Firewalls and antivirus applications used to suffice. But when intrusions gained momentum, security staff began to get stretched and often has to work overtime to devise coding patches and hot fixes. And now that "zero-day exploit" is the name of the game, security experts struggle to devise ways to defuse malware and other nefarious intent before catastrophe strikes.
Enter early warning solutions. For a global enterprise with thousands of network devices serving millions of customers, such "security alarms" are now indispensible.
Are such alarm systems suitable for you? Here's a survey of the early warning solution market and how they can be effectively deployed.
Consider flow-based detection with zone-based policies
"Initially an intrusion-detection appliance, StealthWatch is designed to identify zero-day, unknown, and undocumented attacks by alerting network teams about 'not normal' network traffic," according to Chris Hovis, VP of marketing and business development at Lancope, Inc.
StealthWatch is a standard, rack-mount PC running a hardened Linux operating system that passively watches traffic on the network and rates the suspiciousness of new traffic by comparing it to recognized traffic. It can tell what is normal by gathering baseline statistics, then uses complex algorithms and network heuristics to rate suspicious events according to a concern index that shows how unusual or serious the event might be.
Hovis gave an example: "Say you have a Web server that you do not use for FTP, and one day that server starts to service FTP requests. StealthWatch will send an alarm to the administrator with a notice of an important change. In this example, the administrator may find that a hacker has compromised the server and is using it to distribute pirated software or music."
StealthWatch categorizes network traffic into "flows" to profile activity and detect nefarious behavior. It quickly identifies known or unknown attacks, internal misuse, or misconfigured network devices, regardless of packet encryption or fragmentation.
Along with flow-based network anomaly detection, StealthWatch offers zone-based security policies. Network administrators can configure groups of hosts, adapting them to the logical or hierarchical security structures and methodologies of the organization.
Close the gap between prediction and mitigation
According to Stan Quintana, VP of managed security services at AT&T, the premise behind any product/tool that offers analysis and protection are twofold. They are:
- How good and predictive the intelligence being gathered
- How quickly that information can be turned into a mitigation solution.
"The advantage of having predictive information lies in the ability to quickly turn this information into security rules that can mitigate the security event on a real-time basis," said Quintana.
More important, Quintana said, customers should also have systemic policy management practices in place so that the security infrastructure is current with the changing face of the risk environment. "In addition, having overall management and monitoring, and incident management capabilities, are critical to ensure that the security landscape is addressed on a holistic end-to-end basis," he advised. Don't forget the employee desktop
"As the effectiveness of network and perimeter security diminishes, hackers have begun to utilize the employee, which can be the weakest link in an organization's security infrastructure," according to Dan Hubbard, director of product and systems analysis at Websense. Therefore, any complete security strategy for organizations should include protection at the employee desktop level, he said.
Hubbard recommended the Websense Enterprise Client Policy Manager (CPM), an add-on module to the Websense Enterprise content filtering suite, which delivers zero-day protection against unknown security threats and prevents the execution of unauthorized applications.
For reporting, Hubbard proposed Websense Enterprise Explorer for CPM, an interactive, Web-based forensics and analytics tool that enables IT/business managers to quickly detect malicious activity such as spyware, Trojan horses, and hacking tools before antivirus signatures are available.
Understand your "threat-target" situation
When asked what tool to best deploy so that network administrators can be alerted long before an intrusion wreaks havoc on the system, Tim Keanini, CTO of nCircle, called attention to the two dimensions the question needs to address: the threat environment and the target environment.
"Both (environments) are very dynamic and the advantage is defined as your ability to have more accurate intelligence than your adversary," Keanini said.
"There are non-commercial ways to track the threat environment, such as security mailing lists, public Web-portals, and IRC (inter-relay chat), but these come at the cost of your and your staff's time. Commercial products like iDefense's iALERT deliver early warning to network administrators and managers of changes in the threat environment that 'may' affect them—new vulnerabilities, new exploits, new worms, and even geo-political events that may have relevance to an organization's IT infrastructure. I use the word 'may' because until the network administrator has intelligence about their own systems, they don't know if this intelligence is relevant."
Keanini added, "The target environment refers to the networking infrastructure you manage." The attackers look for targets to exploit, the scope of which is not just one particular operating system or application, but the weaknesses associated with all devices connected to the TCP/IP network and all its applications.
"If you know worms depend on vulnerabilities that facilitate remote code execution, where on your network right now does this class of vulnerability exist? Where are you misconfigured?" Keanini suggested using nCircle's IP360 to find the answers.
"The IP360 takes knowledge from the threat environment and then proactively checks for these weaknesses on your target environment, making them both relevant or not, as the case may be," said Keanini. The automation allows you to perform this due diligence on a daily basis, effectively measuring security independent of attack or incident, he said.
Keanini further emphasized the importance of proactive over reactive measures when deploying solutions that aim to beat intruders to the punch.
"The environment you secure is dynamic, so how can you know how much security is enough if you don't know the current state of your environment? Proactive security measures help organizations understand their environment and their risk on a daily basis so the 'right' amount of resources can be applied for protection. Detecting your vulnerabilities and managing the corrective measures prior to any incident or loss is what proactive security is all about."