A disreputable person enters a bank, walks up to the teller and presents a note demanding all the money. The well-trained teller sets off an alarm, scaring the would-be thief, who runs out of the bank. The budding criminal walks to another branch of the same bank, walks in and attempts the same thing. As long as he is able to avoid pursuit, the felon-in-training can repeat this process until he succeeds. The future outlaw might even make some adjustments before his next attempt to increase his chance of success.
The Roman poet Ovid once said, ‘Dripping water hollows out stone, not through force but through persistence.’ This is one of the key issues with application security today. A potential hacker can repeatedly attack an application or website. Eventually, with enough persistence, the hacker will find a weakness in the network and application security defenses. There is always a weakness or vulnerability that can be exploited, given the time and resources to find it.
Security is a smorgasbord
The problem is not that our security models cannot detect and block threats. The issue is that multiple technologies are deployed at different layers of the OSI model and at different points in the network architecture, and these technologies are usually managed as self-contained entities. The router access control lists (ACLs) do not interact with the traditional firewall permit/deny policies. The intrusion prevention system (IPS) does not know what the web application firewall (WAF) is detecting or blocking.
Often, these solutions are delivered by different vendors and managed by separate IT teams, meaning that there is no desire, let alone need, to interoperate. Unfortunately, as the CISO will tell you, security is an issue that needs to be dealt with holistically, in an orchestrated manner.
Profiling can be good
Going back to our dauntless brigand and our bank, what if the bank could collect information from its various security systems? It collects video from the surveillance cameras, fingerprints from the counter tops or the robbery note, and even DNA from the stray hair that falls out of the robber’s prematurely balding head. Now the bank takes this information and shares it with all of its branch offices.
The next time the fearless lawbreaker attempts to enter one of the bank’s branches, he is identified from one or more of these signatures and is not even allowed into the bank. In addition, law enforcement is automatically alerted to his location for a potential arrest.
Unified security infrastructure
This is what it means to have a unified IT security infrastructure. The different components are able to detect and enforce the policies at a global and holistic level. Just because the detection is occurring at one point in the network does not mean that the ongoing mitigation should happen at that same point.
There must be a distributed system that can detect the threats at various levels of complexity. These distributed components require a framework to deliver centralized visibility into the health of the network from a security and application delivery perspective. To optimize the mitigation controls, a defense messaging standard must be defined to enable the sharing of information across different platforms.
As I mentioned previously, the ADC (application delivery controller) is inherently a security detection and enforcement point in the network. The ADC is responsible for applying application-aware, client-aware, content-aware, and session-aware security policies to detect and mitigate threats.
But just like the bank teller, it makes sense for the ADC to collect information about the application-level attack it detected and share that information with a perimeter security solution, so that future attacks with that profile can be blocked from even entering the network.
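The exchange described above, reduced to working code as an added example (this is not the author's or any vendor's code): an application-aware detection point inspects request lines, serializes each finding into an agreed message format, and publishes it on a shared channel; perimeter firewalls at every site consume the messages and add a block rule once a source crosses a threshold, so an attack detected at one site is dropped at the edge of every site thereafter. The message fields, the two detection patterns, the threshold and the sample traffic (TEST-NET addresses) are all assumptions constructed for illustration; a real WAF uses far richer rules and a real deployment would use an actual transport such as a message queue.

```python
"""Detection at one point, enforcement everywhere: a toy 'defense messaging'
exchange between an ADC/WAF and the perimeter firewalls of two sites.
Added example; schema, patterns, thresholds and traffic are made up."""
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set, Tuple
import json
import re


# --- shared message schema (assumed; the post only says one "must be defined") ---
@dataclass
class ThreatEvent:
    source_ip: str
    category: str      # e.g. "sqli", "path_traversal"
    evidence: str      # request fragment that triggered the detection
    detected_by: str   # which component raised the event
    confidence: int    # 0-100, assumed scale

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)

    @classmethod
    def from_json(cls, raw: str) -> "ThreatEvent":
        return cls(**json.loads(raw))


# --- detection point (ADC/WAF): crude, illustrative application-layer patterns ---
SIGNATURES = {
    "sqli": re.compile(r"(?:'|%27)(?:\s|%20)*(?:or|and)(?:\s|%20)+\d+\s*=\s*\d+", re.IGNORECASE),
    "path_traversal": re.compile(r"(?:\.\./|%2e%2e%2f)", re.IGNORECASE),
}


def inspect_request(source_ip: str, request_line: str, site: str) -> Optional[ThreatEvent]:
    """Return a ThreatEvent if the request line matches a known attack pattern."""
    for category, pattern in SIGNATURES.items():
        m = pattern.search(request_line)
        if m:
            return ThreatEvent(source_ip, category, m.group(0), f"adc-{site}", 90)
    return None


# --- perimeter enforcement point: consumes events, maintains a blocklist ---
class PerimeterFirewall:
    def __init__(self, site: str, block_threshold: int = 2, min_confidence: int = 80):
        self.site = site
        self.block_threshold = block_threshold   # detections before a block rule is added
        self.min_confidence = min_confidence     # ignore low-confidence events
        self.hits: Dict[str, int] = {}
        self.blocked: Set[str] = set()

    def consume(self, raw: str) -> bool:
        """Apply one serialized ThreatEvent; return True if a block rule was added."""
        ev = ThreatEvent.from_json(raw)
        if ev.confidence < self.min_confidence:
            return False
        self.hits[ev.source_ip] = self.hits.get(ev.source_ip, 0) + 1
        if self.hits[ev.source_ip] >= self.block_threshold and ev.source_ip not in self.blocked:
            self.blocked.add(ev.source_ip)
            return True
        return False

    def allows(self, source_ip: str) -> bool:
        return source_ip not in self.blocked


class DefenseBus:
    """Stand-in for the shared channel: every subscriber receives every event."""
    def __init__(self) -> None:
        self.subscribers: List[PerimeterFirewall] = []

    def subscribe(self, fw: PerimeterFirewall) -> None:
        self.subscribers.append(fw)

    def publish(self, event: ThreatEvent) -> None:
        raw = event.to_json()          # serialized once, in the agreed format
        for fw in self.subscribers:
            fw.consume(raw)


def run_scenario(traffic: List[Tuple[str, str, str]]) -> Tuple[List[str], Dict[str, PerimeterFirewall]]:
    """Replay (site, source_ip, request_line) tuples through both sites' defenses."""
    bus = DefenseBus()
    sites = {name: PerimeterFirewall(name) for name in ("site-a", "site-b")}
    for fw in sites.values():
        bus.subscribe(fw)
    decisions: List[str] = []
    for site, ip, request in traffic:
        fw = sites[site]
        if not fw.allows(ip):                      # perimeter drops it before the ADC sees it
            decisions.append(f"{site}: dropped at perimeter")
            continue
        event = inspect_request(ip, request, site)
        if event is None:
            decisions.append(f"{site}: allowed")
            continue
        bus.publish(event)                         # share the profile with every site
        decisions.append(f"{site}: detected {event.category}")
    return decisions, sites


# Constructed sample traffic: one benign client, one client probing site-a twice
# and then trying site-b.
SAMPLE_TRAFFIC = [
    ("site-a", "203.0.113.5", "GET /index.html HTTP/1.1"),
    ("site-a", "198.51.100.7", "GET /login?user=admin'%20OR%201=1 HTTP/1.1"),
    ("site-a", "198.51.100.7", "GET /static/../../etc/passwd HTTP/1.1"),
    ("site-b", "198.51.100.7", "GET /index.html HTTP/1.1"),
    ("site-b", "203.0.113.5", "GET /products?id=42 HTTP/1.1"),
]

if __name__ == "__main__":
    for line in run_scenario(SAMPLE_TRAFFIC)[0]:
        print(line)
```

The fourth request is the point of the exercise: site-b's ADC never saw the attacker, yet its perimeter already holds a block rule because both detections at site-a were published in the shared format. The threshold and confidence gate are there for a reason: a perimeter block is a blunt instrument, so an enforcement point should require corroboration before it acts on another component's verdict.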