SC Magazine’s Dan Kaplan’s on The Hypocrisy of the zero-day exploit trade shows that enterprises can no longer rely on signature-based Detection Controls to mitigate the risks of confidential data breaches resulting from compromised devices.
I am surely not saying that signature-based IPS/IDS controls are dead, as you do want to detect and block known threats. However, IPS/IDS’s are surely no longer sufficient. They must be complemented by a behavior analysis Detection Control (flow and DNS analysis) as part of a redesigned Defense-in-Depth architecture.
George Hulme highlights two technology trends which are increasing enterprise security risks – employee-owned smartphones and Web 2.0 applications including social networking.
Today, more than ever, employees are bucking efforts to be forced to work on stale and stodgy corporate notebooks, desktops or clunky, outdated mobile phones. They want to use the same trendy smart phones, tablets, or netbooks that they have at home for both play and work. And that, say security experts, poses a problem.
“If you prohibit access to the services people want to use for their jobs, they end up ignoring you and doing it from their own phone or netbook with their own data connection,” says Josh Corman, research director, security at the analyst firm 451 Group. “Workers are always going to find a way to share data and information more efficiently, and people will always embrace ways to do their job as effectively as possible.”
To control and mitigate the risks of using Web 2.0 applications and social networking, we’ve been recommending to and deploying for our clients Palo Alto Networks’ Next Generation Firewalls.
Palo Alto posted a well written response to Hulme’s article, Which is Riskier: Consumer Devices or the Applications in Use? Clearly, Palo Alto’s focus is on (1) controlling application usage, (2) providing intrusion detection/prevention for allowed applications, and (3) blocking the methods people have been using (remote access tools, external proxies, circumventors) to get around traditional network security solutions.
We have been big supporters of the thinking that the focus of information security must shift from protecting devices to protecting information. That is the core of the next generation defense-in-depth architecture we’ve assembled.
Corman agrees that the focus needs to shift from protecting devices to protecting data. “Security managers need to focus on the things they can control. And if they can control the computation platforms, and the entry and exit points of the network, they can control the access to sensitive data, regardless of who is trying to access it,” he says. Corman advises enterprises to deploy, or increase their focus on, technologies that help to control data access: file and folder encryption, enterprise digital rights management, role-based access control, and network segmentation.
Having said that, we are currently investigating a variety of new solutions directly aimed at bringing smartphones under enterprise control, at least for the enterprise applications and data portion of smartphone usage.
Brian Krebs highlights Nart Villeneuve’s detailed analysis of Koobface. This is the most detailed analysis I’ve read about how one type of botnet thrives.
The entrée point for Koobface is almost irresistible: a link sent from a fake “friend” prompting a visit to a video site that purportedly reveals the recipient captured naked from a hidden web cam. Who wouldn’t follow that link? But for the hapless recipient, that one click leads down a Kafka-esque rabbit hole of viruses and Trojan horses, and straight into the tentacles of the Koobface network.
In a sense, Koobface, while malware, is the opposite of Zeus because the value per illicit transaction is very low, while Zeus’s transaction value is very high.
The operators of Koobface have been able to successfully monetize their operations. Through the use of payper-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.
Without a victim, particularly a complainant, it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask: what’s the crime? Prosecutors ask: what or whom am I supposed to prosecute? In the case of Koobface, it is almost as if the system were purposefully designed to fall between the cracks of both questions.
New preventive and detective controls are needed to combat this new generation of malware. Think about this:
A recent study by Bell Canada suggested that CA$100 billion out of $174 billion of revenue transiting Canada’s telecommunications infrastructure is “at risk.” The same operator measured over 80,000 “zero day” attacks per day targeting computers on its network — meaning, attacks that are so new the security companies have yet to
register them.
Preventive network security controls must include (1) next generation firewalls which combine application-level traffic classification and policy management with intrusion prevention, and (2) 0-day malware prevention which is highly accurate and has a low false positive rate.
Detective controls must include (1) a Log/SIEM solution which uses extensive contextual information to generate actionable intelligence , and (2) a cloud-based botnet detection service which can alert you to compromised devices on your network.
Our testing shows we’re spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?
Greg Shipley has written an excellent article about the state of information security. The hard copy version in this week’s InformationWeek magazine sums up the situation – “Epic Fail.”
…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.
Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.
Greg points out what we’ve been saying for the last three years:
…sometime in the last few years a number of our key security technology controls crossed that threshold and ceased to be effective, yet as an industry we have yet to adjust. We’re pouring billions of dollars–literally–into security products that are gaining us very little. We don’t retire anything but rather pile on more layers, leading to increased complexity, expense, and exposure.
One of the big three security technology controls Greg calls out is firewalls. I would be more specific and say “stateful inspection” firewalls. These have been the staple of network security for 15 years. But Web 2.0 applications and social networking breeze right by the stateful inspection firewall. In fact, the stateful inspection firewall provides practically no control or protection at all.
Fortunately, we have begun to see the rise of what Gartner calls the Next Generation Firewall as exemplified by Palo Alto Networks. NextGen Firewalls are application aware and more importantly enable you to build policies based on applications and users rather than ports, protocols, and IP addresses.
Greg’s four recommendations are:
1) Start spending money on controls that are more in line with threats. This is in fact why Cymbel has embraced (and enhanced) the SANS 20 Critical Security Controls for Effective Cyber Defense. Controls were selected based knowledge of exploits. For example, Controls #1 and #2 are about Discovery of network assets and the software running on them. Unknown and/or unmanaged devices will thwart a patch management program every time.
2) Adjust assumptions and put to rest some age-old debates. For example the insider vs. outsider debate. Due to what we call the ‘inside-out” attack vector, the outside attacker becomes an insider once the attacker steals the insider’s credentials. We discuss this in more detail in the Threats section of the Five Forces of Change. This is why internal network segmentation based on application and user policies has become critical.
3) Stop rewarding ineffectiveness and start rewarding innovation. Here Greg repeats his observations about the ineffectiveness of (stateful inspection) firewalls and antivirus. It is for this reason that we developed our Next Generation Defense-in-Depth architecture, which features real, proven, innovative solutions which mitigate these new threats. Another good example is FireEye, which prevents 0-day and unknown malware attacks using heuristics plus virtual sandboxes to test suspicious code. The virtual sandbox capability practically eliminates false positives, the bane of heuristics-based intrusion prevention systems.