
ADMP and Assessment

Application and Database Monitoring and Protection. ADMP for short.

In Rich's previous post, under "Enter ADMP", he discussed coordinating security applications to address security issues. These applications may gather data in different ways, from different segments of the IT infrastructure, and cooperate with one another based on what they have collected or gleaned from analysis. What we are describing is decidedly not shoving every service into one appliance for one-stop shopping. Conceptually it is far closer to the DLP 'suites' that offer endpoint and network coverage with consolidated policy management.

Rich has been driving this discussion for some time, but the concept is not yet fully evolved. We are both advocates and see this as a natural evolution of application security products. Oddly, Rich and I very seldom discuss the details prior to posting, and this topic is no exception. I want to discuss two items I believe should be included under the ADMP umbrella: Assessment and Discovery. Assessment and discovery can automatically seed monitoring products with what to monitor, and cooperate with their policy sets.

Thus far the focus of most of our posts has been the monitoring and protection (as in active protection) side of ADMP. That reflects a primary area of interest for us, as well as what we perceive as the core value for customers. Cooperation between monitored points within the infrastructure, sharing both the collected data and the resulting analysis, represents a step forward and can increase the effectiveness of each monitoring point. Vendors such as Imperva are taking steps toward this type of strategy, specifically for tracking how a user's web activity maps to the back-end infrastructure. I imagine they will come up with more creative uses for this deployment topology in the future.

Here I am driving at cooperation between preventative controls (assessment and discovery, in this context) and detective controls (monitoring). More precisely: how monitoring and the various types of assessment and discovery can cooperate to make the entire offering more efficient and effective. When I talk about assessment, I do not mean a network port scan that guesses what applications and versions are running, but rather active interrogation and/or inspection of the application itself. And by discovery I mean not just the location of servers and applications, but a more thorough investigation of their content, configuration and functions.

Over the last four years I have advocated discovery, assessment and then monitoring, in that order. Discover what assets I have, assess what my known weaknesses are, and then fix what I can. I would then turn on monitoring for the generic threats that concern me, but also tune my monitoring policies to account for the weaknesses that remain in my configuration. My assumption is that there will always be vulnerabilities, and monitoring helps control them. With application platforms, and databases in particular, most firms are not, and cannot be, fully compliant with best practices while still delivering the business processing the database exists for. Typically the security weaknesses that remain part of daily operation come down to some specific setting or module that is simply not that secure but that the application depends on.

I know some disagree with this; Bruce Schneier has long advocated "Monitor First" as the correct approach. My feeling is that IT is a little different: adapting his analogy, I may not know where all of the valuables are stored, and I may not know what type of alarm is needed to protect the safe. I can discover a lot from monitoring, and it lets me witness both behavior and method during an attack and use that to my advantage in the future. But assessment provides tremendous value in knowing what to protect and how, and it does so before an attack. Most assessment and discovery tools are run periodically; they are not continuous, nor designed to find threats in real time, but neither are they a "set and forget" part of security. They are best run on a schedule to keep up with the fluid nature of IT systems.

I would add assessment of web applications, databases, and traditional enterprise applications into this equation. Some web application assessment vendors have announced the ability to cooperate with WAF solutions, as WhiteHat Security has done with F5. Augmenting a monitor or WAF this way is a very good idea in my opinion, both for coping with the inherent limitation that a live web application cannot be assessed aggressively without risking disaster, and because complete coverage of all possible generated content is impossible. Shielding a known weakness in the application, whether it stems from the design or from a patching delay, is a good example of the value here.

In the same way, many back-end application platforms provide functionality that business processing relies upon but that is less than secure. These might be database links or insecure network 'listener' configurations which cannot be immediately resolved, whether for business continuity or timing reasons. An assessment platform (or even a policy management tool, but more on that later) can interrogate the database for such weaknesses, or rummage through database tables looking for personally identifiable information, and feed the results to a database monitoring solution to help deal with these difficult situations. The interrogation reveals the weak feature or the sensitive data, and the result set seeds the monitoring tool's policies to watch for inappropriate use of the feature or access to the data. I covered many of these business drivers in a previous post on Database Vulnerability Assessment. It is very much because of drivers like PCI that I believe coupling assessment with monitoring and auditing is so powerful: the applications compensate for one another, each doing what it is best at and handing off coverage of the areas where it is less effective.
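As an added illustration of that assessment-seeds-monitoring loop (example code written for this post, not anything from a product or vendor mentioned here), the Python below runs the three steps in the order advocated above against a constructed SQLite schema: discover PII-looking columns and a database link that carries stored credentials, turn each finding into a monitoring policy with an owner-supplied allow list, then replay a constructed audit trail through those policies. The sys_db_links table, the column-name heuristics, the owners mapping and the audit lines are all assumptions of the example; a real DBMS exposes links through its own catalog views, and a real audit trail comes from the database or a DAM agent.

```python
from __future__ import annotations

import re
import sqlite3
from dataclasses import dataclass
from typing import Callable

# Column-name heuristics for "is this column likely PII?".
# Constructed for this example; a real assessment product ships far richer rules.
PII_PATTERNS = {
    "ssn":   re.compile(r"(^|_)(ssn|social_security|national_id)($|_)", re.I),
    "card":  re.compile(r"(^|_)(card|pan|cc_number)($|_)", re.I),
    "email": re.compile(r"(^|_)e?mail($|_)", re.I),
}


@dataclass(frozen=True)
class Finding:
    kind: str    # "pii_column" or "weak_feature"
    target: str  # "table.column" or "db_link:<name>"
    detail: str  # PII category, or a description of the weak feature


@dataclass
class Policy:
    name: str
    severity: str
    allowed_users: frozenset[str]
    matcher: Callable[[str], bool]  # does this SQL statement touch the target?


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema standing in for a production database. sys_db_links is an
    assumed stand-in for the catalog view a real DBMS keeps for database links."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers     (id INTEGER, name TEXT, email TEXT, ssn TEXT);
        CREATE TABLE orders        (id INTEGER, customer_id INTEGER, total REAL);
        CREATE TABLE payment_cards (id INTEGER, customer_id INTEGER, card_number TEXT);
        CREATE TABLE sys_db_links  (name TEXT, target TEXT, stored_password INTEGER);
        INSERT INTO sys_db_links VALUES ('hr_link', 'hr-prod', 1);
    """)
    return conn


def discover(conn: sqlite3.Connection) -> list[Finding]:
    """Discovery/assessment pass: walk the catalog for PII-looking columns and for
    database links that carry stored credentials."""
    findings: list[Finding] = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name != 'sys_db_links'")]
    for table in tables:  # table names come from the catalog, not from user input
        for _cid, col, *_rest in conn.execute(f"PRAGMA table_info({table})"):
            for category, pattern in PII_PATTERNS.items():
                if pattern.search(col):
                    findings.append(Finding("pii_column", f"{table}.{col}", category))
    for name, target, stored_pw in conn.execute(
            "SELECT name, target, stored_password FROM sys_db_links"):
        if stored_pw:
            findings.append(Finding("weak_feature", f"db_link:{name}",
                                    f"link to {target} with stored credentials"))
    return findings


def _column_matcher(table: str, col: str) -> Callable[[str], bool]:
    table_ref = re.compile(rf"\b{table}\b", re.I)
    explicit = re.compile(rf"\b{col}\b", re.I)
    # SELECT * reads the column without naming it, so it counts as an access too.
    wildcard = re.compile(rf"select\s+\*\s+from\s+{table}\b", re.I)
    return lambda stmt: bool(table_ref.search(stmt)
                             and (explicit.search(stmt) or wildcard.search(stmt)))


def seed_policies(findings: list[Finding], owners: dict[str, set[str]]) -> list[Policy]:
    """Turn findings into monitoring policies. `owners` maps a finding target to the
    accounts the application owner says may legitimately touch it (assumed input)."""
    policies: list[Policy] = []
    for f in findings:
        allowed = frozenset(owners.get(f.target, set()))
        if f.kind == "pii_column":
            table, col = f.target.split(".", 1)
            policies.append(Policy(f"pii-access:{f.target}",
                                   "high" if f.detail in ("ssn", "card") else "medium",
                                   allowed, _column_matcher(table, col)))
        elif f.kind == "weak_feature" and f.target.startswith("db_link:"):
            link_ref = re.compile(rf"@{f.target.split(':', 1)[1]}\b", re.I)
            policies.append(Policy(f"dblink-use:{f.target.split(':', 1)[1]}", "high",
                                   allowed, lambda stmt, r=link_ref: bool(r.search(stmt))))
    return policies


def evaluate(policies: list[Policy], events: list[tuple[str, str]]) -> list[tuple[str, str, str, str]]:
    """Monitoring pass: (policy, severity, user, statement) for every statement that
    touches a seeded target from an account not on its allow list."""
    return [(p.name, p.severity, user, stmt)
            for user, stmt in events for p in policies
            if p.matcher(stmt) and user not in p.allowed_users]


# Constructed inputs for the example.
SAMPLE_OWNERS = {
    "payment_cards.card_number": {"billing_app"},
    "customers.email": {"crm_app"},
    "db_link:hr_link": {"etl_batch"},
    # customers.ssn has no approved reader, so every access should alert
}
SAMPLE_AUDIT = [  # (account, statement) as a database audit trail would record them
    ("billing_app", "SELECT card_number FROM payment_cards WHERE customer_id = 42"),
    ("jdoe",        "SELECT name, ssn FROM customers"),
    ("jdoe",        "SELECT * FROM customers WHERE id = 7"),
    ("report_svc",  "SELECT id, total FROM orders"),
    ("etl_batch",   "INSERT INTO staging SELECT * FROM employees@hr_link"),
    ("jdoe",        "SELECT * FROM employees@hr_link"),
]


def run_pipeline():
    """Discover -> assess -> seed -> monitor, end to end on the sample data."""
    findings = discover(build_sample_db())
    policies = seed_policies(findings, SAMPLE_OWNERS)
    return findings, policies, evaluate(policies, SAMPLE_AUDIT)


if __name__ == "__main__":
    findings, policies, alerts = run_pipeline()
    for f in findings:
        print(f"finding  {f.kind:12} {f.target:28} {f.detail}")
    for name, sev, user, stmt in alerts:
        print(f"ALERT [{sev}] {name}: {user}: {stmt}")
```

Run as a script it lists four findings and raises four alerts, all against jdoe: the explicit ssn read, the two columns pulled by the SELECT * on customers, and the database link use by an account that is not the ETL job. The billing application's card read and the ETL job's link use pass because the owner allow list says they are expected. Matching SQL text with regular expressions is a stand-in for the statement parsing a DAM product does; the SELECT * case is included precisely because a naive column-name match misses it.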

Next up, I want to talk about policy formats, the ability to construct policies that apply to multiple platforms, and how to include result handling.

—Adrian


Comments:

By Ted J  on  07/21  at  01:34 AM

You've nailed it with this post, Adrian. Frankly I think customers are far more likely to reap benefits from creating synergy across processes that relate to the same IT assets (in the case of this post, across discovery, assessment, and monitoring for databases) than they are for similar processes across different IT assets (monitoring across WAF and DAM). Mainly this is true because a more coherent group of people are involved and it's easier to set policy. But I also think it's very hard for a single vendor to effectively span these functions across multiple components (do a credible job with monitoring at both the database and the WAF). This will remain the case, anyway, at least until these functions commoditize and collapse into other functions, but that is several years away. Speaking of that consolidation, I for one think these disparate components will collapse into categories based on sharing similar users, functions, and location in the infrastructure. As such, I'd bet on the WAF (for example) getting added to the next-gen firewall / security gateway and I don't think that solution will be the same one that does database and/or packaged app security.

By Adrian  on  07/21  at  05:30 AM

Thanks for the compliment. And I do agree, at least in the short term, that there will be more value derived from a single IT asset convergence. Both in a sense that it is a little easier to cope with the threat models, as well as getting expertise under one product vendor 'roof' to build credible solutions. But the real trick with ADMP is to look at the problem a little more holistically and marry dissimilar security apps. And one of the other reasons why I like the policy model ... how it gets mapped to the infrastructure is not just the product vendor challenge.

Your comment on WAF is worth further review. Are DAM and WAF on different evolutionary trajectories? I think the answer is 'yes', which leads me to the question of 'why'. More to come on that one.
