Threat defense: Adapting security to looming challenges

Mahesh Gupta, Business Development Manager, Network Security, Cisco India & SAARC

The year 2007 was characterized by unprecedented innovation and adaptability in the realm of security threats, as criminals once again demonstrated their ability to continually evolve attack strategies to keep ahead of even the most advanced human and technical defenses.

Rogue developers create such threats using worms, viruses, or application-embedded attacks. Botnets can be used to seed an attack: for example, rogue developers can use worms or application-embedded attacks (attacks hidden within application traffic such as web traffic or peer-to-peer shared files) to deposit "Trojans". This combination of attack techniques (a virus or worm used to deposit a Trojan, for example) is relatively new and is known as a blended attack. A blended attack can also occur in phases: an initial virus carrying a Trojan might open up an unsecured port on a computer, disable an access control list (ACL), or disarm antivirus software, with the goal of a more devastating attack to follow soon after.

The evolving perimeter

Changes in network architectures and evolving threats create new security challenges, and the concept of the network perimeter itself is changing. In the past, users could only access the network through a few ingress or egress points, usually where the Internet connected to the enterprise network. Enterprises stacked security at the Internet perimeter using firewalls and intrusion detection systems. Today, however, many more means of gaining entry to the network exist. With the perimeter extended and distributed, security must be applied at each of these new ingress and egress points to avoid damaging threats, which complicates security architectures.

Take, for example, Virtual Private Networks (VPNs). These allow enterprise users remote access to the corporate network and are much more widely used than just a few years ago. While previously enterprises might have insisted that VPN software run on a specific enterprise-configured computer, today users run VPNs from their own PCs or even from kiosks at copy centers or other businesses. This phenomenon opens many more entryways to the enterprise network and presents a significant challenge to IT departments. Is the computer equipped with virus protection? Are visitors or employees bringing their non-corporate assets into the corporate network? How is day-zero protection for known vulnerabilities provided while AV signatures are not yet available? And how can IT know whether a worm has become embedded in any of the existing applications on the servers, desktops or laptops in their network?

Or, for that matter, look at wireless: wireless LANs (WLANs) pose additional security challenges. Users operating on an unsecured wireless network at a local coffee house may be unaware that a rogue PC on the same wireless subnet is depositing a virus on their PC. When that PC is later docked into the corporate network, the virus or Trojan could gain entry to the network.

Security - the reverse Moore’s Law

At the same time as the network is becoming more vulnerable to attack because of the evolving perimeter, the threats themselves are changing. In addition to Trojans and botnets, newer, even more dangerous threats lurk. Two of the most troublesome are flash threats and self-mutating worms. Flash threats are so named because of the speed with which viruses or worms can spread. In 1999, a virus dubbed "Melissa," one of the earliest and most widespread viruses at the time, took 16 hours to spread globally, according to Network Associates Inc. In January 2003, the Slammer virus managed to infect more than 90 percent of the vulnerable hosts worldwide within 10 minutes using a well-known vulnerability in Microsoft's SQL Server. New viruses in the coming months and years are expected to spread even faster. Therefore, whatever defenses organizations create must be able to identify a threat and respond much more quickly than ever before.

The other looming threat is the self-mutating worm. Today's worms are relatively unintelligent. They are programmed to follow a specific set of instructions, such as to infiltrate one machine through a specific port and, once on the machine, compromise it in some way, for example by causing a buffer overflow and planting a Trojan. If anything interferes with these planned instructions, the worm lacks the ability to adjust and dies. Now, however, rogue developers are adding intelligence and logic to worms so that if a worm cannot complete a specific task it can mutate and pursue other lines of attack.

Experts call this security dilemma Moore's Law in reverse. Whereas Moore's Law postulates that processor performance will double every 18 months while costs decline dramatically, security is moving in the opposite direction: networks are becoming less secure while the cost to defend them is increasing. This prognosis is supported by mi2g, a UK research firm that specializes in computer security. mi2g reports that the economic damage from malevolent network security attacks reached somewhere between US$157 billion and US$192 billion worldwide in 2004.

New Threats = Increase in operational complexity and Manageability?

The current security defense paradigm is to deploy more and more of the existing security technologies throughout every segment of the network. This includes firewalls and ACLs to block access and perform application inspection, intrusion prevention system (IPS) technology to provide very granular traffic inspection and identify known threats, encryption software to counter eavesdropping, anomaly detection to detect worms or denial-of-service (DoS) attacks, and antivirus software to battle viruses.

Many of today's security technologies were developed to perform their specific function with little context of the overall network threat environment. Operating alone, however, these technologies are less effective in stopping the newer attacks, and in coping with the changing ways in which users access networks, because of the "security gaps" that exist between each technique's capabilities. With the increased complexity of threats, such as blended threats that use a combination of techniques to disrupt networks, security technologies must operate in a coordinated fashion to stop attacks and better control network activity and applications.

Unfortunately, over the years, many companies have addressed nagging security concerns by constantly adding devices and software to address each particular problem. This has led to separate antivirus protection, firewalls, VPNs, and intrusion prevention. While this addresses the short-term needs, it creates an entirely new and bigger problem: managing multiple systems that operate independently of one another. As more advanced threats emerge, there is a need for network security to become more holistic; security technologies must act in coordination to detect and defend against more sophisticated threats. There is a growing need for devices that can assemble the puzzle pieces and lock down the gaps that exist in conventional network security systems.

Adaptive Security for a Changing World

Transforming chaos into clear and manageable security policy is essential, which is why future network security systems need to focus on convergence and consolidation. For robust information security for an enterprise, a proactive architectural and system approach is critical. The idea is to accurately identify and stop attacks as early and as far from the destination host as possible, while simultaneously simplifying the security architectures required to do this.

Instead of a separate security product for each security need, an end-to-end security solution or systems approach enables these combined functions to operate as a coordinated defense (instead of silos) that stops a broader range of attacks and greatly reduces the number of diverse multi-vendor devices that must be deployed, thereby simplifying security design and management.

Historically, firewalls have generally been considered fairly simple devices, but they are effective at what they do: either block a packet or let it through based on Layer 3 and Layer 4 information and session state. They can provide some level of application inspection but do not perform the detailed inspection of some other technologies. An IPS device can pick up where a traditional firewall leaves off by peering more deeply into a packet's contents to see whether the data within conforms to company policy. Host IPS and host firewalls on servers, desktops and laptops, together with day-zero protection and intelligent behavior-based protection against application vulnerabilities and related flaws (whether inherent or inserted by viruses, worms or Trojans), give a high level of confidence about what is happening within an organization on a normal day. In an attack situation they show which segment is affected and what has gone wrong, and, when linked to monitoring, log-analysis and event-correlation systems, they give the flexibility and control to stop such situations.
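The division of labour described above, a stateful Layer 3/4 filter in front of a payload inspector, is easy to see in a small model. The following Python is an added illustration, not code from the article or from any Cisco product; the rule table, the single traversal signature and the three packets are constructed for the example, and the class and function names are my own.

```python
"""Toy model of the two inspection layers: a stateful Layer 3/4 firewall
followed by payload (IPS-style) inspection. Added illustration; all rules,
signatures and packets are constructed and not from any vendor's product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    proto: str          # "tcp", "udp" or "any"
    dst: str            # destination host or "any"
    dport: int          # destination port, 0 = any


class StatefulFirewall:
    """Decides only from addresses, ports, protocol and session state;
    it never looks at the payload."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # 5-tuples of sessions already admitted

    @staticmethod
    def _matches(rule, pkt):
        return (rule.proto in ("any", pkt.proto)
                and rule.dst in ("any", pkt.dst)
                and rule.dport in (0, pkt.dport))

    def check(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reply = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # Traffic of an already admitted session passes without a rule lookup.
        if key in self.sessions or reply in self.sessions:
            return "allow"
        for rule in self.rules:         # first matching rule wins
            if self._matches(rule, pkt):
                if rule.action == "allow":
                    self.sessions.add(key)
                return rule.action
        return "deny"                   # implicit default deny


class PayloadInspector:
    """IPS stage: looks for byte patterns inside the payload."""

    def __init__(self, signatures):
        self.signatures = dict(signatures)   # name -> byte pattern

    def check(self, pkt):
        for name, pattern in self.signatures.items():
            if pattern in pkt.payload:
                return name
        return None


def inspect(firewall, ips, pkt):
    """Run both layers in order; return (verdict, reason)."""
    if firewall.check(pkt) != "allow":
        return ("deny", "firewall: no permitting L3/L4 rule")
    hit = ips.check(pkt)
    if hit is not None:
        return ("deny", "ips: signature " + hit)
    return ("allow", "passed both layers")


def demo():
    """Constructed scenario: a web server that is reachable on port 80 only."""
    fw = StatefulFirewall([
        Rule("allow", "tcp", "10.0.0.5", 80),
        Rule("deny", "any", "any", 0),
    ])
    # Constructed signature: a directory-traversal pattern inside an HTTP request.
    ips = PayloadInspector({"http-traversal": b"/../../"})
    packets = [
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 80, b"GET /index.html HTTP/1.1"),
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40002, 23, b"login"),
        # Same session as the first packet, so the firewall waves it through;
        # only the payload inspector has the view needed to catch it.
        Packet("198.51.100.7", "10.0.0.5", "tcp", 40001, 80, b"GET /../../secret HTTP/1.1"),
    ]
    return [inspect(fw, ips, p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in demo():
        print(verdict, "-", reason)
```

The third packet is the point of the exercise: it belongs to a session the firewall has already admitted on Layer 3/4 grounds, so the firewall has nothing more to say about it, and only the stage that reads the payload can reject it.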

Adaptive threat defense is what is needed now: an end-point security system that can dynamically generate an attack signature and push it to the other end-points and to the perimeter IPS devices, stopping the attack from propagating to the rest of the infrastructure. Similarly, security operations teams face challenges in fine-tuning false positives; they struggle, logging into various devices to understand which configurations are producing which logs. The need of the hour is for the security operations team to be able to see the logs easily and link them to the configurations that are generating them.
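The log-to-configuration linkage asked for above can be demonstrated with a small correlation script. The following Python is an added example, not code from the article or from any Cisco tool: the rule table, the key=value alert lines, the benign-source list and all function names are constructed for the illustration. It maps every alert back to the rule that produced it, flags rules whose hits come mostly from sources the team already knows to be benign (the usual false-positive tuning candidates), and reports rule ids that appear in logs but not in the current configuration.

```python
"""Linking alert logs back to the rules that produced them, and flagging
rules whose hits come mostly from known-benign sources as tuning candidates.
Added illustration; the rule table, the log lines and the benign-source
list are all constructed for this example."""
import re

# Constructed rule table, as a SOC might export it from its sensors.
RULES = {
    "2001": {"device": "ips01", "action": "drop", "desc": "HTTP directory traversal pattern"},
    "104":  {"device": "fw01",  "action": "deny", "desc": "default deny inbound"},
}

# Constructed: internal hosts whose traffic is expected to trip signatures
# (e.g. the vulnerability scanner), so hits from them are likely false positives.
BENIGN_SOURCES = {"10.1.1.20"}

# Constructed log lines in a simple key=value format; the last line is malformed.
SAMPLE_LOGS = """\
2007-11-02T10:15:01 ips01 rule=2001 src=10.1.1.20 dst=10.0.0.5 dport=80 action=drop
2007-11-02T10:15:03 ips01 rule=2001 src=10.1.1.20 dst=10.0.0.6 dport=80 action=drop
2007-11-02T10:15:09 ips01 rule=2001 src=10.1.1.20 dst=10.0.0.7 dport=80 action=drop
2007-11-02T10:16:40 ips01 rule=2001 src=203.0.113.9 dst=10.0.0.5 dport=80 action=drop
2007-11-02T10:17:12 fw01 rule=104 src=198.51.100.4 dst=10.0.0.5 dport=23 action=deny
2007-11-02T10:17:13 fw01 rule=104 src=198.51.100.4 dst=10.0.0.5 dport=22 action=deny
2007-11-02T10:18:00 ips01 rule=9999 src=10.1.1.21 dst=10.0.0.5 dport=80 action=drop
garbage line that no parser should accept
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) rule=(?P<rule>\d+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_logs(text):
    """Parse key=value alert lines; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def link_to_rules(events, rules, benign_sources):
    """Per rule id: the rule definition (None if the log references a rule the
    current configuration does not know), hit count and benign-source hits."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(
            ev["rule"], {"rule": rules.get(ev["rule"]), "hits": 0, "benign_hits": 0, "sources": set()}
        )
        entry["hits"] += 1
        entry["sources"].add(ev["src"])
        if ev["src"] in benign_sources:
            entry["benign_hits"] += 1
    return summary


def tuning_candidates(summary, threshold=0.5):
    """Rule ids whose hits come mostly from benign sources (likely false positives)."""
    return sorted(rid for rid, e in summary.items()
                  if e["rule"] is not None and e["benign_hits"] / e["hits"] >= threshold)


def unknown_rules(summary):
    """Rule ids seen in logs but absent from the configuration (configuration drift)."""
    return sorted(rid for rid, e in summary.items() if e["rule"] is None)


if __name__ == "__main__":
    s = link_to_rules(parse_logs(SAMPLE_LOGS), RULES, BENIGN_SOURCES)
    for rid, e in s.items():
        desc = e["rule"]["desc"] if e["rule"] else "<not in current config>"
        print(f"rule {rid}: {e['hits']} hits, {e['benign_hits']} from benign sources; {desc}")
    print("tuning candidates:", tuning_candidates(s))
    print("unknown rules:", unknown_rules(s))
```

On the constructed data, rule 2001 is flagged because three of its four hits come from the internal scanner, rule 104 is left alone because all of its hits are from an external source, and rule 9999 is reported as a rule the logs mention but the current configuration does not contain, which is exactly the kind of mismatch an analyst otherwise discovers only by logging into each device in turn.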

This type of systems approach transforms security from operating as separate siloed technologies in a reactive mode, with limited and static detection methods, to functioning as a coordinated, proactive threat defense system that adapts to the threat environment.

These systems provide numerous benefits: improved detection, greater event classification accuracy, lower operating costs, streamlined administration, and services extensibility that integrate the most advanced security technologies as they are developed. Most importantly, these converged systems will not compromise the quality of security in any given category, but instead combine the strength of each in complementary ways to deliver a tighter, coordinated defense.
