
Organizations turn to new techniques to fight financially motivated attacks


Most disturbing is the fact that many security experts believe that such breaches are occurring worldwide every day, completely unbeknownst to the victim organizations. These incidents are part of what some experts are calling a silent epidemic, with many rooted in organized crime syndicates focused on stealing valuable information in pursuit of the almighty buck. These criminals are acting in stark contrast to those who used more traditional — and more easily discovered — methods of attack.

To rally against these new threats, security professionals will need to change their modus operandi, says Amrit Williams, a long-time security analyst for Gartner who recently started as chief technology officer at BigFix, a configuration and patch management company.

"The change has really caused a shift in how organizations need to deal with security," he says. "The goal should be to limit the probability of attacks and limit the impact of those attacks when they occur."

Key to making this adjustment will be a paradigm shift among professionals who for so many years have been working in a reactive security environment, says Kishore Seshadri, vice president of product management at Mu Security.

"I think that reactivity is sort of ingrained as people are sort of used to dealing with emergencies, and they are staffed up to handle that," he says.

According to experts such as Williams and Seshadri, making the shift from a reactive security stance toward a proactive approach requires employing new techniques and tools, as well as relying on best practices within the information technology environment. This includes moving away from signature-based security technology toward behavior-based intrusion prevention, as well as monitoring network behavior more closely. It also means improving governance and policy enforcement, in addition to managing configuration and system changes to limit risks in the first place.

Signatures showing their wrinkles
A staple of the anti-virus vendors, signatures are no longer the darlings of security that they once were. Because they are only able to protect against known threats, they are extremely weak against zero-day attacks.

"If I were still at Gartner, I might have been as bold to say that anti-virus is no longer truly protecting the enterprise," Williams says, explaining that signatures are just not effective in protecting against the kind of cloaked threats that the financially motivated hackers are using these days.

Though most vendors in the intrusion prevention system (IPS) space also rely heavily on signatures to recognize known attacks, they have recognized the limitations of signatures and worked to develop technology that focuses on the anomalous behavior associated with malicious activity, rather than simply relying on signatures triggered by known threats.

A select few have even gone further, abandoning signatures altogether in favor of behavior analysis. For example, Huntsville, Ala.-based Arxceo has a solution that relies solely on behavior-based detection to prevent attacks — particularly focusing on the probing and scanning behavior that occurs before a major attack.

"We believe the best defense is to prevent that discovery and 'casing of the joint,'" says Chandler Hall, vice president of marketing for Arxceo. "All good burglars case the joint. We're seeing that happening most frequently now as attackers are being more targeted. They'd like to sneak in, grab something, and not let it be known that it happened months ago."

However, Arxceo may well be the exception to the rule. Experts and analysts warn users to look at how dependent the technology really is on behavior analysis because they say that most of these technologies still rely heavily on signatures.

"The interesting thing is that everybody says they do a little behavioral. Almost all IPS vendors out there say they do at least something on top of signatures. If I've got a 10-year-old worm still running around out there on a Windows 95 machine somewhere on the internet that keeps infecting devices, I can understand having a signature for that," Hall says. "But what I don't understand is if you are supposed to be really good at detecting a brand new zero-day attack based on anomalous behavior, why do you need signatures at all? Wouldn't a 10-year-old worm without the signature look like a new worm to that side of the engine? So I kind of question how good the anomaly engines are if they continue to rely on a massive database you have to cruise through for protection."

Network behavior analysis
Because of this continued reliance on signatures by the major IPS vendors, some experts have even gone so far as to say that these systems are not proactive solutions at all.

Some industry analysts say that even the most sophisticated signature- and behavior-based IPS solutions leave gaps in coverage. A growing trend to fill that gap is through the use of network behavior analysis (NBA).

"It became apparent after a little while that once you have malware on the network, already it is too late," says Chris Liebert, a senior analyst at Yankee Group. "And that is where network behavioral analysis comes in. The IDS/IPS is good if you are looking at traffic on that segment somewhere and it is a known signature. But you might be on the LAN somewhere and in front of an IPS and downloading and propagating some malware. The IPS may never know."

While IPS solutions monitor traffic coming in and out of the network, they are not able to keep track of anomalous behavior happening internally. NBA solutions give visibility into all of these events, helping to prevent not only worm outbreaks and zero-day abuse, but also more slippery activity such as employee abuse.
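As an added illustration (not from the article or any vendor's product), the sketch below shows the kind of check a network behavior analysis approach applies to internal traffic: it learns which peers each host normally contacts, then flags a host that suddenly reaches many new internal hosts on one port, without inspecting payloads or signatures. The `(source, destination, port)` flow format, the `10.0.0.0/8` internal range and the fan-out threshold are assumptions made for the example, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
FANOUT_LIMIT = 5                               # assumed: max new peers per port per window

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def learn_baseline(flows):
    """Record which (destination, port) pairs each source normally talks to."""
    baseline = defaultdict(set)
    for src, dst, dport in flows:
        baseline[src].add((dst, dport))
    return baseline

def find_anomalies(baseline, window):
    """Flag internal sources contacting many never-seen internal hosts on one port."""
    new_peers = defaultdict(set)      # (src, dport) -> new internal destinations
    for src, dst, dport in window:
        if not (is_internal(src) and is_internal(dst)):
            continue                  # only LAN-to-LAN traffic is examined here
        if (dst, dport) in baseline.get(src, ()):
            continue                  # matches learned behavior
        new_peers[(src, dport)].add(dst)
    return sorted(
        (src, dport, len(dsts))
        for (src, dport), dsts in new_peers.items()
        if len(dsts) > FANOUT_LIMIT
    )

# Constructed sample data (not real traffic).
BASELINE_FLOWS = [
    ("10.1.1.20", "10.1.0.5", 445),      # workstation -> file server
    ("10.1.1.20", "10.1.0.9", 53),       # workstation -> DNS
    ("10.1.1.21", "10.1.0.5", 445),
    ("10.1.1.21", "198.51.100.7", 443),  # outbound web
]
WINDOW_FLOWS = (
    [("10.1.1.20", "10.1.0.5", 445)]                              # normal
    + [("10.1.1.21", f"10.1.1.{h}", 445) for h in range(30, 42)]  # 12 new peers on 445
    + [("10.1.1.20", "10.1.1.77", 3389)]                          # one new peer, under limit
    + [("10.1.1.21", "203.0.113.9", 443)]                         # external, ignored here
)

if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    for src, dport, count in find_anomalies(baseline, WINDOW_FLOWS):
        print(f"{src} contacted {count} new internal hosts on port {dport}")
```
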

"What we have found in a large number of environments when we come in for the first time is that there are things that are going on in their networks that they don't have the slightest idea about," says Jason Anderson, vice president of engineering at Lancope, which produces an NBA product called StealthWatch.

Though NBA is still a fledgling niche, Gartner believes that rapid growth is imminent. The firm recently predicted the NBA market will grow 30 percent in 2007.

Baby-proofing the environment
Any good parent knows that the best way to keep their wards from danger is to remove them from dangerous situations. Experts believe that, similar to baby-proofing a house, locking down an environment through sound governance, consistent policy enforcement and risk management best practices is the most fundamental step toward developing a proactive security program. The idea is to reduce an organization's chances for compromises at the outset.

Governance and policy enforcement can help ensure that sloppiness, such as configuration errors and poor patch management, doesn't increase an organization's attack surface, says Williams of BigFix. Many widely exploited security holes can easily be closed by improving configuration management and timely application of available patches.

Additionally, organizations can best prevent attacks not by predicting the types of attacks, but by looking for the biggest weaknesses in the most critical assets and systems, says Brian Laing, CSO of RedSeal Systems, which develops enterprise security software.

"If I'm trying to secure an outside window in a storm, I can't predict all of the things that a storm can kick up and throw through the window. However, I do understand that the window can break and I do understand what it takes to protect that, and I do understand what happens if the window gets broken," he says. "So we don't have to understand each individual exploit, we don't have to understand each individual vulnerability. But through the ability to understand the outcome of these things being exploited and what services are actually exposed, we can use that."



  1. Document and implement key information security policies and standards. 
  2. Ensure employees — including administrators, managers and users — are aware of corporate security policies and emerging risks.
  3. Implement default deny configuration that exposes the minimum necessary devices and services required to support your business operations.
  4. Implement appropriate perimeter gateway and desktop defenses to safeguard legitimate email while blocking spam and viruses.
  5. Use a "least privilege" access control approach that gives users and applications only the minimum access necessary to ensure sensitive data remains confidential.
  6. Determine, prioritize and mitigate high severity vulnerabilities on critical systems to help prevent hackers from exploiting vulnerabilities.
  7. Update current anti-virus programs and password-protected terminals regularly.
  8. Implement conservative configuration of wireless access points to ensure your corporate network is not exposed.
  9. Assess and validate your implemented security controls on a regular basis.
  10. Ensure third-party partners, suppliers and vendors comply with your security requirements.

Source: Malcolm Palmer, director, product management, Cybertrust


Keeping tabs on data

Security professionals are not only trying to be proactive on the network level, but at the data level as well. Database security vendors are offering up more tools these days that allow IT security practitioners to enforce change controls and keep closer tabs on what is going on with the data. The idea, says Ron Ben-Natan, CTO of the database security company Guardium, is to flag potential problems and prevent long-term data theft or unauthorized manipulation.

"We're a little bit behind the curve," Ben-Natan says of the database security niche. "Things are getting better now. You see the information security people being much more aware of the database and taking responsibility of the database from the data security side — and you see the [database administrators] cooperating."

In addition to better awareness and cooperation, security professionals also have better tools on their side to define, and enforce, policies for data access, he says.

"When they didn't have any tools, that was impossible to do," he says. "Now that they have tools that understand the contextual access to the data that can generate a baseline to the data, they can start managing things by exception."
— Ericka Chickowski
