You can’t manage what you can’t see!

January 5, 2006

Security threats have grown more menacing with the appearance of the likes of Sober, Mytob, and Bagle. Along with the newer trends of spyware, phishing and key logging, the implications of ineffective information security have become potentially debilitating to business operations and indeed to strategy.

Such attacks represent an increasing risk to an enterprise, as information is compromised or floods of malicious traffic clog networks and bring mission-critical business systems, processes and procedures to a standstill.

There is a wealth of tools available to help protect the enterprise from security threats. Firewalls, virtual private networks, strong user authentication, encryption, intrusion detection/prevention systems (IDS/IPS), email filters, antivirus and vulnerability scanners are all options. Each of these point solutions is capable of addressing a specific element of the security mosaic. To work around their individual limitations, many enterprises aggregate these solutions in a futile attempt to achieve effective IT security.

In isolation or even together, however, these tools are ineffective against unknown, targeted or blended attacks. That is to say, a previously undefined exploit requires the vendor to develop a system security patch, and during that time the undefined attack will propagate, unchecked, throughout the enterprise. If this happens to be your network, your enterprise will be on the security front line, open to virus and hacker attacks and unable to maintain normal business activity. From a corporate governance standpoint, this lack of security control is simply unacceptable.

The downside of this deterministic or signature-based approach is that it is increasingly difficult to track, let alone manage, the volume of alerts coming daily from multiple sources. Corporate governance, however, demands that these alerts are managed using formal and auditable IT risk management processes with timely and meaningful security outcomes.

The corollary is that, in an increasingly complex and networked world, the risks to the enterprise have become increasingly debilitating, while the fundamentals of managing those risks have changed little.

Insight through analysis: a better approach

Too little protection or too much protection: today’s security solutions fall short either way. Experience demonstrates that an ideal security solution is one that permits network communications between enterprises while protecting against security breaches as they happen, regardless of whether the breach is familiar or not. Existing technologies cannot deliver this level of intelligence.

Microsoft Chairman, Bill Gates, introduced a vision called Adaptive Protective Technology (A.P.T.), which would, in the future, create networks that continually monitor network activity and respond in real-time to unexpected changes in behaviour.

Gartner Vice President of Security Research, John Pescatore, confirmed the validity of the vision by noting that A.P.T. is the only way to detect and prevent unknown attacks. “Rather than the cycle of attack and patch which invariably leaves the hacker the winner, A.P.T. shields the enterprise and prevents attacks, to which the enterprise is vulnerable, from entering the system,” he said. “A.P.T. effectively blocks suspicious activity before it wreaks havoc across the enterprise.”

A next generation threat management system now delivers A.P.T. through the use of hybrid Behavioural Anomaly Detection (B.A.D.) technology. With a number of successful deployments within high volume, mission-critical enterprises, the system is able to instantly identify and respond to unusual or unfamiliar system behaviour. B.A.D. operates by first observing the enterprise network (including operating system and application activity) to establish a baseline of activity on the ICT infrastructure.

This non-deterministic system continually gathers data from multiple sources in the network and relays that data back to a quantitative decision engine for analysis and response. The response is based on measures of the relationships between events occurring at different OSI layers, on an assessment of the threat severity, and on the priority of the assets under threat. This allows for automated monitoring of enterprise traffic and the instant detection of unusual or non-compliant events.

When internal misuse or an external breach is detected, the technology can instantly respond to lock user accounts, stop and start processes, or execute any command line script or executable according to a predefined script. For example, if a Denial of Service (DoS) attack is detected it can instantly reconfigure the firewall to block the source IP address or subnet.

B.A.D. technology is equally adept at pinpointing other breaches such as fraud, buffer overflows, worms and reconnaissance.

This anomaly-based behavioural approach to IT system activity is unique in its ability to permit normal or familiar traffic to transit the network and yet be able to identify unrecognised or non-compliant behaviour. Unlike deterministic solutions this new approach is, by design, measurably more effective at identifying and responding to potential threats before they become a problem.

The implications of this are significant. For example, an employee takes a laptop home and gets it infected with a new variant of a fast-spreading worm like NetSky or Sober. If the attack signatures on that laptop have not been updated, the worm will propagate within the machine. When that laptop re-connects to the enterprise network, the attack may traverse the firewall and wreak havoc. Without B.A.D. technology to respond to unusual traffic across the outbound mail port, the malicious behaviour may continue for minutes or hours, until an appropriate virus definition update has been sourced and the network patched. Conversely, using the B.A.D. threat management system the enterprise can protect against catastrophic damage, loss of data, intellectual property or reputation, costly clean-ups or even a breach of the law.
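The baseline-then-detect-then-respond loop described above (observe, score against a baseline, weight by threat severity and asset priority, trigger a predefined response) can be illustrated on the laptop-worm scenario. The following is an added example written for this page, not the vendor's decision engine or any code from the article; it uses a simple per-host z-score baseline, constructed log counts, hypothetical hosts and assumed asset priorities.

```python
import statistics
from collections import defaultdict

# Constructed sample data (hypothetical hosts and counts, not from the article):
# "<host> <dst_port> <outbound connections in a 5-minute window>".
# Training period: each host's normal level of outbound mail (port 25) traffic.
BASELINE_LOG = """\
10.1.1.20 25 3
10.1.1.20 25 4
10.1.1.20 25 2
10.1.1.20 25 5
10.1.1.20 25 3
10.1.1.21 25 0
10.1.1.21 25 1
10.1.1.21 25 0
10.1.1.21 25 1
10.1.1.21 25 0
"""
# Live window: the returning laptop (.21) suddenly mass-mails like a worm.
LIVE_LOG = "10.1.1.20 25 4\n10.1.1.21 25 140\n"

# Assumed asset priorities (1 = low, 3 = high); hypothetical values.
ASSET_PRIORITY = {"10.1.1.20": 3, "10.1.1.21": 2}

def parse(log):
    """Yield (host, port, count) from the whitespace-separated log format above."""
    for line in log.splitlines():
        host, port, count = line.split()
        yield host, int(port), int(count)

def build_baseline(log):
    """Per (host, port): mean and population stddev of observed window counts."""
    samples = defaultdict(list)
    for host, port, count in parse(log):
        samples[(host, port)].append(count)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in samples.items()}

def severity(z):
    """Bucket the deviation into a 1-3 severity, as a stand-in for the engine's threat assessment."""
    return 3 if z >= 10 else 2 if z >= 5 else 1

def score(baseline, live, k=3.0, floor=2.0):
    """Flag windows above mean + k*stddev. The stddev is floored so a nearly silent
    host is not flagged on one extra connection. Returns (host, port, count, z, risk)."""
    alerts = []
    for host, port, count in parse(live):
        mean, sd = baseline.get((host, port), (0.0, 0.0))
        z = round((count - mean) / max(sd, floor), 1)
        if z > k:
            alerts.append((host, port, count, z, severity(z) * ASSET_PRIORITY.get(host, 1)))
    return alerts

def respond(alerts):
    """Map each alert to the predefined response the article describes (block the source)."""
    return [f"firewall: block outbound tcp/{p} from {h} (count={c}, z={z}, risk={r})"
            for h, p, c, z, r in alerts]
```

Run against the constructed data, only the laptop at 10.1.1.21 is flagged; the busy but normal host 10.1.1.20 stays within its own baseline, which is the point of baselining per host rather than using one global threshold.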

True IT Threat Management

As this A.P.T. system is device/OS/application-agnostic, it can baseline activity and process alerts from any type of log-based or agent-installed source. This approach delivers a potent first line of defense providing coverage of the enterprise network. By refining alerting rules and allowing the software to continually learn from system activity, users can deploy B.A.D. technology to control their IT security practices, providing robust and effective IT threat management that protects the enterprise with a minimum of effort and expense.
