The era of providing complete protection by installing multiple best-of-breed security products has passed. Today's world of sophisticated malware, targeted threats and multi-stage attacks requires security that is smart, cross-linked and interoperable. Security must extend well beyond the traditional disparate defenses that form a broken safety net made up of point tools.
Let's look at the past year and discuss two cyberattacks that gained a lot of attention and made headlines around the world. Why were some of the targets in the attack protected, while others weren't? The answer lies in what I call “Global Threat Intelligence.”
On July 4th, 2009, a botnet was used in what's now known as one of the most serious distributed denial-of-service attacks in recent history. It was a day when many Americans were barbecuing and many security operations centers were thinly staffed.
The attackers designed a particularly nasty piece of malware that created a botnet of about 200,000 machines. Not only could the malware render a PC inoperable by deleting key files and overwriting the master boot record, but it had automatic update functionality as well.
Several U.S. government websites came under attack from the botnet. Most notably, the FTC, FAA and Treasury were hit, but the attack was not limited to these websites and would soon spread to both government and commercial websites in South Korea and the United States. We know that some of the target websites went down during the periods of attack. Some people associated the attacks with North Korea and called them an act of cyberwar.
So who was protected and why? One of the answers lies in understanding the reputation of the IP addresses in the botnet. The systems involved in these damaging attacks had provided clues that they were up to no good.
Before the systems were part of those damaging attacks, something else happened. The operators of the botnet used it for various nefarious activities. One of those was sending out spam. McAfee captured spam from the offending IP addresses, and the reputation of these addresses was downgraded within our Global Threat Intelligence system.
What's unique about this? Well, in this real-world attack scenario the enterprise firewall protected customers based on threat intelligence that was gathered earlier by the email security appliance. Two entirely different protection vectors shared threat intelligence through the cloud, and as a result a malicious attack was thwarted.
That's something that is only possible with a correlated defense, where different layers of defense talk to each other, share intelligence and provide predictive protection as a result.
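The mechanism the two paragraphs above describe, shown as an added example that is not McAfee's code and says nothing about how Global Threat Intelligence is actually built: a shared IP-reputation store in Python, with an email gateway writing spam verdicts into it and a firewall consulting it before admitting a source. The sensor names, penalty values, block threshold and IP addresses are all constructed assumptions; the scenario also compares the linked firewall with a siloed one that only sees its own evidence.

```python
"""Shared IP-reputation store feeding two defence layers (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

NEUTRAL = 50          # every IP starts here; higher means worse reputation
BLOCK_THRESHOLD = 80  # enforcement points drop traffic at or above this score

# Score penalty per observation type (constructed values for this example).
PENALTIES = {
    "spam_sent": 15,
    "malware_attachment": 30,
    "ddos_flood": 40,
}


@dataclass
class Observation:
    """One piece of evidence about an IP, tagged with the sensor that saw it."""
    sensor: str   # e.g. "email_gateway" or "firewall" (assumed names)
    ip: str
    kind: str     # key into PENALTIES


@dataclass
class ReputationStore:
    """The shared, cloud-side store: every sensor writes, every enforcer reads."""
    scores: Dict[str, int] = field(default_factory=dict)
    evidence: Dict[str, List[Observation]] = field(
        default_factory=lambda: defaultdict(list))

    def report(self, obs: Observation) -> int:
        """Record evidence, worsen the score, and return the new score."""
        penalty = PENALTIES[obs.kind]          # unknown kinds are a bug: fail loudly
        new_score = min(self.score(obs.ip) + penalty, 100)
        self.scores[obs.ip] = new_score
        self.evidence[obs.ip].append(obs)
        return new_score

    def score(self, ip: str) -> int:
        return self.scores.get(ip, NEUTRAL)

    def sensors_for(self, ip: str) -> List[str]:
        """Which products contributed evidence; useful when explaining a block."""
        return sorted({o.sensor for o in self.evidence.get(ip, [])})


class EmailGateway:
    """Mail security sensor: classifies messages and feeds verdicts to the store."""
    def __init__(self, store: ReputationStore):
        self.store = store

    def scan_message(self, src_ip: str, is_spam: bool, has_malware: bool) -> None:
        if is_spam:
            self.store.report(Observation("email_gateway", src_ip, "spam_sent"))
        if has_malware:
            self.store.report(Observation("email_gateway", src_ip, "malware_attachment"))


class Firewall:
    """Network enforcement point: consults the store before admitting a source."""
    def __init__(self, store: ReputationStore):
        self.store = store

    def decide(self, src_ip: str) -> str:
        return "drop" if self.store.score(src_ip) >= BLOCK_THRESHOLD else "allow"

    def report_flood(self, src_ip: str) -> None:
        """The firewall's own evidence flows back so the mail layer benefits too."""
        self.store.report(Observation("firewall", src_ip, "ddos_flood"))


def run_scenario() -> dict:
    """Replays the July 2009 pattern with constructed data: spam first, flood later."""
    shared = ReputationStore()
    gateway = EmailGateway(shared)
    fw_linked = Firewall(shared)             # firewall wired to the shared store
    fw_siloed = Firewall(ReputationStore())  # point product with only its own (empty) store

    spammer = "198.51.100.23"   # constructed address from the RFC 5737 documentation range
    one_off = "203.0.113.8"     # constructed: a single spam hit, not yet enough to block

    for _ in range(3):
        gateway.scan_message(spammer, is_spam=True, has_malware=False)
    gateway.scan_message(one_off, is_spam=True, has_malware=False)

    result = {
        "linked_verdict": fw_linked.decide(spammer),   # "drop": 50 + 3*15 = 95
        "siloed_verdict": fw_siloed.decide(spammer),   # "allow": no local evidence
        "one_off_verdict": fw_linked.decide(one_off),  # "allow": 65 < 80
        "spammer_score": shared.score(spammer),        # 95
        "contributing_sensors": shared.sensors_for(spammer),
    }
    # The firewall's own observation now pushes the score to the cap.
    fw_linked.report_flood(spammer)
    result["score_after_flood"] = shared.score(spammer)  # min(95 + 40, 100) = 100
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The siloed firewall allows the same source that the linked one drops, which is the protection gap the post is describing. A production store would add timestamps and score decay so stale spam evidence does not block a remediated host forever; both are left out here to keep the sharing mechanism visible.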
More recently, Operation Aurora was an attack designed to steal high-value intellectual property from Google and dozens of other companies. The world learned about Operation Aurora when Google published a blog saying it had been the subject of a sophisticated cyberattack and that various other companies had also been targeted.
The depth and scope of the attack expanded as the days and weeks passed. The attackers went after the high-value intellectual property of dozens of U.S.-based companies. It was a style of attack that we have seen before, but that previously had been targeted primarily at governments and defense contractors, not private organizations such as Google.
McAfee was on the front lines of investigating the attack and also in deploying protection. We were able to do groundbreaking research because the scope of our research covers the full spectrum of security.
For example, McAfee discovered that a previously unknown Internet Explorer vulnerability was exploited in the attack on Google and others. Within a day, the attack code that exploited the vulnerability in Internet Explorer became publicly available. This dramatically increased the risk to any IE user. Fortunately, help was available to shield companies against the attacks that used the exploit.
What have we learned from Operation Aurora and from the 4th of July attacks last year? The key is narrowing the protection gap. Traditionally, the protection gap has been up to a week, but with the Korean attack, for example, it is now possible to offer day-zero protection against certain attacks.
As an industry, we need to move beyond “defense-in-depth” to “intelligence-in-depth” by tying products together and sharing threat intelligence across them while providing real-time visibility through a security management platform.
So, what does Global Threat Intelligence mean and what should you as a customer look for in intelligence provided by a vendor? Threat Intelligence needs to be real time, reputation-based and interlocked.
This comes down to one thing: There is no point to security anymore. That's as in “point products.”
What is the implication of this? As I mentioned, “defense-in-depth” doesn't equal “intelligence-in-depth.” We need open security, connecting all vectors and also bringing in core partners, breaking the traditional silos. Only by doing so can enterprises achieve higher protection at a lower cost and move beyond the traditional disparate defenses that form a broken safety net made up of point tools.