By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Transcription

1 THE NEXT (FRONT) TIER IN SECURITY When conventional security falls short, breach detection systems and other tier 2 technologies can bolster your network s defenses. By John Pirc THREAT HAS moved beyond signature-based firewalls and intrusion detection systems to include newer technologies that monitor content and communications. These tier 2 technologies are not included in security budgets, however, for many reasons. The primary one: These newer systems and services security intelligence, threat forecasting and modeling, breach detection systems, forensics do not fit into security strategies due to a myopic focus on conventional best practices or outdated regulatory compliance. Security at the highest level can be broken down to people, process and technology. The people and process requirements are going to be different depending on company revenue, industry vertical and geographic location. However, security technology, and threat detection, for the most part, has remained relatively consistent and static across most industry verticals with the inclusion of tier 1 security technologies. These technologies are considered the foundation of security best practices: firewalls, antivirus, intrusion detection/prevention systems, secure Web gateways, messaging security, VPNs and 24 INFORMATION SECURITY DECEMBER 2013

2 security information and event management. Tier 1 security technologies are fundamental to any security architecture, but we have been using them for 20 years and antivirus for almost 30 years. It s time to start adapting and embracing new technologies. (And what I mean by new technologies is not a known technology with next generation in front of the product category.) Frankly, we need now-generation technologies, and these network security appliances and services fall into tier 2. (The concepts of tier 1 and tier 2 security technologies were introduced in Blackhatonomics, a book I coauthored with Will Gragido, Daniel Molina and Nick Selby). These concepts illustrate a distinct paradigm shift within the security industry and, at the same time, address a fundamental misconception in security best practices. WHY MATTERS The threat landscape is dynamic and consistently adapting to new methods of exploitation. One of the largest gaps with tier 1 security technologies is their inability to stop unknown malware, or even notify you when you have been successfully breached. The common misconception of tier 1 security technologies is that the appliances and software claim coverage for malware, but the level of depth in coverage can be questionable depending on the security vendor. One security vendor, that will remain unnamed, claims zero-day coverage for hundreds of unknown vulnerabilities. If you carefully look at its filter set, you ll find that the majority of its zero-day filters are disabled by default. It s a great marketing spin to have zero-day coverage, but if it s not turned on by default, how is that helping you stay ahead of the threat and reducing your risk? Tier 1 security technologies are fundamental to any se curity architecture, but we have been using them for 20 years and antivirus for almost 30 years. It s time to start adapting and embracing new technologies. Most tier 1 security technologies protect you against known threats. A great example of this is Microsoft. The Windows behemoth releases security patches in the second week of every month on Microsoft Patch Tuesday. The great thing about Microsoft is that it collaborates with security vendors that are members of its Microsoft Active Protections Program. These vendors receive the vulnerability information shortly before it s released to the public. This gives the vendors time to create filters and signatures to identify a known vulnerability. The issue, however, is the ability to identify unknown 25 INFORMATION SECURITY DECEMBER 2013

3 malicious content in transit or on the asset being targeted. The next step is to determine if the attack was successful. Most tier 1 security technologies fall short in providing these much needed capabilities. Some tier 1 security devices such as intrusion prevention systems lack the ability to keep the state of a transaction, because they are performing multiple operations to validate if the data flowing through the IPS matches a particular filter/signature or pattern. Furthermore, some systems lack the ability to parse compound documents such as PDFs or Word documents that contain malware. Understanding and knowing about weaknesses contained in the products that are defending your corporate infrastructure will hopefully make you re-think your security strategy. Filling the gaps with tier 2 security technologies, like breach detection systems, is an excellent way to reduce your risk against the unknown. The key capability of BDS is that it is attack surface aware. BDS can detect the initial drop of a malicious file or the command and The issue, however, is the ability to identify unknown malicious content in transit or on the asset being tar geted. The next step is to determine if the attack was successful. BEFORE ENEMY THREATS BECOME REAL The key goal to any security strategy is reducing your overall risk. It s important to understand that there is no silver bullet in mitigating 100% of all threats. The Chinese military classic, The Art of War, is commonly quoted within the security community: If you know your enemies and know yourself, you will not be imperiled in a hundred battles We know the enemies well and their methods for evading detection. The know yourself part is somewhat lost in translation; most of us are focused on adding security countermeasures, which are not cookie cutter for every corporate infrastructure. control communication of an unknown piece of malware. These systems are deployed at the network perimeter as a network appliance or as software that is loaded on an end-point asset. They leverage multiple identification vectors such as IP address and domain reputation data, pattern matching, heuristics, flow monitoring, browser emulation, and operating system behavioral analysis at the network layer or host. Figure 1 (on the next page) illustrates the results of a vendor in our BDS testing earlier this year. It conveys the product s ability to identify two aspects of successful malware delivery through HTTP. 26 INFORMATION SECURITY DECEMBER 2013

4 [ FIGURE 1] HTTP Malware Detection Over Time (min.) Percent Detected It s important to understand there s always going to be a patient zero (first infected asset) with any piece of unknown malware. BDS allows you to identify the patient zero along with the corresponding intelligence to remediate other assets on your infrastructure that were infected by the initial detection of malware. This is absolutely a common defense in-depth approach, essentially layering additional security to close the gaps left open by other security technologies. However, defense in-depth is somewhat played out. Think of it as confidence in-depth utilizing now-generation technology (instead of next-generation products and services). My advice is that you start planning for the inclusion of enhanced threat detection offered by tier 2 27 INFORMATION SECURITY DECEMBER 2013

5 security technologies in your budget cycle. Start by doing a proof of concept and testing some tier 2 systems within your infrastructure. The threat detection technology, maturity and scalability of these systems will vary by vendor. Some areas to consider are whether the system requires network or endpoint deployments, or some combination. If it uses sandboxing, is the data sent to the cloud, and if so, can that functionality be turned off? Is the system able to detect pre-existing breaches as well as malware introduced through side channels? Even if a vendor makes these claims, it s important to verify that the technology works as advertised. At NSS Labs, we have thoroughly tested this technology and believe it offers a solid addition that is complimentary to existing security infrastructure. While adopting tier 2 security technologies within your existing security infrastructure is a solid approach to countering persistent and unknown threats, the cost is not trivial. These types of capital expenditure procurements need to be planned well in advance of the company s fiscal year budget cycle. JOHN PIRC is the research vice president at NSS Labs. A security intelligence and cybercrime expert, Pirc is the co-author of two books, Blackhatonomics: An Inside Look at the Economics of Cybercrime and Cyber Crime and Espionage. Prior to his role at NSS Labs, Pirc was the director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next generation security products. Follow 28 INFORMATION SECURITY DECEMBER 2013