Analyst & Research Reports

O'Reilly Modern Defense in Depth


Using Good Bots to Your Advantage

It is possible to create internally commissioned good bots that run as daemons in the background on the current and future technologies that comprise the various lines of defense. You could use these good bots across the infrastructure that provides device and technology management for one line of defense to learn more about what the other lines of defense do, what they are capable of, or under which conditions they are currently operating. Most technologies have physical, logical, and other limitations, and when these limitations are close to being exceeded, most of them will send an alert in the form of an SNMP trap or Syslog message in the hope of alerting their operators that a stressed condition exists—and might be increasing. When operators do not take an action that alleviates the cause of the stressed condition, all sorts of negative repercussions can follow. All technologies have their limitations. For example, if a moderately sized distributed denial-of-service (DDoS) attack is effectively being blocked by an edge router's access control lists (ACLs), but the router's processing limits are about to be exceeded, a good bot perusing the lines of defense could become aware of the situation, alert SOC personnel to act, or even initiate a change on its own to take evasive action. This action could include removing the ACL that blocks the attack on the router, letting the attack leak through, and blocking it with the downstream DDoS defenses instead. Given that the DDoS defenses are the very next line of defense the traffic will encounter, it can easily be blocked there using the resources that this line still has available. This concept can be compared to a fallback maneuver performed by a military whose line of defense is about to be overrun.
In this case, all lines of defense can be made aware of any processing limit that is about to be exceeded and can automatically offload (fall back) attack traffic to some other line to ensure that no latency or outage is incurred due to overconsumption of available resources. When thinking about the usage of SML, automation, scripting, and APIs, nearly any idea is conceivable.

42 | Chapter 5: The Future of Defense in Depth
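As an added example (not from the report), a minimal Python "good bot" of the kind described above: it reads constructed Syslog stress messages from edge routers, alerts the SOC at a warning threshold, falls back to the downstream DDoS defenses when a router is near its processing limit while its ACL is still dropping attack traffic, and re-arms the ACL only after the router has recovered. The message format, thresholds and device names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample feed from two edge routers while an edge ACL absorbs a DDoS.
# The message format is invented for this example, not taken from any vendor.
SAMPLE_SYSLOG = """\
<189>Oct 11 10:00:01 edge-rtr1 SYS: CPU utilization 61%, acl-drops=120000 pps
<189>Oct 11 10:00:31 edge-rtr1 SYS: CPU utilization 78%, acl-drops=410000 pps
<188>Oct 11 10:01:01 edge-rtr1 SYS: CPU utilization 93%, acl-drops=880000 pps
<188>Oct 11 10:01:31 edge-rtr1 SYS: CPU utilization 95%, acl-drops=900000 pps
<189>Oct 11 10:01:31 edge-rtr2 SYS: CPU utilization 40%, acl-drops=0 pps
<189>Oct 11 10:05:01 edge-rtr1 SYS: CPU utilization 35%, acl-drops=0 pps
"""
LINE_RE = re.compile(r"^<\d+>\w{3} +\d+ [\d:]+ (?P<host>\S+) SYS: CPU utilization "
                     r"(?P<cpu>\d+)%, acl-drops=(?P<drops>\d+) pps$")

@dataclass
class Action:
    host: str
    kind: str    # "alert", "fallback" or "restore"
    detail: str

class FallbackBot:
    """warn: alert the SOC; critical: offload the attack to downstream DDoS defenses;
    recover: re-arm the edge ACL only once CPU is well below critical (hysteresis)."""
    def __init__(self, warn=75, critical=90, recover=50):
        self.warn, self.critical, self.recover = warn, critical, recover
        self.in_fallback = set()   # routers whose ACL this bot has already removed

    def handle(self, line):
        m = LINE_RE.match(line)
        if not m:
            return []              # not a stress message this bot understands
        host, cpu, drops = m["host"], int(m["cpu"]), int(m["drops"])
        if host in self.in_fallback:   # already offloaded: only watch for recovery
            if cpu <= self.recover:
                self.in_fallback.discard(host)
                return [Action(host, "restore", f"CPU {cpu}%: re-apply edge ACL on {host}")]
            return []
        if cpu >= self.critical and drops > 0:   # near the limit *and* the ACL is busy
            self.in_fallback.add(host)
            return [Action(host, "alert", f"{host} at {cpu}% CPU while its ACL drops {drops} pps"),
                    Action(host, "fallback", f"remove edge ACL on {host}; downstream DDoS defense takes over")]
        if cpu >= self.warn:
            return [Action(host, "alert", f"{host} approaching CPU limit ({cpu}%)")]
        return []

def run(syslog_text, bot=None):
    """Feed every line through one bot instance and return the actions in order."""
    bot = bot or FallbackBot()
    return [a for line in syslog_text.splitlines() for a in bot.handle(line)]
```

High CPU without ACL drops is deliberately treated as an ordinary alert rather than a fallback, since removing the ACL would not relieve a router that is busy for some other reason.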
