The way forward for monitoring and inspection

Opinion by Ash Patel

A recent revolution in IT security has been the use of high levels of automation when analysing data transmissions for malware, hacks and other attack vectors.

A recent revolution in IT security has been the use of high levels of automation when analysing data transmissions for malware, hacks and other attack vectors.

Some vendors have moved away from pure deep level packet analysis – owing to the enormous processor load that real-time analysis of an IP data stream now takes – in favour of analysing the credentials of the user on a given IP address and what applications they are running.

This approach is an interesting diversification from traditional IDS/IPS technology in that a degree of heuristic analysis is required to monitor the user's applications, before a decision on whether to allow IP access can be made.

This is where it gets interesting. In order to better defend against the rising tide of multi-vectored and hybrid security threats, there needs to be a concerted effort to improve the security of IT systems and software, as well as the architecture that supports these defences.

Our view at Stonesoft is that there is a clear and present need to define measurable security controls, along with the automated monitoring and reporting of incidents.

In particular, our research into the advanced evasion techniques (AETs) with which cyber criminals are now imbuing their malware suggests that organisations need to develop a well-thought-out set of incident response actions. When properly carried out, this approach can not only decrease the marginal costs of security by reducing the damage that the insecurity causes, but can also help to reduce the fixed costs as well.

This automated approach of monitoring users and the applications they are running is essential because of the rising volume of traffic that now flows across Port 80, the IP port normally assigned to HTTP traffic.

If you allow Port 80 through – and this is a given for almost every organisation – then you also allow all sorts of pseudo traffic along with the regular web page calls. If the deep level packet inspection process is a serious resource hog, what are the options for the hard-pressed IT security manager and his team?

I believe that the solution is to monitor which applications are open on the machines; coupled with pattern analysis on the data stream(s) that require monitoring, this considerably eases the automated detective work required to quantify the risk posed by a given segment of code traversing the network boundary.

This 'light touch' approach to what the data represents can be extraordinarily useful in defending against the growing problem of legacy security threats. Those threats are a potential headache for all IT security vendors as, with tens of thousands of new malware samples arriving in vendors' R&D labs every week, there is a tendency to focus the attentions of security analysis on the latest threats.

This means that if a talented hacker revisits an older malware threat and modifies the attack methodology and payload, there is a risk that conventional IT security defences may not spot this 'new-old' threat the first time the platform encounters the data stream.

The situation is compounded by most corporates' sizeable minority of computers that are not fully patched and/or up to date on the operating system front. If the software on these machines is at the end of its life, then no amount of patching will remediate the fact that they are insecure against at least some attack vectors.

Traditional IPS security is designed to operate on two levels: firstly, to block known attack vectors; and secondly, to raise the alarm if it sees any attacks spreading inside the protected network environment.

With AET attacks, not only do the attacks bypass the IPS platform, but they do so silently and unnoticed. It is my contention that IPS vendors need to smell the coffee when it comes to AET attacks, and it is important for vendors and their clients to understand that if an attack sneaks past the IT security defences of an organisation, it negates the reason for having the defences in the first place.

Developing a cost-effective IT security strategy is more about applying your existing resources more efficiently. Before an IT manager goes down this path, there is a need for a comprehensive risk analysis and the classification of the organisation's data, before he sets about reducing its risk profile.

Only when these two processes are complete should the competent IT security manager start the planning stages of a multi-layered IT security process. This planning process is not as daunting as it might first appear because, just like packet analysis, it can be broken down into a number of simpler stages, which should be reviewed against the backdrop of the need for a cost analysis to be performed.

This is an important facet of modern security planning which many security professionals overlook, since they perceive costing issues to be a financial issue, rather than an IT one. Unfortunately, this means there is a risk of a financial professional making a decision which would be much better made by an IT professional – it overlooks the need for a teamwork approach to the development of more effective IT security strategies and planning processes.

We believe planning is everything when it comes to tackling the problem of an increasingly hybrid flow of hacker and cyber criminal attacks against corporates. This is particularly important if organisations of all sizes are going to raise their security game and so better defend against the problem of attacks that use advanced evasion techniques to subvert existing IT security defences.

Ash Patel, country manager for UK & Ireland at Stonesoft


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events