Modern solutions for modern threats
The two biggest drivers behind the evolution of cybercrime are the growing sophistication and organization of the criminals, and the migration of computing into the cloud. The former is typified by a criminal structure that mirrors legitimate commerce, with freelance specialists, business organizers, markets and sales structures; and is capable of delivering subtle, complex, disguised and persistent attacks. Traditional security technologies, although still necessary, are no longer sufficient.
The latter is changing the nature of computing. Where once we stored data on our own servers accessible solely via the desktop computers in our own offices, now we don’t even know where that data is stored. How do we protect something when we don’t know where it is nor who is able to access it? Traditional perimeter barrier defences will not work when there is no tangible perimeter.
We are on the cusp of this new cloud computing; today we run a mix of traditional and cloud, so we need technologies for both the old and the new. We still need the traditional barrier defences: anti-malware software, firewalls, and content scanners at the perimeter. But they are no longer enough. Criminals have become expert at finding new and unknown vulnerabilities that they can exploit, and at staying under the radar of computing’s traditional defences.
And that’s the problem: if the perimeter barrier is breached, modern malware is adept at hiding itself inside the network. A new breed of technology is required, designed not simply to block at the perimeter, but to discover on the network. One solution is SIEM (security information and event management), a technology designed to collate, correlate and act on the information generated by otherwise disparate defences. Mel Shakir, CTO of SIEM company NitroSecurity, gives an example. “We work with a major life insurance company that had three separate departments independently monitoring their firewalls, database activity and applications,” he explained. “This made it difficult to see the big picture and determine which behaviors were symptoms of a larger threat. Now the security team has a single, integrated view via their NitroView SIEM, allowing quick detection and immediate reaction to new potential threats.”
But if a completely unknown or zero-day attack is being used, traditional technologies have no way of recognising it: SIEM might give clues, but possibly not enough information. This has led to a new generation of products that detect anomalous behaviour rather than known malicious code. One such is FireEye. CTO Ashar Aziz explained that his product “is able to discover, in real-time, malicious activity independent of whether it is coming from a known or unknown location on the web; and we’re able to provide very granular descriptors of that activity in terms of the protocols that are used to infect, and the protocols that are used to communicate back to the cybercrime command and control servers.” That sort of information not only pinpoints hitherto unknown malware; it also allows the malware to be eliminated, and gives law enforcement agencies a trail back to the source of the attack.
Another example comes from Guidance Software. Frank Coggrave, General Manager EMEA, explains the methodology: “We use various techniques to locate hidden malware. One is a whitelisting technique. We say these are all the good things I know I should have. By scanning the network and seeing what shouldn’t be there, we can discover the bad things. Another method is to monitor the network traffic. If any particular node is doing more than it should, or is communicating via a port that it shouldn’t use, then we know there’s a problem. Some of this information comes from collaborating with other products, with specialist SIEMs and whitelisting products; some we do ourselves. But having recognised a problem and having pinned it to a particular machine, we then go into that machine underneath the operating system to find out what’s really going on. Zero-days have no hiding place. We know it’s there by anomalous behaviour; and then we use deep forensic analysis to locate and eliminate the threat.”
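The whitelist-plus-anomaly approach Coggrave describes, as an added Python example (not Guidance Software’s product or code) run over a constructed host inventory and constructed flow records; the hostnames, processes, ports and byte limits are hypothetical values chosen for the example:

```python
# Constructed baseline of known-good state per host (hostnames, ports and
# limits are hypothetical values for this example).
BASELINE = {
    "db01":  {"processes": {"sshd", "postgres"}, "listen": {22, 5432},
              "egress": {53, 443}, "max_out_bytes": 10_000},
    "web01": {"processes": {"sshd", "nginx", "php-fpm"}, "listen": {22, 80, 443},
              "egress": {53, 443, 5432}, "max_out_bytes": 1_000_000},
}

# Constructed endpoint inventory: processes actually observed on each host.
INVENTORY = {
    "db01":  {"sshd", "postgres", "update_helper"},   # one binary not on the list
    "web01": {"sshd", "nginx", "php-fpm"},
}

# Constructed flow records: host direction local_port remote_ip remote_port bytes
FLOWS = """\
db01 in 5432 10.0.0.5 44321 800
db01 out 49152 198.51.100.7 6667 20480
web01 out 49200 203.0.113.10 443 1200
web01 in 8080 10.0.0.9 53000 300
"""

def unexpected_processes(baseline=BASELINE, inventory=INVENTORY):
    """Whitelisting: report anything observed that is not on the known-good list."""
    return {host: sorted(seen - baseline[host]["processes"])
            for host, seen in inventory.items() if seen - baseline[host]["processes"]}

def parse_flows(text=FLOWS):
    """Parse the space-separated flow records into tuples."""
    rows = []
    for line in text.splitlines():
        host, direction, lport, rip, rport, nbytes = line.split()
        rows.append((host, direction, int(lport), rip, int(rport), int(nbytes)))
    return rows

def port_anomalies(baseline=BASELINE, flows=None):
    """Flag a node accepting on, or connecting out to, a port it should not use."""
    hits = []
    for host, direction, lport, rip, rport, nbytes in flows or parse_flows():
        allowed = baseline[host]["listen"] if direction == "in" else baseline[host]["egress"]
        port = lport if direction == "in" else rport
        if port not in allowed:
            hits.append((host, direction, port, rip))
    return hits

def volume_anomalies(baseline=BASELINE, flows=None):
    """Flag a node sending more data than its baseline allows."""
    out_bytes = {}
    for host, direction, _, _, _, nbytes in flows or parse_flows():
        if direction == "out":
            out_bytes[host] = out_bytes.get(host, 0) + nbytes
    return sorted(h for h, b in out_bytes.items() if b > baseline[h]["max_out_bytes"])
```

Each hit names a specific machine, which is the hand-off point to the host-level forensic analysis the quote goes on to describe.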
But apart from new protection technologies for traditional computing, the evolving cloud paradigm also makes us rethink our security strategy. Ed Macnair, CEO of user activity company Overtis, believes that “if we can’t defend the data in the cloud, maybe we should take more effort on controlling the activity of people who can access that data.”
Another defence for data held in the cloud is encryption – it doesn’t matter who can access it if only authorised and authenticated people can read it. There are strong arguments for introducing these technologies into our cloud protections. But we should consider one further point. The security threats to the cloud are the same security threats we have always faced; just from a different perspective. If user activity management and encryption are valid for cloud security, they are just as valid for traditional computing.