Advanced malware has increased the need for organizations to expand their security best practices to include tier-two security technologies. There are many tier-two security technologies; the value of a breach detection system (BDS), which serves as a complementary technology to tier-one security tools, is its ability to detect malware. Specifically, breach detection is able to identify both the initial presence of malware in transit to your corporate asset and the results after it has infected your system or network.
BDS deployment models
Breach detection deployment models are similar to those of intrusion detection and intrusion prevention systems; depending on which vendor you select, they include the following:
- Out-of-band deployments that use port spanning on a switch or network tap that mirrors the data to the BDS;
- In-line deployments identical to those of network intrusion prevention systems; and
- Endpoint deployments that use a client installed on every corporate asset.
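As an added illustration of the out-of-band model (not part of the original article), the following is a switch-side configuration in Cisco IOS syntax that mirrors all traffic on an uplink port to the port where a BDS sensor is attached. The interface names are assumptions for the example; the session number and directions are arbitrary.

```text
! Constructed example: mirror the Internet-facing uplink to the BDS sensor port.
! Source: the uplink that carries user traffic to and from the Internet.
! "both" mirrors ingress and egress, so the sensor sees the request and the
! response (e.g. the download that delivers the malware).
monitor session 1 source interface GigabitEthernet1/0/1 both
! Destination: the access port the BDS sensor's capture interface is plugged into.
monitor session 1 destination interface GigabitEthernet1/0/24
```

Because the sensor only receives a copy of the traffic, it can alert on what it sees but cannot block it; that is the trade-off against the in-line model, which sits in the forwarding path and can drop a session at the cost of becoming a potential point of failure or latency. When sizing the mirror, also confirm the destination port has enough bandwidth to carry the sum of both directions of the source port, or the switch will silently drop mirrored frames and the BDS will miss traffic.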
There are pros and cons to each of these deployment scenarios. Which one fits is entirely dependent on knowing your attack surface, network architecture, industry vertical and the data privacy laws that govern the countries in which you physically hold data. The last point on data privacy laws is important, because some of the vendors require data collected from your network to be sent to their cloud infrastructure. Although this is not a technical question, you need to ask the vendor whether it processes the analytics on your premises or sends the data back to its cloud for post-processing.
The advantage of post-processing in the vendor's cloud is that it uses massively parallel processing and scales resources on demand, transparently to you. Other vendors, however, are able to provide this same level of analysis on your premises. At the end of the day, whether the processing is done on your premises or in a vendor's cloud, both deployment models will inevitably arrive at the same answer: the identification of known malware based on previously seen samples, or of something entirely new.
Understanding your attack surface
Knowing and understanding your attack surface is the most important aspect of defending your corporate infrastructure. BDS is highly successful if it understands your operating systems and approved applications, specifically those applications that touch the Internet, as this is the main vector that the adversary uses for exploitation. This is a very important task, as you need to defend against what's relevant to your operating environment.
The ultimate pathway into your infrastructure is through the users that operate within it, both on-premises employees and those who are remote. It's important to disable split tunneling for VPN users who are remote; otherwise, remote users' Internet traffic bypasses the corporate network where the BDS is watching, and the investment you make to detect malware will be useless for remote workers. If disabling split tunneling is not possible, I suggest you look into vendors that offer an endpoint BDS client.
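To make the split-tunneling point concrete, here is an added example (not from the original article or any vendor) in OpenVPN server configuration syntax. It shows the weak, split-tunnel setting beside the corrected full-tunnel setting. The address ranges and DNS server are assumptions constructed for the example.

```conf
# Constructed example: OpenVPN server.conf fragments for remote users.
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0        # VPN client address pool (assumed)

# --- WEAK: split tunnel ---
# Only the corporate subnet is routed through the VPN. Everything else,
# including web browsing and downloads, leaves the client directly to the
# Internet and never passes the corporate BDS sensor.
# push "route 10.0.0.0 255.255.0.0"

# --- CORRECTED: full tunnel ---
# Redirect the client's default route through the VPN, so all Internet-bound
# traffic is inspected by the same tier-one and tier-two controls as on-site users.
push "redirect-gateway def1"
# Push the corporate resolver so DNS queries also traverse the tunnel.
push "dhcp-option DNS 10.0.0.53"
# Windows clients only: stop them from using local resolvers alongside the VPN DNS.
push "block-outside-dns"
```

A quick check on a connected Linux client is `ip route get 1.1.1.1` (or any Internet address): with the corrected configuration the route should leave via the tun interface rather than the local LAN gateway. If it does not, the client is still split-tunneled and the BDS on the corporate edge sees none of that user's Internet traffic, which is the case where an endpoint BDS client is the fallback.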
This primer should get you started in selecting the right BDS and give you insight into the threats that are applicable to your organization.
John Pirc is the research vice president at NSS Labs Inc. A security intelligence and cybercrime expert, Pirc is the co-author of two books, Blackhatonomics: An Inside Look at the Economics of Cybercrime and Cyber Crime and Espionage. Prior to his role at NSS Labs, Pirc was the director of security intelligence at HP Enterprise Security Products, where he led the strategy for next-generation security products. Follow him @jopirc.