2012: Next-generation threats need next-generation firewalls
- — 14 June, 2012 09:08
It wasn’t too long ago that security vendors were touting new ‘heuristic’, or behaviour based,analysis as a newfangled way to spot new viruses that were generated by hacker toolkits and didn’t match any known signature on file. These days, however, heuristics are less a luxury than the standard operating procedure as globally connected malware authors spew new threats faster than ever and even the most diligent companies continue to suffer the indignity of successful security attacks.
Recent figures from the Australian Institute of Criminology suggest that cybercrime has overtaken physical crimes like car theft and break-ins, which have plummeted by half or more in the past decade. Cyber attacks reported to the Australian Computer Emergency Response Team (AusCERT), on the other hand, jumped 255 per cent in 2010 compared with the previous year – while the number of compromised hosts notified to AusCERT jumped 296 per cent and the number of sites hosting malware jumped 111 per cent in the same period.
Hackers love new technology: they have already started compromising IPv6 networks, and are turning to new technologies like peer-to-peer (P2P) networking and headless ‘bot’ networks that are increasingly difficult for authorities to trace, much less intercept.
In a word, the bad guys are creative –and they have both obscurity and time on their side. That’s producing longer and longer odds for corporate security managers who just want to keep the baddies out so the business can get on with its business.
The threat of malicious attacks is likely to strike fear into the hearts of executives who face growing exposure to increasingly bold hackers unafraid to take on big-name targets like Sony, Stratfor, RSA and Nasdaq – all among the 535 companies, according to the Privacy Rights Clearinghouse, that were penetrated quite publicly during 2011.
In many of those cases, millions of private customer records were compromised — something that’s becoming easier and easier to do as hackers exploit unpatched databases and refine their understanding of attack techniques like SQL injections, which took more than four million websites in 2011 alone. Privacy breaches not only embarrass companies and alienate customers, but they are serious offences under laws in Australia, Europe and elsewhere.
Despite the high-profile threats posed by data loss, a recent survey for the Independent Oracle Users Group found that databases were still not being protected adequately: a quarter of respondents felt it was likely or inevitable their company would have a data breach in 2012, but only 36 per cent said they had worked to protect their applications from SQL injections.
Even worse, 70 per cent take over three months to apply critical patch updates; only 30 per cent said they encrypt sensitive and personally identifiable information; and only 40 per cent of respondents audit their databases for security breaches on a regular basis. For the rest, it could be
weeks or months before they even noticed they had been hacked; in many cases, the first notice of a hack comes when the perpetrators splash it across
Budget at last
No wonder security breaches seem to be happening with more regularity of late: as the targets and the prizes get bigger, so too does the coverage. Heaven forbid the organisation works in government or other potentially unpopular industries: ‘hacktivism’ has become a very real threat that stacks even well-protected targets against the ravages of a determined and resourceful enemy.
Political goals drive a large portion of distributed denial of service (DDoS) attacks, which cripple websites by flooding them with up to 10Gbps or more of phantom traffic; DDoS was named as a significant operational threat by 71 per cent of network operators in Arbor Networks’ recent Worldwide Infrastructure Security Report.
With attacks continuing to rise, there is little positivity coming out of enduser security surveys – except for the optimism of surveys like a recent report by analyst firm Telsyte, which found that CIOs are finally refocusing their security priorities and boosting security spending during 2012.
The Telsyte Australian CIO Information Security Priorities Study 2012, which consisted of 320 senior IT executives, found that growing board and senior-management awareness of security issues – and the potential reputational damage they can cause – has increased the priority of security
remediation. Budgets are higher, and security refreshes are being put onto the front burner for the first time in years as nearly a quarter of Telsyte’s respondents said they are working to change security strategies.
But what will CIOs be buying?
Therein lies the rub: whereas it was once seen as enough to install a brand-name firewall to protect the ingress and egress points of the corporate network, today’s changing usage models have relegated that model to the dustbin of history.
Cloud computing, for example, is putting corporate data and applications outside the firewall – and outside the direct protection of the companies they serve. Virtualisation has changed the structure of the enterprise, putting a new spin on time-honoured security practices.
The rise of mobility and bring your- own (BYO) computing, which is only gaining further momentum with every new smartphone or tablet the likes of Apple and Samsung release, allows many corporate devices to bypass perimeter firewalls altogether. If comparable authentication and security can’t be extended to these new computing paradigms, all the security mandates in the world will be for nought.
CIOs intrinsically recognise this – Telsyte found that around half rated mobile security as being critical or very important – and vendors are rushing to meet the resultant demand.
Security: the next generation
Although vendors’ 2012 product lineups vary, they generally seem to be converging around several common attributes.
First, they are falling into what the industry broadly refers to as ‘next-generation firewalls’ (NGFWs). Compared with traditional port-based sentries, NGFWs have a broader remit and a modular architecture that lets customers mix and match the security capabilities they need.
These might include DDoS detection, intrusion detection systems (IDS), intrusion prevention systems (IPS), spam blocking, antivirus, botnet blocking, advanced persistent threats (APTs), and other nasties; Check Point Software Technologies, for one, offers more than a dozen different software ‘blades’ that
can be plugged into its core NGFW engine. Importantly, those threats must also be blocked from internal sources – a requirement that has become crucial given the rise of Cloud computing and mobile devices.
“The cornerstone of security in 2012 is still a firewall on a network appliance,” says ANZ managing director Scott McKinnell, “but the value proposition is around centralised management of those capabilities, and aggregating technologies onto that platform.”
A key part of the overall NGFW security approach is the addition of a correlation engine that’s able to bring together the data from all manner of individual scanners, then analyse it and raise appropriate alarms based on behavioural anomalies.
This is the old-reliable heuristic analysis done large, and it’s been a major target of organisations such as HP, which has recently ramped up its security practice on the back of several acquisitions that have bulked out its security products and consulting services.
“When a port is being opened and its activity level is different to the norm, that’s almost instantaneous information,” says Chris Poulos, South Pacific general manager for the Enterprise Security Products division of HP Australia. “Logs come in all different shapes and sizes, so if we can ingest logs to be able to speak the same language, it gives us great power to see what’s going on. We’re trying to get the information that really matters.”
With virtualisation now well-entrenched inside the firewall and becoming increasingly common outside of it through the takeup of Cloud-based applications and storage, correlating that information is becoming increasingly important. To this end, next-generation security defences are increasingly
bundling in ever-tighter integration with virtualisation hypervisors, which include APIs that let security tools seamlessly monitor traffic to, from and within virtual machines.
Cloud security, on the other hand, remains a moving target, although vendors are working together to nut out interoperable standards under the guidance of peak bodies like the Open Data Center Alliance (ODCA), which has attracted more than 300 vendor and user members in its first year.
The ODCA offers evolving standards and best practices for Cloud security based around eight usage models for areas like security monitoring, virtual machine interoperability, regulatory frameworks and the like. By using these and similar frameworks to guide your security efforts in 2012, you can
combine both business and technical perspectives on your data security to great effect – as long as you remember that nothing in the security market sits still for long.
“At the end of the day, the threat landscape is moving fast,” says McKinnell. “If you can’t move with a high amount of agility to protect it, having a Nirvana of a solution is useless. Risk is increased by time without action.”
Want to read more from this author?
And many more here