ZIFFPAGE TITLEStep NoBy John Moore | Posted 2006-05-15 Email Print
New threats to your computer infrastructure emerge every day. Baseline's Security Survival Guide provides tips and techniques to help you safeguard your organization.. 1: Detect the Initial Attack">
Step No. 1: Detect the Initial Attack
With all the threats floating around in the cyberjungle, how do you sniff out a serious I.T. security breach? Best defense requires a mix of technology muscle and human interpretive skills. Detection systems are essential tools, but it's up to professionals to make some informed distinctions.
Guerrino says his bank's incident-response team sizes up threats based on some critical calculations: the probability of imminent attack, the probability that an attack will succeed once attempted and the potential damage of the attack if it proves successful; the location of the potential targets, the host operating systems and their associated vulnerability to the attack; and the sensitivity of the data residing on affected devices.
What gives an organization the best chance to safeguard itself? The critical elements include multiple levels of traditional and emerging security monitoring tools; an analysis system capable of crunching copious amounts of event data; and the ability to process observations from employees and customers.
"Security [today requires] a layered approach," says Payne of iDefense Security Intelligence Services. "There is no silver bullet."
Firewalls and intrusion-detection systems are the old reliables of detection technology. Standing at the intersection of internal networks and the public Internet, firewalls are the established first barrier to external attacks. Intrusion-detection systems, which joined the security force in the late 1990s, monitor networks for suspicious activity. Intrusion-prevention systems go a step further, monitoring traffic and then initiating an automated response, such as dropping a particular packet of data.
Old-school intrusion-detection systems identify threats based on the signatures of known attacks. But some new threats are too nimble for that: So-called "zero-day" attacks occur at the same time a vulnerability is discovered, leaving no time for the creation and distribution of signatures.
To address this, security teams have supplemented signature-based systems with behavior-based detection technologies, which establish a baseline of normal network traffic. The systems then search for anomalous patterns-say, traffic coming from a network at a time when no one should be using it-helpful in flagging previously unknown types of attacks.
Guerrino calls zero-day exploits "our biggest concern." In response, Bank of New York deploys hundreds of intrusion-detection and intrusion-prevention sensors that record events on a daily basis. Its intrusion-detection/prevention systems shield the bank from the vast majority of exploits, and only a fraction of the events warrant a security-breach investigation, Guerrino says.
The University of Georgia also uses an intrusion-detection/prevention combination, says Stanton Gatewood, the school's chief information security officer. The university operates a Security Operations Center that monitors its intrusion systems around the clock and also minds firewalls, virtual private networks and other security products.
Monitoring systems generate oodles of data on potentially disruptive security events. Intrusion-detection systems, for example, deploy multiple sensors to scan incoming data packets and flag malicious traffic, creating a log of security events. A sensor covering a single network segment may generate 50,000 to 100,000 alerts in an hour, says Sam Curry, vice president of eTrust threat management solutions at CA.
To find events that are truly cause for alarm, organizations must comb though thousands, if not millions, of snared signals. I.T. security departments "need some way to filter [events] to get them down to a more manageable level," Guerrino says.
Security experts refer to the parsing of this information for analysis as "correlation."
Before he or she gets buried under a deluge of security event logs, correlation presents a security analyst with a short list of items to consider. Security information and event management software uses correlation engines to help connect the dots of security events.
"A single event in and of itself may not mean anything, but aggregating with multiple data points can signify something more sinister," says Speare, the group vice president and corporate information security officer at M&T Bank.
Speare says automated tools with intelligent correlation are helpful in identifying phishing attacks, for example, in which a perpetrator sends e-mails claiming to represent a legitimate business and directs recipients to a bogus Web site where they are asked to submit Social Security numbers, credit card numbers or other personal information. The e-mails and Web site use authentic-looking business logos to lull the recipients into a false sense of security about divulging information.
Speare says people who launch phishing attacks tend to be slow and methodical. Someone planning to spoof a banking Web site may visit the legitimate site to pull an image, return several hours later to pull another, and come back once more after that to obtain a third. The fact that images were obtained over an eight-hour period, amid a multitude of other events occurring during that span, may not mean much, Speare says. But filter those events through a correlation engine, and you can put those pilfered images into context-for example, discovering that the pilfered images were downloaded via the same class of Internet Protocol addresses.
M&T Bank uses NetForensics' Open Security Platform security information and event management product. Tracy Hulver, senior director of product management at NetForensics, says customers can use the company's products to "uncover patterns that native security devices may not uncover."
"There's a sea of stars out there that have to be connected to find the constellation that matters," says CA's Curry, whose company also markets a security and event information management product.
Bank of New York first correlates events logged by each detection method-intrusion detection, intrusion prevention, etc.-and then correlates across the different product sets. It's at this second, higher level of correlation that the bank's security group may issue an alert. At this stage, for example, it may recognize that the same kind of exploit is targeting two different Bank of New York locations from the same source network, Guerrino explains.
But before sounding the alarm, the security analyst monitoring the firewall/intrusion-detection/intrusion-prevention system confers with his or her manager and network operations personnel to discuss the severity of the incident. Remediation may take place here. Only the more serious incidents move up the chain.
Security groups must be wary of false alarms. New York-Presbyterian Hospital, for example, battled a false positive rate of more than 15% with the intrusion-detection system it had installed, says information security officer Soumitra Sengupta. The hospital has since purchased a behavior-based security appliance from CounterStorm that Sengupta says has minimized the problem.
Keeping People Alert
As necessary as technology-based detection systems are, be alert to clues from users and customers, who may give you a hint something's amiss even before your software does.
Calls to a corporate help desk are as likely to signal the onset of a denial-of-service attack as a security alarm, says Barry Miracle, global security practice leader at BearingPoint, because such attacks can "outstrip the ability of your tools to respond."
In these attacks, Miracle explains, the time it takes security staff to scrutinize intrusion-detection reports for false alarms works against you. By the time an incident is tagged as genuine, the phones already may be ringing.
A company's network operations center might also pick up an early distress signal. "Some problems will get reported as a network or a systems issue so it gets to them first," Guerrino added. Callers' complaints about a perceived network performance issue may turn out to be caused by a new Trojan or worm upon examination. That scenario usually plays out for threats never encountered before, Guerrino says.
A security manager who finds a new threat may consult with an antivirus vendor, security service provider or computer security forum to alert the community and determine the type of attack or malware encountered.
Early tips that something is awry also come in from business partners. Dave Morrow, chief security and privacy officer for Electronic Data Systems Corp., describes one scenario: Company A gets a call from a business partner, Company B, reporting an attack that appears to originate from someone on Company A's network. Company A investigates and finds that Company B was indeed hacked via Company A's network. But the culprit turns out not to be a Company A employee, but an intruder who broke into Company A's network from the Internet and then attacked Company B. Morrow refers to this process as "looping." Given that "businesses are so much more of an ecosystem," he explains, a partner may well "see something that will be traced back to you."
Sometimes, the first indication of a security violation may come from a customer you didn't even know you had.
The University of Georgia's Gatewood recalls a case a few years ago of a student who used the university's computers to sell software on eBay. The school was unaware of the violation of its security and acceptable-use policy until it fielded a complaint call from a buyer.
"One of the folks who purchased the software got upset ... and called the institution and wanted money back," Gatewood says, noting the buyer objected to the "cheesy CD cover" and general lack of professionalism.
Dealing with a community of intelligent, creative students who arrive on campus with a small data center's worth of computing equipment poses a challenge for university security, Gatewood says.
"I've had quiet days," he says, "but 'quiet' is a relative term."
It's a reminder that insiders, whether student or employee, represent a security threat that may elude intrusion-detection systems, which "typically are deployed to detect events or attempts from the outside coming in," Guerrino says.
However, intrusion-prevention systems can be deployed to monitor internal activity; the Bank of New York uses them that way.
M&T's Speare also notes the use of intrusion-prevention systems for internal monitoring, as well as IPS products from Vericept and Vontu that look for specific types of information, including Social Security numbers, traversing corporate networks, he says.