This article can also be found in the Premium Editorial Download "Information Security magazine: Closing the gap: How to decide when (and if) to patch vulnerabilities."
Download it now to read this article plus other related content.
In the security world, we throw buzzwords around like candy at a Halloween party. Anytime a catch phrase gets traction, it seems that every vendor makes a pitch that its product is "unique" or "first" in the new category.
It would be easy to simply write off these categories -- except that sometimes vendors actually have a new solution.
Enter "antiworm" or "worm containment" solutions. They promise new prevention and detection techniques that reduce or eliminate propagating worms and protect networks by weeding out bad traffic.
The first set of solutions is based on anomaly detection, which identifies malicious code based on deviations from known, acceptable traffic patterns. Solutions from Mazu Networks, Arbor Networks, Lancope and Q1 Labs can quickly identify anomalous activity because most worms will spew out traffic and attempt to connect to other hosts. These solutions don't rely upon static signatures or rules, but will kick off an alarm when they see a traffic spike.
Next are those solutions that automatically isolate compromised hosts to contain the worm. Worm propagation often involves random scanning, producing anomalies in network traffic and unfulfilled ARP requests. Silicon Defense, Mirage Networks and Check Point Software Technologies have offerings that isolate hosts or network segments when they detect those indicators.
Here's a perfect a containment strategy scenario: Blaster tore into networks that had an unpatched vulnerability for the RPC service on port 135. Networks running internal anomaly detection could have recognized Blaster spewing tons of traffic and randomly trying to connect to other internal and external machines. The imposed isolation would keep worms from spreading.
Companies like Mirage and ForeScout are taking the containment idea a step further with products that redirect worm traffic to a quarantine area that's similar to a honeypot. Any traffic coming from the honeypot is presumably hostile. The trap buys time for isolating the worm and keeping systems online.
These techniques protect networks, but there's no corresponding solution for hosts -- particularly mobile computers. However, Hewlett-Packard is developing a similar a host-based solution that monitors and manages outbound traffic. The HP software will throttle or choke traffic that significantly impacts large numbers of connections (a worm trait), without affecting legitimate activity. With a Blaster attack, the software would queue suspect traffic for transmission later.
Protection against multithreaded attacks while allowing unimpeded flow of legitimate traffic requires more than conventional, signature-based solutions. It requires purpose-built tools. Are these antiworm solutions "the real deal"? Like any layer in a defense-in-depth scheme, they could certainly help.
About the author:
Pete Lindstrom, CISSP, is a research director at Spire Security.