IT security: It's time to change the game - and here's how

Summary: After several major security breaches, is there another way to do things?

TOPICS: Security, Malware

We do IT differently these days, with users bringing their own devices into our networks, with our apps in the cloud, and our users wirelessly connected — from anywhere at any time. But we still do security the same old ways, with firewalls as the mediaeval fortresses guarding the gates around our walled-city datacentres.

So how can we rethink the ways we protect our changing IT world? We've already started to understand that what's most important is the data and information we use, not the software, nor even our PCs and smartphones. We've started to encrypt data, at rest and in motion, and we're also ensuring our users and apps work with the least possible set of privileges.

But, as the news headlines show, it's not enough. With millions of us having to replace credit cards and deal with the fallout from recent major data losses, the failings of current security practices have been put in sharp relief. It's time to do something different, to move from detecting attacks and clearing up after them, to preventing those attacks in the first place.

In the shadow of those high-profile intrusions, I spent some time with Palo Alto Networks, to try to understand how the security company is going beyond the traditional firewall, and coming up with an alternate way of looking at security.

Detecting malware is a complex piece of the puzzle. It's no longer a matter of looking for malware signatures — for one thing, malware authors have long been able to create software that changes from download to download, and the targeted malware used by state actors and sophisticated cyber criminals is often designed to penetrate a specific network.

New malware that's never been analysed won't be blocked by conventional tools: someone must have been infected and lost data for that malware to be found, analysed and its signature added to the daily download of signature files. And while in many cases that someone is a honeypot system on some vendor's network, there's still a chance that that someone is you, and that it's your data that's been lost.

The risk may be small, but it's still a risk: and the higher profile you are, the higher the risk. Home PCs might well be safe with a traditional signature-based approach, but that's an approach that's risky for businesses running cloud services, or hosting APIs for their apps.

What's really important is understanding just how malware works. It turns out that while malware apps differ, the attack paths and methods they use are identical. To monitoring software, a buffer overflow or a SQL injection looks the same whichever piece of malware is carrying it; so instead of protecting the operating systems of modern network endpoints, we need to monitor the applications and services they're using, looking for the signatures of attacks, and blocking those attack paths rather than the malware. That's the approach taken by Israeli security company Cyvera, recently bought by Palo Alto.

By analysing the attack patterns of thousands of pieces of malware, Cyvera has been able to identify fewer than thirty actual attack techniques. It's then able to sit between your applications and those attacks, monitor for suspicious activity, and then block and report the code that's trying to penetrate your network.

If malware can't carry out its attack, whatever its underlying code might be, the focus shifts from detection to prevention. That's an important distinction, as it's an approach that, if implemented at OS level, would mean that Microsoft wouldn't have had to issue a patch for IE in Windows XP, as it would have been protected automatically.

Changing the way we think about protecting our networks from malware changes the game. It lets us focus on understanding the software engineering implications of malware, and allows us to harden the areas of our OSes and software that need hardening by using those common attack patterns as part of our software test procedures. However, we shouldn't become complacent.

Just because malware uses a set of common attack patterns doesn't mean that they're the only possible attack patterns: it's just that they're the easiest or most effective routes into someone's network. There are always going to be other ways in; just harder and more expensive. However, by continuing to analyse attack signatures it will still be easier to prevent attacks than to detect malware and then remediate its effects.
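The three preceding paragraphs make two claims that are easier to see in code: a per-sample signature misses every rewritten variant of the same attack, while a check for the attack technique itself catches them all; and the same small catalogue of techniques doubles as a test corpus for hardening application code. The following is an added example, not code from the article, Palo Alto Networks or Cyvera. The request lines, the hash "signature", the technique regexes, the `MAX_FIELD_LEN` cap and the `accept_username` validator are all constructed for this demonstration.

```python
import hashlib
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not real traffic). The three SQL injection
# variants carry the same attack technique in different bytes.
SAMPLE_REQUESTS = [
    "GET /login?user=alice",
    "GET /login?user=' OR 1=1 --",
    "GET /login?user=' oR '1'='1' --",          # same technique, re-spaced and re-cased
    "GET /login?user=%27%20OR%201%3D1%20--",    # same technique, URL-encoded
    "GET /search?q=" + "A" * 5000,              # oversized field, the shape of an overflow probe
    "GET /files?name=../../etc/passwd",         # path traversal
]

# Sample-based approach: a signature is the hash of one payload seen before (constructed).
KNOWN_BAD_HASHES = {hashlib.sha256(b"' OR 1=1 --").hexdigest()}

def signature_match(value: str) -> bool:
    """Matches only the exact bytes previously catalogued; any variant slips through."""
    return hashlib.sha256(value.encode()).hexdigest() in KNOWN_BAD_HASHES

# Technique-based approach: a short catalogue of attack paths, not of malware samples.
MAX_FIELD_LEN = 256   # assumed limit for a single query field
TECHNIQUES = {
    "sql-tautology": re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+'?", re.IGNORECASE),
    "sql-comment-terminator": re.compile(r"--\s*$|/\*"),
    "path-traversal": re.compile(r"\.\./|\.\.\\"),
}

def normalise(value: str) -> str:
    """Undo URL encoding so encoded and plain variants are judged on the same text."""
    return unquote_plus(value)

def classify(value: str) -> list:
    """Return the names of every attack technique the value exhibits (empty if none)."""
    v = normalise(value)
    hits = ["oversized-field"] if len(v) > MAX_FIELD_LEN else []
    hits += [name for name, rx in TECHNIQUES.items() if rx.search(v)]
    return hits

def parse_request(line: str):
    """Split a constructed 'METHOD /path?k=v' line into (path, {k: v})."""
    _method, _, target = line.partition(" ")
    path, _, query = target.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return path, params

def compare(line: str) -> dict:
    """Side by side: does the hash signature fire, and which techniques are seen?"""
    _, params = parse_request(line)
    return {k: {"signature": signature_match(v), "techniques": classify(v)}
            for k, v in params.items()}

# Using the technique catalogue as a test procedure for application code.
def accept_username(value: str) -> bool:
    """Hardened input check: an allow-list of characters and a length cap."""
    v = normalise(value)
    return len(v) <= 64 and re.fullmatch(r"[A-Za-z0-9_.-]+", v) is not None

def attack_corpus_test(validator) -> list:
    """Feed every technique-bearing sample to a validator; return those it wrongly accepted."""
    leaks = []
    for line in SAMPLE_REQUESTS:
        _, params = parse_request(line)
        for value in params.values():
            techniques = classify(value)
            if techniques and validator(value):
                leaks.append((value, techniques))
    return leaks

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line[:60], compare(line))
    print("validator leaks:", attack_corpus_test(accept_username))
```

Running it shows the hash signature firing on exactly one of the three injection variants while `classify` names the technique for all three, and `attack_corpus_test` returning an empty list for the allow-list validator (and five leaks for a validator that accepts everything). The regexes are deliberately small; a production technique catalogue would be larger and would normalise more encodings, but the point is that its entries describe attack paths, not samples.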

These are tools that can be used alongside next generation firewalls, monitoring for unusual network traffic and unknown applications. Bringing the two together turns security into a proactive, rather than reactive, technology, one that's much more in tune with modern IT and the rapid changes in how we work. They're also techniques that don't need to be associated with physical hardware, and can be implemented as part of the software control plane of a software defined network, or even as virtual machines in a virtualised infrastructure — as Palo Alto Networks is doing in conjunction with VMware.

It's a brave new world out there, and it's good to see that the security industry is thinking about how it needs to react, taking advantage of the same new tools and techniques we're using in our private, hybrid, and public clouds. Now it's up to us to think about how we can move to preventing attacks on our infrastructure, and keeping that vital data right where it belongs.

Simon Bisson

About Simon Bisson

Simon Bisson is a freelance technology journalist. He specialises in architecture and enterprise IT. He ran one of the UK's first national ISPs and moved to writing around the time of the collapse of the first dotcom boom. He still writes code.

  • How is this any different...

    than a good HIPS? Seems like this is already covered in any good blended defense. AV and AM solutions are just for cleanup after a zero day attack. In fact - as long as your users are running with limited rights, a good file cleaner is sufficient. Just run it when the HIPS goes off, and voila! No problems! However - you have to have all updates current as soon as they come out, and mitigate the ones that aren't patched yet. This applies to the applications as well as the operating system.
    • Make it right, think of possibilities, work around them, etc

      But then, we are often told "research for its own sake is not profitable". It depends on whom you ask...
  • Nope

    Humans make these things, so there are two issues not being discussed:

    1. human nature that humans have
    2. why humans make things

    Regarding point 2, humans make things increasingly to make money (short-term); any other reason seems to be secondary nowadays. That may or may not be the best or most logical thing TO do...

    Anyway, point 1 is far simpler: People make mistakes, accidents happen, as do oversights. Any new platform will have these issues. Whether the underlying reason revolves around an artificially constructed or imposed deadline of choice, forgetfulness, deliberate corner cutting, etc, is another debate completely.
  • A Lot of Good Points

    In my early days, everything concerned "ARMS":

    Availability: To whom and at what times MUST the application be available?
    Reliability: Do you get the correct results? Are there application errors?
    Maintainability: Do you run out of storage space? Do you need to index the data?
    Security: Are you even allowed to expose data and what are the costs if you accidentally do?

    Unfortunately, the "Business Need" (getting from point "A" to point "B" on schedule) has taken preference in the mind of many executives and businesses so such lofty concepts (including security) are last on the list.

    So, that leaves the consumer. The consumer goes into a business and presents his credit card. Another goes into a government office and must supply a social security number. Another goes into a doctor's office and thinks his new-found medical issues are just between him and his doctor. It is said that identity theft is the leading crime in, at least, America. How does that affect our consumers? The person with the credit card finds new credit cards have been created with his identity and large, expensive items have been bought with those cards. Someone else is collecting money from the government using the other consumer's credentials. Someone bought and sold a house in the name of another person. Someone was turned down for a job or insurance because they found out that the other person has a medical issue. And why did this happen? Because some agency or business decided to keep this information on a public cloud service that takes NO Responsibility for your privacy and allows/encourages their employees (without background checks) to read all of your stuff. Why not? They say they can do it in their terms of service. They say they can do it in their privacy policy and they say that they read all of your "stuff" somewhere on their website where they hope the user won't bother reading it. They have employees who think that the data they work with belongs to them personally and they take the data home with them on unencrypted devices that are easily lost or stolen. We had a laptop stolen by someone in the cleaning staff. It cost over $500,000.00 just in postage to notify the people whose data was compromised. Yet the same people who make these "mistakes" and are still continuing their patterns of convenience are the same people who, if they found out that their GMAIL account is being read by Google, would be up-in-arms and on the list to sue them because reading the Terms and Privacy policies would be "too difficult" for them.

    It's not the technology. It is the human user of the technology.
  • Cyvera uses legacy 10 year old behavioral blocking technology

    Cyvera's protection approach has been used by numerous vendors since 2006, such as McAfee's HIPS. Behavioral blocking misses many day zero attacks and can interfere with many business apps, as illustrated by their exception feature that allows users to exclude certain processes and applications from protection. In practice tuning any behavioral blocking product consumes huge amounts of time. If tuned to aggressively block attacks, too many benign programs break. If tuned to minimize disruption to production apps, malware is not effectively blocked. In addition, scalability and overall management approach are likely immature and not compatible with PAN's network security management products.
  • I don't agree with this one assertion.

    "It turns out that while malware apps differ, the attack paths and methods they use are identical."

    I don't agree with this one assertion.

    I'm sorry, I'd need actual evidence to believe this.
  • Smart enough to analyze, complex enough to exploit

    You're looking at entry methods that attack code surfaces, not SEing the user, but let's go along with this for a while.

    Wrapping surfaces in an extra layer of software that "watches" for exploit behavior isn't likely to work, though it may increase the cost of developing attacks.

    More to the point, if that layer is smart enough to catch "everything", it will be complex enough to contain exploitable defects. You may as well just say "why don't we just code properly, so our code doesn't contain exploitable defects?".

    Also, wherever there are alternate code paths, there may be differences that are exploitable. Let's take criteria for defining a valid archive or file encoding as an example; if your AV doesn't see material as a valid file and doesn't scan it, but a deeper surface does accept it as valid and "opens" it, you have the problem to which I refer.

    Encryption doesn't help if the malware is within the encryption bubble, and proof of user identity is meaningless if malware running within the user's session has all the rights of that user. Even the most "limited" user has rights to access "their own" data and hit the Internet (an inescapable need if relying on "the cloud") so there's not much hope with that model.

    Humans are themselves "smart enough to analyze, complex enough to exploit"; they have situational awareness that could potentially see them nixing UAC prompts and choosing not to click links and files "from someone they know", when the Turing Test fails to prove human intent behind malware-generated crud.

    But that can be exploited via Social Engineering, especially when we use auto-generated messages that are so easy to forge. An "Internet of things" won't make that any better.
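The comment above describes a scanner and a consumer disagreeing about what counts as a valid file, with the scanner waving through what it could not parse. The following added example (not code from the article or from the commenter) reproduces that disagreement on a constructed toy record format, then shows the defensive policy that closes it: fail closed when the scanning layer cannot parse the input, and hand the consumer the scanner's own parse rather than a second, more tolerant one. The format, the `MARKER` bytes and both blobs are constructed for the demo.

```python
import struct

MARKER = b"X-TEST-MARKER"   # constructed stand-in for content a scanner would flag

def build(records) -> bytes:
    """Serialise (name, payload) pairs into the toy format:
    1-byte name length, name, 2-byte big-endian payload length, payload."""
    out = bytearray()
    for name, payload in records:
        out += bytes([len(name)]) + name + struct.pack(">H", len(payload)) + payload
    return bytes(out)

def parse_strict(blob: bytes):
    """Scanner-side parser: every declared length must fit. Returns None on any inconsistency."""
    pos, records = 0, []
    while pos < len(blob):
        nlen = blob[pos]; pos += 1
        if pos + nlen + 2 > len(blob):
            return None
        name = blob[pos:pos + nlen]; pos += nlen
        (plen,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        if pos + plen > len(blob):
            return None
        records.append((name, blob[pos:pos + plen])); pos += plen
    return records

def parse_lenient(blob: bytes) -> list:
    """Consumer-side parser: tolerates a short final record by clamping to the bytes present."""
    pos, records = 0, []
    while pos < len(blob):
        nlen = blob[pos]; pos += 1
        name = blob[pos:pos + nlen]; pos += nlen
        if pos + 2 > len(blob):
            break
        (plen,) = struct.unpack(">H", blob[pos:pos + 2]); pos += 2
        records.append((name, blob[pos:pos + plen])); pos += plen   # slice clamps at EOF
    return records

def scan(records) -> bool:
    """Content check over parsed records: True when no payload carries the marker."""
    return not any(MARKER in payload for _, payload in records)

def deliver_fail_open(blob: bytes):
    """The flawed policy: 'not a valid archive' means 'nothing to scan', so the
    consumer opens it with its own, more tolerant parser, unscanned."""
    strict = parse_strict(blob)
    if strict is None:
        return parse_lenient(blob)
    return parse_lenient(blob) if scan(strict) else None

def deliver_fail_closed(blob: bytes):
    """The fix: reject anything the scanner cannot parse, and give the consumer
    exactly the records the scanner inspected."""
    strict = parse_strict(blob)
    if strict is None or not scan(strict):
        return None
    return strict

# Constructed inputs: a well-formed blob, and one whose last record declares
# 500 payload bytes but supplies only the marker.
GOOD_BLOB = build([(b"readme", b"hello"), (b"data", b"payload")])
TRUNCATED_BLOB = (build([(b"readme", b"hello")])
                  + bytes([5]) + b"extra" + struct.pack(">H", 500) + MARKER)

if __name__ == "__main__":
    for label, blob in (("good", GOOD_BLOB), ("truncated", TRUNCATED_BLOB)):
        print(label, "strict:", parse_strict(blob))
        print(label, "lenient:", parse_lenient(blob))
        print(label, "fail-open delivers:", deliver_fail_open(blob))
        print(label, "fail-closed delivers:", deliver_fail_closed(blob))
```

For the well-formed blob both policies deliver the same records. For the truncated blob the strict parser returns `None`, the lenient parser still yields a record containing the marker, and only `deliver_fail_closed` refuses it; that is the gap the commenter describes, and the one-parser, fail-closed rule is the general remedy regardless of file format.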