The frenzy of activity triggered by a network attack requires a new approach to threat management, one that makes the network and its resources a partner in its own defense and allows security and operations groups to work together to resolve the problem.
Routers, switches and more can be allies in protecting the network by leveraging topology information and change procedures provided by a network configuration management system. In combination with threat-detection products such as an intrusion detection systems or security information management (SIM) systems, configuration management systems also offer the ability to document, audit and reverse changes, which is critical to successful protection against network-borne attacks.
To reduce the amount of time you are exposed to a threat, security and network groups must work together to investigate, diagnose, remediate and document problems. However, neither organization has the information, expertise or authority to respond unilaterally. Security focuses on defining and monitoring the policies that protect the organization and on detecting threats or out-of-policy behavior. The network organization primarily ensures that the infrastructure delivers the service levels required and solves problems as they arise. Effective threat response is the combination of the right tools and the right processes that can meld these organizations into a single team.
To start, the security group must decide what its policies are regarding network protection, availability and service level. The organization needs to answer questions such as, "Which users and business processes get priority?" and "What can be sacrificed for the greater good?" These insights help reduce unintended collateral impact of real-time changes to network settings in response to an attack.
With a clear understanding of policy, incident-response processes can be crafted by anticipating and accommodating threat scenarios, the staff's skill level and authority, the need to communicate and document actions taken, and the need to integrate with other organizations, such as the help desk.
Once policies and the associated processes are in place, the network organization uses network configuration management to assemble the information required to make decisions and take action. The group profiles the existing network topology and establishes the value and role of critical servers and users to ensure that policy guidelines and priorities are followed. For example, if you cannot see that the IP address under attack is the payroll server, or cannot see where the payroll server is connected, any network change in response to an attack is guesswork and likely to cause unintended negative consequences.