Making security scale: Why you're probably not ready to secure mobile and cloud
Author: David Braue
The explosion of mobile devices may be creating new learning and business opportunities in large school and business environments, but without a suitably matched security platform those devices are opening up new vulnerabilities that will end up creating nothing but headaches for administrators.
That's the warning of David Wigley, who has worked with many of the largest organisations in Australia to bring high-grade content filtering and malware detection capabilities to school systems, Internet service providers and other large organisations that need to be able to apply security policies consistently at massive scale.
As CEO of Canberra-based security developer ContentKeeper, Wigley has helped grow the company from an Australian success story into a global security vendor with tools protecting more than 10 million seats worldwide; it branched into the US market a year ago and is seeing “phenomenal” growth there, he says.
Yet the company's biggest asset is its design: ContentKeeper was a pioneer in development of closed-loop collaborative filtering technology, which builds on bridge-based technology to rapidly assimilate crowdsourced security alerts to protect high-volume environments running multiple gigabits per second of aggregate data.
A key element of this success comes from the idea that content analysis and blocking needed to be able to analyse traffic on-network rather than diverting it through a separate gateway. This led to the bridge-based architecture that, Wigley says, has delivered the kind of scalable performance that gateway-based alternatives struggle to match.
“This approach gives you a 10:1 processing advantage as far as looking at packets flying past on a network,” he explains, noting that this early speed advantage has become even more important as the number and type of devices to manage has expanded in recent years.
That management has also become more difficult in mobile environments such as schools, where technically capable students have proved highly effective at circumventing protections built into their mobile devices. To ensure that acceptable levels of security are maintained in such environments, a more inescapable method of security – inspecting all incoming and outgoing traffic on the network regardless of its source – is becoming the preferred option.
“Mobility is driving the market,” Wigley says, “but most of the solutions out there can be disabled by educated users. Filtering becomes a bit of a joke, really. We're the only people that have a tamper-proof solution for iOS: it's critical that the kids can't take their devices home and change settings to do what they like.”
Securing the cloud
With cloud security now adding to the expanded demands of securing the mobile environment, the need for fast and unobtrusive filtering capabilities has only increased further.
Securing the flow of data to and between these domains, Wigley says, requires a unified defence mechanism that allows customers to maintain the same level of security protection no matter what device or service they are using.
“The future is a hybrid approach,” Wigley says. “Some will have mobile suites and some will use a cloud-based service. What customers really want is to wander from one environment to another seamlessly.”
Making that happen while preserving security, however, isn't without its share of complexity. Widespread use of cloud encryption, in particular, will cause challenges for security tools that cannot effectively scan the contents of encrypted packets traversing their filtering infrastructure.
Given that today's malware authors are better than ever at faking the digital certificates supporting secure communications – and that cloud providers like Google and Yahoo are rapidly mandating the use of SSL (Secure Sockets Layer) encryption – Wigley warns that access to this traffic is an essential capability for organisations to mount effective security defences.
“If someone wants to make new malware these days, the first thing they do is to go create an SSL tunnel,” he explains. “This lets them establish tunnels and send stuff straight to your desktops. If your security software isn't looking inside those tunnels, you can't see what's going on. The more SSL you have on the network, the bigger the blind spot.”
Sandboxing technology offers another layer of protection, allowing the security perimeter to contain detected threats in a protected environment where the behaviour of malware can be both controlled and analysed. Also important in the mix are “sensible” policies such as restricting direct access to external systems.
Given that there are now so many modes by which organisations can be attacked, companies without a single, unified, overarching defence may find themselves struggling to keep up with the rapidly growing and changing malware threat.
And while a highly-scalable security architecture can help even the biggest organisation keep up with ever-bigger data transfers, Wigley concedes that maintaining an effective security barrier is an unending process. “Nobody has the full answer yet,” he says.
“It's a matter of using as many techniques as you can. Effectively, you're just building walls. And the more techniques you use, the higher the wall is and the harder it is to get in. You can't cover every single thing in this area – but you can do a pretty good job.”
Smarter DDoS attacks require smarter DDoS defence
Author: David Braue
You may have once thought distributed denial of service (DDoS) attacks only happened to companies big enough or important enough that someone would bother disrupting their services. But with DDoS frequency and intensity increasing, a security expert has warned, it's now imperative that every CSO consider how it would handle a DDoS – and introduce pre-emptive measures to deal with them.
DDoS attacks have evolved rapidly over the years. Early efforts were used mainly by hackers seeking to spoof a target system, using the DDoS to bring down the real system while a second, impostor site took its place.
Today's DDoS attacks hit a broader range of targets. DDoS capabilities are more casually available through DDoS-as-a-service offerings that allow attackers to rent networks of compromised systems. Their intensity has increased dramatically over the past year due to widespread adoption of reflected and amplified attack techniques, which exploit weaknesses in ubiquitous Internet protocols to unleash an avalanche of useless data at targets.
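The reflection and amplification pattern described above has a recognisable shape from the defender's side: many external hosts sending large UDP responses from a well-known service port to a single internal address that never asked for that much. The following detection routine is an added example, not code from the article or from F5; it runs over constructed, NetFlow-style records (the prefix 203.0.113.0/24, the reflector port list, the thresholds and the sample flows are all assumptions) and flags a victim when inbound response bytes from a reflector service dwarf the victim's own outbound requests to that service.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP services commonly abused as reflectors (well-known list; port -> service name).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}

# The address space we defend (documentation range; constructed for this example).
OUR_NET = ip_network("203.0.113.0/24")


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: src,sport,dst,dport,proto,packets,bytes."""
    src, sport, dst, dport, proto, packets, nbytes = line.strip().split(",")
    return Flow(src, int(sport), dst, int(dport), proto.upper(), int(packets), int(nbytes))


def find_amplification(flows, min_sources=3, min_bytes_per_pkt=400, min_ratio=5.0):
    """Return one alert per (service, victim) whose inbound UDP 'responses' look amplified.

    Three signals are combined: responses arrive from several distinct sources,
    the packets are large (amplified payloads), and the inbound byte volume is far
    larger than the victim's own outbound requests to that service.
    """
    inbound = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    outbound = defaultdict(int)  # (service, internal host) -> request bytes sent

    for f in flows:
        if f.proto != "UDP":
            continue
        if ip_address(f.dst) in OUR_NET and f.sport in REFLECTOR_PORTS:
            key = (REFLECTOR_PORTS[f.sport], f.dst)
            inbound[key]["sources"].add(f.src)
            inbound[key]["packets"] += f.packets
            inbound[key]["bytes"] += f.nbytes
        elif ip_address(f.src) in OUR_NET and f.dport in REFLECTOR_PORTS:
            outbound[(REFLECTOR_PORTS[f.dport], f.src)] += f.nbytes

    alerts = []
    for (service, victim), agg in inbound.items():
        bytes_per_pkt = agg["bytes"] / agg["packets"]
        requested = outbound.get((service, victim), 0)
        ratio = agg["bytes"] / requested if requested else float("inf")
        if (len(agg["sources"]) >= min_sources
                and bytes_per_pkt >= min_bytes_per_pkt
                and ratio >= min_ratio):
            alerts.append({
                "service": service,
                "victim": victim,
                "sources": len(agg["sources"]),
                "inbound_bytes": agg["bytes"],
                "amplification_ratio": round(ratio, 1),
            })
    return alerts


# Constructed sample records. Five NTP "responses" hit 203.0.113.10, which only sent
# one small request; a normal DNS exchange for 203.0.113.20 is included as a control.
SAMPLE_FLOWS = [
    "203.0.113.10,40000,198.51.100.1,123,udp,10,900",
] + [
    f"198.51.100.{i},123,203.0.113.10,40000,udp,1000,440000" for i in range(1, 6)
] + [
    "203.0.113.20,53000,198.51.100.53,53,udp,20,1500",
    "198.51.100.53,53,203.0.113.20,53000,udp,20,3000",
    "198.51.100.9,443,203.0.113.20,50000,tcp,50,60000",
]


def run_sample():
    return find_amplification(parse_flow(l) for l in SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the thresholds would be tuned per service (NTP and DNS responses have very different normal sizes), and the outbound side would be read from the same exporter so that asymmetric routing does not hide legitimate requests; the three-signal structure is the part worth keeping.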
These changes, warns F5 Networks worldwide security evangelist Preston Hogue, reflect the new threats inherent in a DDoS landscape that is getting “much more sophisticated” even as faster broadband services increase the scale and intensity of DDoS attacks.
Broadband in developing countries, in particular, is driving growth in DDoS attacks sourced from those regions.
“A lot of these countries didn't have the capacity to be able to launch those attacks,” Hogue says, “but emerging countries are adding more computers and more capabilities on a daily basis. And in developed countries, we are now doing 10Gbps to households in some downtown areas. Imagine the future, where an attacker could take over 10 houses close to a company and own the pipes of almost any company in the downtown area.”
Even with today's broadband services, the sheer volume and length of many attacks can eventually prove overwhelming even to large organisations with incoming traffic filtering in place, he warns.
Attackers are sending repeated enquiries modelled after ordinary HTTP requests “so none of these devices have a clue”, Hogue warns, noting that others use SSL encryption, which is likewise carried straight through network defences while the defence platforms are none the wiser.
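Because each request in such a flood is, individually, a well-formed HTTP request, a signature-based device has nothing to match; what distinguishes the flood is behaviour over time. The following sliding-window rate check is an added example, not code from the article or from F5. It parses constructed Apache-style access log lines (the client addresses, paths, window size and threshold are all assumptions) and reports the clients whose peak request rate in any ten-second window exceeds the limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined-log style line; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return {ip, ts, path} for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path")}


def peak_rates(entries, window_seconds=10):
    """Highest number of requests each client made within any window_seconds span.

    Timestamps per client are sorted and walked with a deque so that each request
    is added and removed at most once (linear time per client).
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    peaks = {}
    for ip, times in by_ip.items():
        times.sort()
        window = deque()
        best = 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() >= window_seconds:
                window.popleft()
            best = max(best, len(window))
        peaks[ip] = best
    return peaks


def flag_floods(lines, window_seconds=10, max_requests=50):
    """Clients whose peak rate exceeds max_requests per window, sorted for stable output."""
    entries = [e for e in map(parse_line, lines) if e]
    peaks = peak_rates(entries, window_seconds)
    return sorted(ip for ip, p in peaks.items() if p > max_requests)


def _make_line(ip: str, ts: datetime, path: str) -> str:
    # Helper that builds one constructed log line in the format LOG_RE expects.
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample: one client sends 120 requests in eight seconds (15 per second),
# another browses normally, and one malformed line is present to exercise the parser.
_BASE = datetime(2014, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_make_line("198.51.100.77", _BASE + timedelta(seconds=i // 15), "/login") for i in range(120)]
    + [_make_line("203.0.113.5", _BASE + timedelta(seconds=3 * i), f"/page{i}") for i in range(6)]
    + ["this line is not an access log record"]
)


if __name__ == "__main__":
    print("peak requests per 10 s:", peak_rates([e for e in map(parse_line, SAMPLE_LOG) if e]))
    print("flagged clients:", flag_floods(SAMPLE_LOG))
```

A single threshold is deliberately crude: real deployments baseline per-client and per-path rates, and distinguish shared NAT addresses from a single abusive host; the sliding-window peak is the primitive those refinements build on.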
“DDoS has always been a way to manipulate and take advantage of the way a protocol was written, and to abuse it,” he explains, “and the attackers have become smarter in the way they do the attacks.”
“Some attacks,” he continues, “are in such a prolonged state that even with the traditional defence mechanisms that companies had on premises and in the cloud, all their applications were down. And who knows how many protocols in applications have been created out there that have these flaws?”
The hybrid defence
Cloud-based DDoS defences are redefining conventional security defences, offering ways of detecting, intercepting and blocking DDoS attacks before they get out of control. Yet while there is value in moving DDoS protection away from the enterprise, it is also important to tie it to conventional on-premises defences.
The result of this conflicting requirement, Hogue says, will increasingly be the emergence of hybrid security solutions that combine on-premises tools for endpoint, access control and other security tools with cloud-based services such as those for blocking DDoS attacks.
“You clearly don't want to handle everything on premise, but don't want to handle everything off premise either,” he says. “If it's a volumetric based attack, the further outside the data centre and closest to the attacker that you can handle it, the better.”
Yet while a hybrid model can satisfy both requirements, it must also offer a unified reporting capability that allows organisations to readily see what kinds of threats they are facing and how those threats have been handled.
This is difficult enough with two different solutions, but as cloud-based security services continue to gain currency, organisations will face the very real challenge of co-ordinating their protections with those of other systems as well. This reporting will also need to be tied back to clear metrics around usage of managed security services and the effectiveness of their defences.
Such capabilities will, Hogue says, come in time as DDoS and other cloud-hosted protections come into more common usage and vendors develop increasingly flexible, common platforms addressing both on-premises and cloud-hosted solutions.
“Long term, you're going to see a consumption model in the full hybrid environment,” he explains. “Customers only want to pay for the full solution, and business models are already getting developed to ensure that these can be reasonably affordable to customers.”
Those models will necessarily extend beyond security alone, folding DDoS and other security services into the broader roster of offerings that support the deployment of hybrid computing and security environments.
The easy availability of such solutions will be particularly important as a growing number of organisations come to realise that DDoS protection has become an essential part of the modern enterprise defence. Yet many, Hogue says, are still learning this lesson the hard way.
“You wouldn't believe how many calls I've been to where customers aren't listening,” he explains. “Then they get hit by a DDoS attack and I'm back in front of them talking to them again. We're at the point where DDoS is a well known, established risk – and people are starting to build it into their risk profiles. DDoS is the new spam.”
Don't give up on the security fight just yet
Author: David Braue
Many companies are coming to see security as a form of damage control rather than prevention – an implicit admission that cybercriminals have outflanked and outclassed them – but one security innovator is still working hard to convince customers not to give up on the idea that attacks can still be prevented.
“There are many organisations out there that think we've lost, and that we should remediate any damage as quickly as possible,” Nir Zuk, founder and chief technology officer with security firm Palo Alto Networks (PAN), explains.
“But I just cannot accept this. It doesn't make sense, and we work to give customers some hope. They have to do something about these attacks, but their goal from the get-go should be to prevent the attacks. I'm going to keep fighting and telling them that we can prevent attacks – and that should be our goal.”
It's not the first time Zuk has dug in while fighting conventional wisdom about security attacks: his long history at security innovators Check Point Software Technologies, OneSecure and NetScreen Technologies saw him exploring a range of new approaches to long-established security problems.
As a co-founder of PAN, his entire mission statement was about taking a new approach to security – based on observing changes in network behaviour patterns rather than malware signatures – and the market has responded as forward-looking customers reach out for new security options.
The company is now growing at around 50 percent year on year, outpacing the overall security industry by a ratio of 5:1. Growth is particularly strong in Australia, where a strong governance-fed appetite for data security has driven growth that Zuk says is “three-digit percentage” year on year.
Most of that business comes from customers who have given up on their previous security solutions, implementing PAN solutions as a replacement rather than an augmentation to their existing environment.
This buoyant growth has been supported by the company's 2014 acquisitions of endpoint security vendor Cyvera and advanced threat detection specialist Morta Security, each of which has contributed new technology to the range of tools PAN can bring to bear on malware defence.
Tightening the net
By filling out its security offering, PAN is working to be able to provide customers a single, unified security platform that extends from on-premises to cloud-based applications with a single security interface.
This type of seamless security framework has become a common goal for today's customers, says Zuk. “Cloud is an extension of the enterprise,” he explains. “And what customers really want to do is to run applications on premise, or through a cloud provider, or use a SaaS provider – and they want it to be seamless.”
That seamless capability, in particular, results from having a single security platform that can apply the same level of scrutiny to different types of traffic being carried across different types of channels, from a variety of sources to a variety of destinations.
“We're finding security has to be like that,” Zuk continues. “They expect security in the cloud to be the same as security on premise, and part of the same platform, because you have a better chance of stopping attacks as they happen.”
“Security is only as good as your weakest link, because attackers will always find the weakest link and attack it. So, it doesn't make sense to secure different parts of your enterprise differently. If you do, then by definition one of them will be weaker than the other.”
Tightening the links between various security elements will not only give organisations better visibility into their security profile, but it will also offer a measure of additional control that will help those organisations increase their resistance to existing and new threats.
This, in turn, will force attackers to become ever more resourceful in their attempts to compromise security – increasing the amount of time and money they need to spend in order to successfully penetrate any given target.
This approach is the best hope for organisations wanting to improve their resistance to outside attack, Zuk believes, arguing that even small improvements in organisational defences can have a dramatic effect on the cost of attacks.
“It may be that you're not going to stop 100 percent of attacks, but this is all about making it more expensive for hackers to attack organisations,” he explains. “By being 10 percent better at defences, you can make it 10 times more expensive for the attacker to attack.”
“Our goal at PAN is to get to a point where we can prevent such a high percentage of attacks that it's going to make sense for our customers to take this approach.”
One critical requirement to making this approach work is positive thinking – believing that there are still ways to block hackers when others say all options have already failed – and another is having the patience to start small and grow bigger over time.
“Once we convince customers that we are right and they give it a try on a small scale, they become a bigger customer,” Zuk says, noting that success at small scale often breeds greater interest amongst increasingly security-conscious business executives.
“That's how we grow,” he adds. “Some people are scared of change and some aren't – but one thing we're seeing is that you cannot go to the board and say 'I'm using the best there is and it doesn't work'.”
“You either get hacked or don't get hacked. Security is becoming a board-level issue, and you either secure the enterprise or find a new job.”