I was discussing yesterday how to use virtualization and cloud performance management tools as an early warning system for security issues. I have touched before on the use of New Relic, VMware vFabric APM, Quest vFoglight, and other tools that can make up such an early warning system, but without the proper process in place, the tools alone will not be good enough.

I use the aforementioned tools day in and day out to peer into my virtual networks and environments to determine what problems exist and, if they are anomalous enough, to look at the data from a security perspective. "Was I hacked?" is the primary question to ask, but in reality I was following a process to determine when, where, how, and by whom I was attacked and possibly hacked. The process was a series of questions that looked something like this:
- Was there a spike in a certain type of traffic?
- If there was, determine where that traffic was going to or coming from.
- Was that site a well-known site or something unknown? This step could require some further scripting if there is a significant amount of data, so your tools need to support exporting the necessary data for further automated analysis.
- Was the attempt caught by my Web Application Firewall?
- If the source was unknown and the traffic was not caught, was this a hack attempt?
- What files were accessed?
- Were those files modified?
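The first five questions above can be scripted against exported performance data. The following is an added example, not code from the original post or from any of the tools named; it assumes a constructed export of per-request events (minute bucket, remote host, path, WAF-blocked flag) and a hypothetical allow-list of known hosts. It flags minutes whose request count spikes above the recent baseline, then drills into a flagged minute by host, known-versus-unknown status, and what the WAF did not catch. The file-access and file-modification questions need host-level data and are not covered here.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of request events, in the shape one might export from an
# APM tool. Minutes 0-9 are normal traffic from a known partner host; minute 10
# carries a burst from an unknown host, only a quarter of which the WAF caught.
KNOWN_HOSTS = {"198.51.100.10"}  # hypothetical allow-list of expected sources
EVENTS = [{"minute": m, "host": "198.51.100.10", "path": "/api/orders", "blocked": False}
          for m in range(10) for _ in range(5)]
EVENTS += [{"minute": 10, "host": "203.0.113.7", "path": "/login", "blocked": i % 4 == 0}
           for i in range(40)]

def requests_per_minute(events):
    """Bucket events into a zero-filled per-minute count series."""
    counts = Counter(e["minute"] for e in events)
    return [counts.get(m, 0) for m in range(max(counts) + 1)]

def spike_minutes(series, window=10, z=3.0):
    """Flag minutes whose count exceeds mean + z * spread of the preceding window.
    The spread is floored at sqrt(mean) (Poisson-style) so a perfectly flat
    baseline, whose stdev is zero, does not flag every one-request increase."""
    flagged = []
    for i in range(window, len(series)):
        base = series[i - window:i]
        mu = mean(base)
        spread = max(pstdev(base), mu ** 0.5)
        if series[i] > mu + z * spread:
            flagged.append(i)
    return flagged

def triage(events, minute, known_hosts):
    """Drill down on one flagged minute: who sent the traffic, whether the
    source is known, how much from unknown sources the WAF let through, and
    which paths that unblocked traffic hit (the ones to review next)."""
    in_minute = [e for e in events if e["minute"] == minute]
    by_host = Counter(e["host"] for e in in_minute)
    unknown = {h for h in by_host if h not in known_hosts}
    unblocked = [e for e in in_minute if e["host"] in unknown and not e["blocked"]]
    return {"hosts": dict(by_host),
            "unknown_hosts": sorted(unknown),
            "unblocked_unknown": len(unblocked),
            "paths_to_review": dict(Counter(e["path"] for e in unblocked))}

if __name__ == "__main__":
    series = requests_per_minute(EVENTS)
    for m in spike_minutes(series):
        print(f"minute {m}: {triage(EVENTS, m, KNOWN_HOSTS)}")
```

On the constructed data this flags minute 10 and reports 30 unblocked requests to /login from one unknown host, which is the point at which a person should be pulled in.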
In essence, the questions drill down from the arbitrary traffic data to specifics about the application in question. To properly use Application Performance Management tools as an early warning system, it is paramount that you know the following:
- What is considered normal behaviour
- What comprises your application
- What attacks are available against your application
- Further tools to manipulate the performance management data (if necessary)
In many ways there is more to this process than just the tools: you need to understand your application well enough to use those tools effectively, to ask the proper questions, and to involve the appropriate people when necessary. Even so, the tools need visibility into all aspects of your virtual and cloud environment, and that visibility could be an issue within the cloud.
The tools provide the data; how you manage the data is part of your process, and that process should be well documented. As you go into the cloud, add some more questions to your pre-work list, such as "Can I get the visibility I need to know what is anomalous within my application?" and "What other tools are necessary to make this happen?"
Business agility is here; now there is a need for security agility that follows along with the needs of the business.