incident management actions;
small and medium-sized companies often have no interest in ensuring information security until the company incurs tangible financial losses from the actions of violators;
large companies that might be interested in such projects are often “shy” about disclosing their information security incidents to outsiders or, given the participation of foreign centers in processing information about incidents, are in no hurry to deploy such solutions.
Although in essence such solutions are quite “convenient” for an individual company as a means of closing most of the information security threats to its resources, without requiring the company to incur significant costs to keep its information resources in a secure state.