I D C T E C H N O L O G Y S P O T L I G H T

Transcription

1 I D C T E C H N O L O G Y S P O T L I G H T T h e B u s i n e ss Value of Hyb r i d C l o u d - B a s e d C o m p r o m i s e I n t e l l i g e nce Monitoring and T h r e a t M i tigation February 2013 Adapted from Worldwide and U.S. Security Services Threat Intelligence Forecast by Christian A. Christiansen, Chris Liebert, Charles J. Kolodgy, IDC # Sponsored by Neustar Today, enterprises are finding themselves in a security "arms race" against sophisticated and ubiquitous cyberattackers. The "new normal" is that companies will be attacked over time, most likely resulting in a distributed denial of service (DDoS) or a network breach, or both. Existing security infrastructure can account for only what's already known; it doesn't address the constant parade of new threats in enterprise environments. These threats require actionable continuous monitoring using real-time threat intelligence and constantly evolving scenarios. In the current environment, cybercrime and cyberprivateers represent a serious threat to many enterprises. In addition, the speed of threats is increasing and modalities are becoming more complex. There are now millions of malware variations to defend against and hundreds of perpetrators of DDoS attacks. Given the complex nature of today's threats, enterprises can achieve a strategic advantage by employing a new layer of security that is services based. Cloud-based services are an important aspect of this approach to security and provide always-on monitoring without the added expense of buying and maintaining on-premise equipment. Early detection can help manage breach notification and remediation as well as eliminate the impact of DDoS attacks. This Technology Spotlight examines these trends and the role that Neustar's Protect solutions and NeuSentry service plays in this strategic market. Introduction Over the past few years, enterprise security has changed significantly. The "new normal" is that many companies have already been compromised, or shortly will be. This disconcerting reality challenges CSOs and CIOs to develop comprehensive threat detection, incident remediation, and forensic analysis strategies. However, existing "best practice" security infrastructure accounts for only what's already known; it doesn't address the constant parade of new threats being seen and experienced in enterprise environments. This accelerating challenge is amplified as attacks grow in complexity, intensifying attack damage and hindering swift mitigation. Responding to the "new normal" therefore requires actionable continuous monitoring, analysis against real-time threat intelligence, and constantly evolving incident management scenarios. Organizations should consider cloud-based approaches that protect their assets through a combination of integrated end-to-end solutions that are "always on," such as managed DNS routing and threat monitoring, detection, and alerting. To ensure optimal performance, organizations can conduct network assessments that include vulnerability assessment and penetration testing to define baselines and measure network health. IDC 1455

2 Trends and Challenges in Enterprise Security The security services threat intelligence market is made up of advanced security event monitoring and management technologies that incorporate a variety of threat-related information sources to develop predictive security. IDC forecasts that worldwide revenue for this market will grow from almost $200 million in 2009 to $905 million by 2014, a five-year CAGR of 35.5%. Defined as a competitive market by IDC, security services threat intelligence is made up of vendors that provide products, services, or professional services (or a combination of these) to meet enterprise demands for advanced persistent threat (APT) solutions and actionable advice. In the current environment, cybercrime and cyberprivateers (attackers who are state sponsored) represent a serious threat to many enterprises. Transnational criminal syndicates are well financed, well organized, and highly motivated by the value in intellectual property theft and industrial espionage. In addition, an increasing number of sophisticated cyberattacks have direct support from nation-states. As these trends continue, DDoS attacks are now often used as a distraction so that other more serious attacks can be made. Because DDoS attacks are cheap to pull off and often aided by the prevalence of social media, they can quickly overwhelm a company's Internet presence. Defending against DDoS attackers who utilize the strength of enterprise servers to cripple even the largest systems while harnessing malware to steal assets from their target has to be a prime objective for enterprise security. In addition, the speed of threats is increasing, and threats are becoming more and more complex. There are now millions of malware variations for enterprises to defend against. However, it is increasingly difficult for signature-based antimalware platforms such as IPS/IDS, AVNs, and firewalls to keep up with the rapid pace of change. As signature databases grow to handle the variants, these large databases can impact client and server performance as well as impair time to detection. Moreover, signatures work only for known vulnerabilities; they are largely useless against APTs because APTs comprise a complex mix of attack components, including zero-days. An attack can transpire over a period of several hours or take just a few minutes. Duration is relevant because, once compromised, the machine is "owned" by someone else. In addition, modern cyberattacks tend to be specifically targeted. One example might be targeting the VPN transaction and log-in credentials of a senior executive of R&D for a company developing top-secret defense equipment. Zero-day attacks in particular are becoming more frequent. A zero-day attack takes advantage of unknown vulnerabilities so that there is essentially no time for the security team to address and patch the vulnerability. The stealthy nature of zero-day attacks combined with APT complicates detection, mitigation, and remediation of compromises. The complexity of the most advanced cyberattacks requires a correlated approach to forensic evidence collection and analysis, both inside and outside the corporate enterprise. The Benefits of a Cloud-Based Approach to Security Monitoring and Attack Mitigation Given the dynamic and complex nature of today's security threats, enterprises can achieve a strategic advantage by employing a new layer of network security that is services based. Threat intelligence services grew out of security service providers' developing threat detection capabilities to address the challenge of detecting APTs and other attacks that are unknown, targeted, low and slow, and adaptive. Cloud-based services are an important aspect of asset protection and provide the versatility of being "always on" for threat monitoring and detection, but they are equally nimble as an "on-demand" solution in the event of a DDoS attack. Cloud-based DDoS scrubbing services can be activated at the moment of an attack, redirecting all site traffic to the cloud and returning only clean traffic to the site IDC

3 until mitigation is complete. This allows the business to continue to operate despite the size and intensity of any given attack. Cloud-based cybersecurity services provide always-on monitoring of an enterprise network, without requiring additional equipment. The legacy approach involves "gap filling" with device solutions. This is not a comprehensive strategy because only cloud-based solutions can provide visibility from the network edge out. IDC recommends that organizations looking at various available cloud-based services use a trusted third-party provider. Other important considerations include finding a provider that offers hybrid cloud-based services with appliances. The use of appliances provides the ability to see the actual compromised host within the network and capture 100% of communications and transactions. This approach can provide real-time notification of threats to sensitive intellectual property and compliance-oriented data such as HIPAA, SOX, and PII. Early detection helps manage breach detection, notification, and remediation. Accurate compromise detection quickens remediation, limits damages, and reduces post-incident costs. Ideally, a cloud-based threat intelligence solution offers many of the following components: DarkNet deployed globally and internal to a customer's network (device) DNS query and answer capture to provide data correlation Geolocation capabilities Enhanced NetFlow capture and analysis Policy-based deep packet inspection Network behavioral analysis URL and context-based Web monitoring and analysis Automated event-based triggers and alerts into a SIEM system A Web-based portal that provides real-time alert notification and a detailed alert narrative to assist in identification and remediation efforts Considering Neustar's Protect Solutions and NeuSentry Service NeuSentry was originally designed to help protect Neustar's network assets and grew as an extension of the SOC's and the security team's expertise in DDoS mitigation. Neustar's strategy is to ensure that threats are addressed in near real time. Neustar Protect includes a suite of products designed to provide a business with network insurance and continuity in the event of attack. It includes DNS delivery across Neustar's global 15-node anycast network and comprehensive network assessments including vulnerability assessment and penetration testing. On-demand cloud-based DDoS traffic scrubbing and mitigation are provided in the event of an attack. These capabilities are augmented by continuous monitoring, threat detection, and alerting with a specialized array of services now identified under the NeuSentry brand IDC 3

4 The Neustar Protect solution components include: Hardened DNS services designed to assure businesses that their Web site will be always available to customers via the global anycast network Comprehensive compromise intelligence profiling and alerting from the public side as well as the enterprise side of the network Professional services for vulnerability analysis and penetration testing to benchmark, assess, and improve network performance DDoS mitigation services available on demand to filter traffic and stop large attacks including Layer 3 events (This includes ICMP floods, SYN floods, UDP floods, Layer 7 attacks including botnets, DNS reflection attacks, and DNS/HTTP attacks that employ GET floods and POST floods.) Performance monitoring and traffic load balancing designed to ensure optimal Web site performance for end users even during times of peak traffic The NeuSentry suite of services is an externally hosted, cloud-based cybersecurity offering that requires no installation or changes to existing network infrastructure. The service is designed to identify compromised systems before serious damage occurs and then initiate mitigation via a full system recovery process. Part of the recovery process involves notifying ISPs of malicious IPs hosting illegitimate Web sites and updating internal filtering policies to block malicious IPs and threatening Web sites. It also is designed to ensure that critical corporate Internet traffic is routed to safe peering providers and that network vulnerabilities in the ecosystem of inter-networks are identified and resolved. An aspect of the service involves using in-house threat analysts who work to identify security events in an organization's risk profile. They identify likely signs, symptoms, and trace evidence that indicate a network has been, is, or will be compromised. These experts understand when a DDoS is more than just a one-time event and can provide customized, real-time compromise and threat intelligence delivered via NeuSentry's Web-based customer portal as well as mitigation of threat activities. On-demand analytical support with dedicated threat intelligence analysts is used to identify the severity of the threat and improve identification processes. Neustar also offers NeuSentry Advanced, a hardware-based threat monitoring capability where a server-grade appliance sits inside a customer's network at major points of ingress and egress. The device provides visibility into and identification of the actual compromised host within a network (e.g., PC, server, or any IP-enabled device). It also includes a management and configuration interface that allows for highly customized policy-based monitoring and filtering rules and correlation of all NeuSentry external threat intelligence against compromise monitoring behind the customer's firewall. The device ships preconfigured so that minimal installation effort is needed and requires no additional sensors or software to be installed inside the network. In addition to these features, the service also includes Advanced NetFlow capture and analysis, DNS query and answer capture, and Web-traffic filtering. Challenges IT security managers may, in some cases, be disinclined to experiment with new approaches given the fact that the pursuit of security solutions generally requires a conservative approach to resource utilization. Cloud-based services are also at a relatively early stage of the maturity cycle, so there may also be some hesitancy with respect to understanding the full implications and impacts of these services on existing IT configurations and operations. As with any newer market solution or approach, Neustar will need to engage in a well-considered educational effort to make the case to CIOs and CSOs and other IT security managers as they consider the company's offerings for possible implementation IDC

5 Conclusion Increasing in both sophistication and frequency, cyberthreats are rising to the challenge when enterprise security teams implement upgrades to their security arsenal. This iterative process means that enterprise CSOs and security teams must not only keep up with new attacks but also, to the extent possible, stay ahead of the curve. Initially, attackers focused on exploiting a vulnerability, but they are now finding other ways to misappropriate software. In parallel, the attack vectors now focus more on the application layer, including Web and mobile applications. The "new normal" is that if companies have not already been compromised, there is every reason to believe that in the near future they will be. An important option for responding to the "new normal" requires consideration of comprehensive protection solutions, including those that can continually assess network performance to deliver actionable compromise intelligence. Given the dynamic, complex nature of today's security threats, enterprises can achieve a strategic advantage by employing cloud-based security services that provide always-on monitoring of an enterprise network, without the added expense of buying and maintaining on-premise equipment. The Neustar Protect suite of services is an externally hosted, cloud-based approach to ensuring network and Web site performance. It does this by benchmarking and assessing network vulnerabilities and minimizing the disruption of DDoS attacks. The NeuSentry service is designed to identify compromised systems before serious damage occurs and then initiate mitigation for a full system recovery process. To the extent that Neustar can address the challenges described in this paper, IDC believes that the company's solutions are well positioned for success. A B O U T T H I S P U B L I C A T I ON This publication was produced by IDC Go-to-Market Services. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Go-to-Market Services makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee. C O P Y R I G H T A N D R E S T R I C T I O N S Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the GMS information line at or gms@idc.com. Translation and/or localization of this document requires an additional license from IDC. For more information on IDC, visit For more information on IDC GMS, visit Global Headquarters: 5 Speen Street Framingham, MA USA P F IDC 5