Published: 02 Dec 2013
Threat detection has moved beyond signature-based firewalls and intrusion detection systems to include newer technologies that monitor content and communications. These tier-two technologies are not included in security budgets, however, for many reasons. The primary one: These newer systems and services -- security intelligence, threat forecasting and modeling, breach detection systems, forensics -- are excluded due to a myopic focus on conventional best practices or outdated regulatory compliance.
Security at the highest level can be broken down to people, process and technology. The people and process requirements are going to be different depending on company revenue, industry vertical and geographic location. However, security technology and threat detection, for the most part, have remained relatively consistent and static across most industry verticals, with the inclusion of tier-one security technologies. These technologies are considered the foundation of security best practices: firewalls, antivirus, intrusion detection/prevention systems, secure Web gateways, messaging security, VPNs and security information and event management.
Tier-one security technologies are fundamental to any security architecture, but we have been using them for 20 years -- and antivirus for almost 30 years. It's time to start adapting and embracing new technologies. (And what I mean by new technologies is not a known technology with "next-generation" in front of the product category.)
Frankly, we need "now-generation" technologies, and these network security appliances and services fall into tier two. (The concepts of tier one and tier two security technologies were introduced in Blackhatonomics, a book I coauthored with Will Gragido, Daniel Molina and Nick Selby). These concepts illustrate a distinct paradigm shift within the security industry and, at the same time, address a fundamental misconception in security best practices.
Why enhanced threat detection matters
The threat landscape is dynamic and consistently adapting to new methods of exploitation. One of the largest gaps with tier-one security technologies is their inability to stop unknown malware, or even notify you when you have been successfully breached.
The common misconception regarding tier-one security technologies is that the appliances and software claim coverage for malware, but the level of depth in coverage can be questionable depending on the security vendor. One security vendor that will remain unnamed claims zero-day coverage for hundreds of unknown vulnerabilities. If you carefully look at its filter set, you'll find that the majority of its zero-day filters are disabled by default. It's a great marketing spin to have zero-day coverage, but if it's not turned on by default, how is that helping you stay ahead of the threat and reducing your risk?
Most tier-one security technologies protect you against known threats. A great example of this is Microsoft. The Windows behemoth releases security patches in the second week of every month on Microsoft "Patch Tuesday." The great thing about Microsoft is that it collaborates with security vendors that are members of its Microsoft Active Protections Program. These vendors receive the vulnerability information shortly before it's released to the public. This gives the vendors time to create filters and signatures to identify a known vulnerability.
The issue, however, is the ability to identify unknown malicious content in transit or on the asset being targeted. The next step is to determine if the attack was successful. Most tier-one security technologies fall short in providing these much needed capabilities.
Some tier-one security devices, such as intrusion prevention systems, lack the ability to keep the states of a transaction because they are performing multiple operations to validate if the data flowing through the IPS matches a particular filter/signature or pattern. Furthermore, some systems lack the ability to parse compound documents such as PDFs or Word documents that contain malware. Understanding weaknesses contained in the products that are defending your corporate infrastructure will hopefully make you re-think your security strategy.
Before enemy threats become real
The goal of any security strategy is reducing your overall risk. It's important to understand that there is no silver bullet to mitigate 100% of all threats. The Chinese military classic, The Art of War, is commonly quoted within the security community: "If you know your enemies and know yourself, you will not be imperiled in a hundred battles…" We know the enemies well and their methods for evading detection. The "know yourself" part is somewhat lost in translation; most of us are focused on adding security countermeasures, which are not cookie cutter for every corporate infrastructure.
Filling the gaps with tier-two security technologies, like breach detection systems (BDS), is an excellent way to reduce your risk of the unknown. The key capability of BDS is that it is attack-surface aware. BDS can detect the initial drop of a malicious file or the command and control communication of an unknown piece of malware. These systems are deployed at the network perimeter as a network appliance or as software that is loaded on an end-point asset. They use multiple identification vectors such as IP address and domain reputation data, pattern matching, heuristics, flow monitoring, browser emulation and operating system behavioral analysis at the network layer or host. Figure one illustrates the results of a vendor in our BDS testing earlier this year. It conveys the product's ability to identify two aspects of successful malware delivery through HTTP.
It's important to understand there's always going to be a patient zero (first infected asset) with any piece of unknown malware. BDS allows you to identify the patient zero along with the corresponding intelligence to remediate other assets on your infrastructure that were infected by the initial detection of malware. This is absolutely a common defense in-depth approach, essentially layering additional security to close the gaps left open by other security technologies.
However, defense in depth is somewhat played out. Think of it as "confidence in depth" using now-generation technology (instead of next-generation products and services). My advice is that you start planning for the inclusion of enhanced threat detection offered by tier-two security technologies in your budget cycle. Start by doing a proof of concept and testing some tier-two systems within your infrastructure.
The threat detection technology, maturity and scalability of these systems vary by vendor. Some areas to consider include whether the system requires network or endpoint deployments, or some combination. If it uses sandboxing, is the data sent to the cloud, and if so, can that functionality be turned off? Is the system able to detect pre-existing breaches as well as malware introduced through side channels? Even if a vendor makes these claims, it's important to verify that the technology works as advertised.
At NSS Labs, we have thoroughly tested this technology and believe it offers a solid addition that is complimentary to existing security infrastructure. While adopting tier-two security technologies within your existing security infrastructure is a solid approach to countering persistent and unknown threats, the cost is not trivial. These types of capital expenditure procurements need to be planned well in advance of the company's fiscal year budget cycle.
About the author:
John Pirc is the research vice president at NSS Labs. A security intelligence and cybercrime expert, Pirc is the co-author of two books, Blackhatonomics: An Inside Look at the Economics of Cybercrime and Cyber Crime and Espionage. Prior to his role at NSS Labs, Pirc was the director of Security Intelligence at HP Enterprise Security Products, where he led the strategy for next-generation security products. Follow him @jopirc.