
Network security is being redefined to better block data raiders

A whitepaper from Computer Weekly (CW+)

Penalties of up to £500,000 can now be imposed for breaches of the Data Protection Act. Many businesses have mitigated the risks of hacking, denial of service and SQL injection through firewalls that allow or deny access to a network and intrusion detection and prevention systems that recognise and block malware attacks. Yet each year there are millions of new strains of malware and the permeable nature of perimeter network defences is now so widely recognised that even the US military admits it cannot secure its networks. This 10-page Buyer’s Guide to Network Security helps CIOs and senior IT professionals to identify what technology will best provide the additional protection needed against today’s threats.

Contents

A firewall is no defence page 2

The ‘walled garden’ approach to network security does not work for flexible businesses, writes Cliff Saran.

Systems on look-out duty page 4

Patelco Credit Union has redefined its intrusion protection systems and network access control capabilities to reduce the risk of ATM infection, writes Danny Bradbury.

Tackling the threat of data raiders page 7

Gartner analysts Greg Young and John Pescatore look at the capabilities and shortfalls of intrusion prevention systems.

A business case for network security page 9

Penalties of up to £500,000 for breaching the Data Protection Act could increase the business value of security, says Bob Tarzey.

New tools for a new type of threat page 10

Mark Ballard reports on two products that use intelligence and resilience to hunt down intruders on the network.

These articles were originally published in Computer Weekly magazine in April 2010. To print this document, select “Shrink to printable area” or similar in your print menu.

CW Buyer’s guide: network security


A firewall is no defence

The ‘walled garden’ approach to network security does not work for flexible businesses, writes Cliff Saran

For years, network security has been seen as central to preventing the undesirable outside world gaining access to corporate networks. The rationale was that if the network perimeter was protected, hackers could not get in.

IT security managers have used firewalls to define the applications that can access the network by opening and closing firewall ports; intrusion detection to monitor network activity; and intrusion prevention systems to stop unauthorised access. In this scenario, the corporate network is treated like a walled garden with access carefully controlled through a strict IT security policy.

Authorised users are given role-based access to applications and data behind the corporate firewall. New products are constantly being developed and existing ones enhanced to support the changing requirements of modern network security.

Drawback

However, IT security group the Jericho Forum has identified a drawback with taking this approach to corporate IT security. Businesses rely on firewalls to keep the good things in and the bad things out, but this does not reflect how companies now operate.

The use of firewalls to define a hard corporate network perimeter cannot cope with businesses that work with external partners, or provide hot-desking and tele-working for employees. At global engineering firm Arup, for instance, joint ventures are part of how the business works. Collaboration with external companies is critical.

“We use site-to-site virtual private networks with access control,” says Mark Judge, group IT security manager at Arup. When long-term access to the corporate network is required, Judge says Arup segments its network, which effectively creates a walled garden around joint venture projects, providing access for business partners to a defined area of the corporate network without reducing the overall level of security on the network.

More online:
How to control abuse of social networking on mobile devices: computerweekly.com/244108.htm
Report: How to tackle secure protocols for wireless networks: computerweekly.com/243849.htm
In-depth: Quocirca business case for network security: computerweekly.com/240745.htm

According to Paul Simmonds, a chief security officer and founding member of Jericho Forum, “In the future, most [business data] will be outside the organisation, so security must be designed for the internet.”

Rather than making sure the network is secure, Simmonds says, “From a purist’s point of view, security is about providing good network quality of service.”

Quality of service

Maintaining quality of service involves ensuring network applications are not affected when a hacker attacks the network with a denial of service attack, or employees decide to stream the Six Nations Rugby on their office PCs across the very expensive corporate-wide area network.

Computacenter practice leader Colin Williams says businesses are focusing on an application-oriented approach to network security. Specifically, he has seen greater interest in universal threat management appliances, which combine techniques such as intrusion detection, intrusion prevention and virtual private network security, all in a single box.

“Two to three years ago, appliances were not fast enough to run everything at the same time,” says Williams, since they needed to check IP traffic at the speed of the network. But with modern unified threat management devices, he says, it is possible to monitor network traffic at “wire speed”, ie without affecting bandwidth.

Network security usually relies on monitoring the front-end (or header) in a TCP/IP packet to determine if it is legitimate.

According to Chenxi Wang, an analyst at Forrester Research, “Header-only processing limits what you can see from packet processing and, hence, cannot detect content-based threats or differentiate applications using common communication platforms like http [web traffic].”

Data monitor

Deep Packet Inspection (DPI) overcomes this by allowing network managers to monitor the actual data passing over the network. Instead of simply banning staff from using applications such as Skype, Gmail, Hotmail or Facebook, DPI can determine exactly what information is being sent out of the corporate network.

However, DPI has many limitations. First, it is a complex and often expensive piece of technology. The risk of wrongly categorising legitimate traffic (false positives) is high, and many experts regard DPI as an intrusion of people’s privacy.
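The header-only versus deep packet inspection distinction described above, as an added illustration written for this guide (it is not code from any product, from Forrester or from the article). It builds a few constructed IPv4/TCP packets in memory and classifies each twice: once from the destination port alone, the way header-only processing does, and once from the payload bytes. The packet layout, the sample payloads, the port-to-application table and the hostnames are all assumptions made for the example.

```python
import struct

# Constructed sample traffic for this example (not captures from the article):
# each packet is a minimal IPv4 header, a TCP header and an application payload.

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
PORT_TO_APP = {25: "smtp", 80: "http", 443: "https", 22: "ssh"}   # assumed table


def build_packet(src_port, dst_port, payload):
    """Assemble IPv4 + TCP headers around a payload. Checksums stay zero because
    these bytes never reach a wire; only the inspection logic matters here."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return ip + tcp + payload


def parse(packet):
    """Return (src_port, dst_port, payload) from a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # protocol field: 6 is TCP
        raise ValueError("not TCP")
    src_port, dst_port, _, _, offset_byte = struct.unpack("!HHIIB", packet[ihl:ihl + 13])
    data_offset = (offset_byte >> 4) * 4  # TCP header length in bytes
    return src_port, dst_port, packet[ihl + data_offset:]


def classify_header_only(packet):
    """What a header-only device sees: the destination port and nothing else."""
    _, dst_port, _ = parse(packet)
    return PORT_TO_APP.get(dst_port, "unknown")


def classify_dpi(packet):
    """Look at the payload itself and name the protocol from its first bytes."""
    _, _, payload = parse(packet)
    if payload[:2] == b"\x16\x03":        # TLS record: handshake type, version 3.x
        return "tls"
    if payload[:4] == b"SSH-":            # SSH identification string
        return "ssh"
    first = payload.split(b" ", 1)[0]
    if first in HTTP_METHODS and b" HTTP/1." in payload:
        return "http"
    return "unknown"


def http_host(packet):
    """The privacy side of DPI: an HTTP Host header is readable in the clear."""
    _, _, payload = parse(packet)
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode()
    return None


SAMPLES = {
    # ordinary web request on port 80
    "web": build_packet(40001, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # TLS handshake sent to port 80, e.g. an application tunnelling through the web port
    "tls_on_80": build_packet(40002, 80, b"\x16\x03\x01\x00\x05" + b"\x01" * 5),
    # web traffic on a non-standard port
    "web_on_8080": build_packet(40003, 8080, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
}


def compare(samples=SAMPLES):
    """Header-only verdict beside the DPI verdict for every sample packet."""
    return {name: (classify_header_only(p), classify_dpi(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (hdr, dpi) in compare().items():
        print(f"{name:12} header-only={hdr:8} dpi={dpi}")
```

Running it shows the port-based check labelling the TLS handshake on port 80 as web traffic and missing the HTTP session on port 8080 entirely, while the payload check gets both right. It also shows DPI reading the Host header out of the request, which is the privacy cost the article goes on to discuss. A production engine carries many more protocol parsers than these three, and every loose match is a candidate false positive.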

“DPI is very much a hot potato,” warns Rhys Williams, communications partner at international law firm Bird & Bird. “There may be a number of perfectly legitimate reasons why operators might wish to implement DPI technology on their networks, for example network management purposes.

“There may well, however, also be RIPA [Regulation of Investigatory Powers Act 2000] and DPA [Data Protection Act 1998] implications in any analysis of data packets,” he says.

“There is a difference between monitoring a network to ensure that traffic shaping is as efficient as possible and examining data packets for other purposes, such as blocking or prioritising traffic for commercial purposes. A number of players have expressed concerns over DPI as a potential invasion of privacy.”

Furthermore, Williams adds, “Operators will need to be very careful to ensure that any such use of DPI complies with both RIPA and the DPA.”

But despite some ISPs’ love of DPI to reduce piracy, it may not be the answer you seek. Data has to be protected. Today this means strong data encryption, audited access to confidential files and locked-down PCs. In such an environment, network security will still have a role.

Simmonds at the Jericho Forum believes the future of network security will involve packet-level network security. In other words, the network will understand what protocols are running, stopping anything it does not recognise. ■

Photo caption: Surveillance society: deep packet inspection – where data is monitored over the network – may intrude on people’s privacy

Systems on look-out duty

Patelco Credit Union has refined its intrusion protection systems and network access control capabilities to reduce the risk of ATM infection, writes Danny Bradbury

John Shields did not want to go through the same problem that his organisation experienced in 2003. The senior vice-president and chief technology officer at US-based Patelco Credit Union remembers the chaos that ensued when an employee brought an unauthorised laptop into one of his branch offices and plugged it into the network.

The worm that had been hiding on the hard drive spread rapidly to other machines on the network. The most visible sign of damage was that several automated teller machines (ATMs) in the company’s network of 46 branches became infected, bringing customer service to a standstill.

“The tech guys had to come out and totally reformat the systems,” he says. “Since then, the suppliers have learned a lot, and they put firewalls on the ATMs themselves, helping to make them more secure.”

Secure combination

Nevertheless, Shields has been looking for a combined network access control (NAC) and intrusion prevention system (IPS) ever since that would help to secure his countrywide network of branches and datacentres. The company recently upgraded to a newer version of CounterACT, an appliance from ForeScout that combines both functions, in a bid to better secure its systems.

The IPS capability in the CounterACT device complements the network access control capabilities in the appliance by blocking attacks based on an analysis of device intent. Called Active Response, it detects reconnaissance performed by self-propagating attacks and responds with doctored information. When the self-propagating attack tries to use this fake network reconnaissance data, the device takes it as proof of malicious intent, and blocks attackers before they gain access to the network.

Patelco has seen a rapid change in its use of IT. It did not have much in the way of computing technology when it was set up in 1936 and it had just $500 in assets. Today, the credit union has assets totalling $3.7bn and more than 290,000 members. It serves the employees of more than 1,000 businesses throughout California and the rest of the US.

With stakes so high, Shields learned from the 2003 incident, and took on ForeScout’s product to protect systems.

Too intrusive

After installing its original CounterACT appliances five years ago, Patelco had been using another product to try and assess the patch levels on machines that were plugged into the network, because this was difficult to do with the previous version of CounterACT. However, the other product was too intrusive and had caused some end-point devices to crash, says Shields.

“We have a lot of different products that we attach to our corporate assets, but we were looking for a solution that would detect something that was plugged in which wasn’t approved, and isolate those. This product worked really well for that,” he says.

If someone plugged their own laptop into the network at a branch location, the previous product may not have been able to detect it.

In addition to its IPS capabilities, the new version profiles all of the devices on the network, so there are no “unknown unknowns”.

Patelco has two main datacentres that monitor its 56 locations. The primary datacentre is located outside of Sacramento, California, with the back-up facility in San Francisco. The datacentres have two primary connections. One is an MPLS link that also connects to the various branch locations, and there is also a point-to-point 100Mbps link. Inside the datacentres, the firm uses mostly Windows Server 2003, although it is gradually moving to Windows Server 2008. It also runs HP-UX on a mainframe system.

Networking-wise, Patelco uses Cisco 6504 switches in the datacentres, which are used to divide the corporate network into virtual local area networks (VLANs), including a dedicated VLAN for voice over IP (VoIP) connections to the datacentres.

“We are a hub and spoke network, and all the branches have a connection to both the main datacentre, and to the back-up, via the MPLS network,” Shields says. The CounterACT IPS/NAC device hangs off the Cisco switches to monitor traffic.

“So if a branch were to access the internet, it would come back through the MPLS network and out again, and the device monitors whatever is going on,” he says.

Although the CounterACT appliance monitors the devices on Patelco’s VoIP network, the company controls access to the VoIP VLAN via the firewall, and it rarely takes action on that network because the VoIP system is heavily locked down, Shields says.

As for the rest of the network, the company largely operates a thin-client environment, but each branch has some “fat” Windows PCs. Shields estimates that each branch has 50 to 60 devices, including routers and printers. Overall, the devices watch about 2,500 devices on the network.

“The thin clients themselves we are not too worried about, and we have locked down most of the PCs,” he says. “The real danger to us is people bringing in their own laptops from home and plugging them into the network.”

Asset control

The appliances are used for asset control. The CounterACT switch notices when a new device connects to the network.

It looks to see if it is a domain computer. If not, it will check to see whether it is a workgroup machine and whether it can be logged into using workgroup passwords. If not, it is classified as unknown, and can then be put into a quarantined VLAN and granted limited access to the network.

Best practices for network security

Do not hand over total control until you are ready
• Even the most helpful devices can occasionally overstep their bounds, and intrusion prevention is a fine art.
• Include an element of manual intervention so that you can avoid false positives.

Refine your rules
• New threats emerge every day, using new exploit characteristics.
• Ensure that the rules in your intrusion protection system reflect the most up-to-date conditions online.

Complement IPS with network access control
• For maximum intelligence, you need to understand what is connecting, along with what traffic you are sending.
• Network access control capabilities can help you to avoid rogue machines connecting to the most sensitive parts of your network.

Route all your traffic centrally
• An intrusion protection system is only as good as your routing policy. If you let end-points punch out to the internet through undocumented, unmanaged routes, the system may not see their traffic.
• A hub and spoke network infrastructure ensures that your digital sentries see everything.

Use virtual LANs effectively
• Carve your network up into logical segments that can be used to compartmentalise your traffic.
• Keep low-latency, mission-critical services such as voice over Internet Protocol on their own virtual LANs, so that they will be untouched by traffic from other categories of device.
• Maintain quarantined virtual LANs that can be used to hold untrusted or suspicious traffic from devices that you do not know.
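The admission decision described under Asset control (domain computer, then workgroup machine with a valid workgroup login, otherwise unknown and into a quarantined VLAN), together with the sidebar's advice to keep manual intervention in the loop, as an added example. This is illustrative Python written for this guide, not ForeScout's CounterACT logic or Patelco's configuration; the VLAN numbers, MAC addresses, hostnames, the allow-list for devices that do not fit a category (the printers Shields mentions) and the monitor-only mode are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the NAC admission decision described in the article
# (example code, not ForeScout's). VLAN numbers are assumptions.
CORPORATE_VLAN = 10
WORKGROUP_VLAN = 20
QUARANTINE_VLAN = 999


@dataclass
class Device:
    mac: str
    hostname: str
    domain_joined: bool           # answered "yes" to the domain-membership probe
    workgroup_login_ok: bool      # accepted one of the known workgroup credentials
    kind: str = "pc"              # "pc", "printer", ... (informational only)


@dataclass
class Policy:
    # Allow-list for devices that never fit a category cleanly, keyed by MAC
    allowlist: dict = field(default_factory=dict)   # mac -> vlan
    # False positives made Patelco keep port-level blocking off; modelled as
    # enforce=False, which records the decision without touching the switch
    enforce: bool = False


def classify(dev, policy):
    """Return (verdict, vlan) for a newly seen device, in the article's order."""
    if dev.mac in policy.allowlist:
        return "allowlisted", policy.allowlist[dev.mac]
    if dev.domain_joined:
        return "domain", CORPORATE_VLAN
    if dev.workgroup_login_ok:
        return "workgroup", WORKGROUP_VLAN
    return "unknown", QUARANTINE_VLAN


def admit(dev, policy, switch_log):
    """Decide, and only in enforce mode act on the switch; always log the decision."""
    verdict, vlan = classify(dev, policy)
    action = "moved" if policy.enforce else "would-move"
    switch_log.append(f"{dev.mac} {dev.hostname!r} {verdict}: {action} to VLAN {vlan}")
    return verdict, vlan


# Constructed sample devices appearing on a branch switch (not real assets)
SAMPLE_DEVICES = [
    Device("00:11:22:33:44:01", "BR12-TELLER03", True, False),
    Device("00:11:22:33:44:02", "BR12-KIOSK", False, True),
    Device("00:11:22:33:44:03", "HOME-LAPTOP", False, False),
    Device("00:11:22:33:44:04", "BR12-PRINTER1", False, False, kind="printer"),
]

# The printer fails both probes, so it is allow-listed rather than quarantined
SAMPLE_POLICY = Policy(allowlist={"00:11:22:33:44:04": CORPORATE_VLAN}, enforce=False)


def run(devices=SAMPLE_DEVICES, policy=SAMPLE_POLICY):
    """Classify every device; returns ({mac: vlan}, switch log lines)."""
    log = []
    placement = {d.mac: admit(d, policy, log)[1] for d in devices}
    return placement, log


if __name__ == "__main__":
    for line in run()[1]:
        print(line)
```

With the sample policy the home laptop is the only device that ends up in the quarantine VLAN, and because enforcement is off every line in the log reads "would-move": the operator sees what the appliance would have done and can spot the printer-style false positive before turning port control on.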

In addition to identifying and isolating unauthorised computers, the system’s IPS facility monitors for suspicious traffic and is able to alert administrators to potential problems. Patelco also drills down to examine network traffic at the individual packet level to look for suspicious activity.

“The things we look for are devices that are trying to talk to multiple end-points,” Shields says. “It also detects SMTP requests, so we can categorise approved SMTP servers and issue alerts for devices not in that list that are trying to send SMTP traffic.”
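The two checks Shields describes, a device trying to talk to many endpoints and SMTP traffic from a host that is not an approved mail server, run over constructed flow records as an added example. This is detection logic written for this guide, not Patelco's data or ForeScout's code; the IP addresses, the approved-relay list, the time window and the fan-out threshold are assumptions.

```python
from collections import defaultdict

# Constructed flow records, one per connection attempt (not Patelco data):
# (timestamp_seconds, src_ip, dst_ip, dst_port, protocol)
SAMPLE_FLOWS = (
    # one host sweeping its own subnet on the Windows file-sharing port, the
    # footprint a self-propagating worm like the 2003 one leaves behind
    [(t, "10.12.0.21", f"10.12.0.{5 + t}", 445, "tcp") for t in range(12)]
    # an ordinary branch PC talking to a few servers
    + [(5, "10.12.0.30", "10.12.0.5", 445, "tcp"),
       (6, "10.12.0.30", "10.1.0.8", 443, "tcp"),
       (40, "10.12.0.30", "10.1.0.9", 80, "tcp")]
    # the sanctioned mail relay doing its job
    + [(10, "10.1.0.25", "203.0.113.9", 25, "tcp")]
    # a workstation sending mail straight to the internet
    + [(11, "10.12.0.44", "198.51.100.7", 25, "tcp"),
       (12, "10.12.0.44", "198.51.100.8", 25, "tcp")]
)

APPROVED_SMTP = {"10.1.0.25"}   # assumed list of approved mail servers


def fan_out_alerts(flows, window=60, threshold=10):
    """Alert once per source that reaches `threshold` distinct destinations
    within any `window` seconds. Both numbers are tuning knobs: set them too
    low and backup servers or monitoring hosts become the false positives the
    article warns about."""
    by_src = defaultdict(list)
    for ts, src, dst, _port, _proto in sorted(flows):
        by_src[src].append((ts, dst))
    alerts = []
    for src, events in by_src.items():
        recent = []
        for ts, dst in events:
            recent = [(t, d) for t, d in recent if ts - t <= window]
            recent.append((ts, dst))
            distinct = {d for _, d in recent}
            if len(distinct) >= threshold:
                alerts.append((src, ts, len(distinct)))
                break   # one alert per source; an operator follows up
    return alerts


def rogue_smtp_alerts(flows, approved=APPROVED_SMTP):
    """Every source sending to TCP/25 that is not an approved mail server."""
    return sorted({src for _ts, src, _dst, port, proto in flows
                   if proto == "tcp" and port == 25 and src not in approved})


def analyse(flows=SAMPLE_FLOWS):
    """Run both checks and return their findings keyed by check name."""
    return {"fan_out": fan_out_alerts(flows), "rogue_smtp": rogue_smtp_alerts(flows)}


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind, hits)
```

On the sample data the sweeping host trips the fan-out rule at its tenth distinct destination and the workstation sending direct to port 25 is the only rogue SMTP source; the branch PC and the approved relay stay quiet. Raising the threshold above the number of hosts the worm touched silences the first alert, which is the trade-off behind the sidebar's advice to refine rules rather than trust defaults.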

Although the company upgraded to the latest version of the CounterACT appliance in a single day, Shields says the deployment was not entirely without its issues. The company still faces some problems with false positives, he says, adding that his team has to create some whitelists to allow certain devices into the right VLAN. “We have some of those issues even with printers of ours that don’t fit the relevant category,” he says.

The false positives have made Shields wary of giving total control to the CounterACT system. Although ForeScout’s literature boasts that 100% of customers block their traffic automatically, he says he has not turned on the feature that can block a device based entirely on the switch port that it connects to.

“It can block machines at the port level. It talks to the ports that the machine is hooked into, so it can send a change to the switch and block that port completely,” he says. “However, we have not turned that on because we worry that there will be some legitimate traffic that it might block,” he says.

Similarly, Shields has to refine the system so that it does not cause unpatched devices to launch Windows Update automatically and update their patch status or anti-virus definitions. “We don’t want it to happen automatically on all devices,” he says.

Patch management

As with any mature IT operation, change management has to play a significant part in Patelco’s procedures. Some mission-critical devices cannot simply be updated with security patches automatically without being tested, in case it brings down the rest of the system.

ForeScout also lags behind Microsoft when it comes to maintaining a list of patches that should be issued for Windows systems, according to Shields. “ForeScout will update its appliance two weeks after Microsoft comes out with the latest patches,” he warns. “We would like to see that timeframe shrink a little bit.”

Since upgrading the CounterACT system, the biggest benefit for Patelco has been better asset management, Shields says. The latest version of the appliance, which has been installed at the back-up datacentre in addition to the primary site, detects the current operating system in addition to the patches that have been applied, enabling it to build up a sophisticated picture of the active end-points on its network.

The future

The credit union still needs to reach the point where the appliance can be relied on to automatically block types of traffic, such as an unauthorised computer, without some form of manual interaction. “We are still being tentative about that, because we do not want to block things that should be allowed,” says Shields.

But by gradually updating its appliances to newer versions with enhanced device recognition functions, and by iteratively refining its lists and trusting the CounterACT IPS capability to block more traffic without human interaction, Patelco is hardening its infrastructure.

As we have seen, that has a substantial effect on its customer service because the last thing a credit union wants to have to tell its members is that its cash machines are infected with a virus. ■

Diagram: Patelco Credit Union’s network

More online:
Report: The 11 security commandments: computerweekly.com/243872.htm
Analysis tool: Security software ROI calculator: computerweekly.com/245948.htm
Analyst report: Ovum – security trends to watch in 2011: computerweekly.com/245067.htm
How to tackle information access policy management: computerweekly.com/243839.htm


Tackling the threat of data raiders

Gartner analysts Greg Young and John Pescatore look at the capabilities and shortfalls of intrusion prevention systems

The network intrusion prevention system (IPS) market subsumed the intrusion detection system (IDS) market several years ago. IPS contains all the detection features of IDS, with two critical areas of improvement.

Intrusion prevention moves beyond simple attack signature detection to add vulnerability-based signatures and non-signature detection capabilities.

Network IPS sensors operate at wire speeds to enable in-line automated blocking and attack handling. Network IPS adds “block attacks and let everything else through” security enforcement to the “deny everything except that which is explicitly allowed” policy enforcement that first-generation firewalls provide.

Benefits of IPS

The primary driver for network IPS remains protecting the enterprise from network-based attacks that target system and software vulnerabilities. The primary placement point is at the internet edge, with secondary placements in branch offices, the datacentre and, less often, the internal network.

IPS is used as a “pre-patch shield” to provide positive protection from attacks seeking to exploit known vulnerabilities until patches have been deployed and verified. Most suppliers issue vulnerability-facing IPS signatures within 24 hours of patch release, which is invariably faster than an enterprise’s ability to patch systems in a measured manner.
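The difference between an attack signature and a vulnerability-based signature, and why the latter works as a pre-patch shield, as an added example that is not from Gartner or from any IPS supplier. It assumes a constructed text protocol with a "USER <name>" command and a hypothetical server that copies the name into a 64-byte buffer without checking its length; the signature names, the padding in the sample messages and the 64-byte limit are all invented for the illustration.

```python
import re

# Constructed protocol for this example: one text command, "USER <name>\r\n".
# Hypothetical flaw: the server copies <name> into a 64-byte buffer unchecked,
# so the vulnerable condition is simply "name longer than MAX_NAME bytes".
MAX_NAME = 64

# Attack-facing signature: matches the exact padding one published sample used
EXPLOIT_SIGNATURES = [
    ("EXPLOIT-USER-OVERFLOW-SAMPLE1", re.compile(rb"^USER A{65,}")),
]


def vuln_signature_user_overflow(message):
    """Vulnerability-facing signature: match the condition the patch fixes,
    not the bytes of any particular attack that triggers it."""
    m = re.match(rb"^USER ([^\r\n]*)\r\n", message)
    return m is not None and len(m.group(1)) > MAX_NAME


def inspect(message):
    """Return the names of every signature that fires on one message."""
    hits = [name for name, pat in EXPLOIT_SIGNATURES if pat.search(message)]
    if vuln_signature_user_overflow(message):
        hits.append("VULN-USER-OVERFLOW")
    return hits


def decide(message, mode="block"):
    """In-line IPS policy: block attacks, let everything else through.
    mode="detect" reproduces IDS behaviour, which only raises the alert."""
    hits = inspect(message)
    if hits and mode == "block":
        return "drop", hits
    return "forward", hits


# Constructed sample messages (none of them is real attack traffic)
SAMPLE_MESSAGES = {
    "legit": b"USER alice\r\n",
    "at_the_limit": b"USER " + b"x" * MAX_NAME + b"\r\n",   # exactly 64 bytes, allowed
    "known_sample": b"USER " + b"A" * 300 + b"\r\n",        # what the sample signature knows
    "variant": b"USER " + b"B" * 300 + b"\r\n",             # same flaw, different padding
}


def run(messages=SAMPLE_MESSAGES, mode="block"):
    """Verdict and firing signatures for every sample message."""
    return {name: decide(msg, mode) for name, msg in messages.items()}


if __name__ == "__main__":
    for name, (verdict, hits) in run().items():
        print(f"{name:13} {verdict:8} {hits}")
```

The attack-facing signature catches only the padding it was written for, so the trivially altered variant walks past it; the vulnerability-facing signature catches both because it tests the length condition itself, and it keeps doing so for as long as unpatched servers remain, which is why the article says IPS signatures never really go away. Checking that a 64-byte name is still forwarded is the false-positive test a practitioner would run before enabling any new signature in blocking mode.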

The reality is that not all vulnerable systems are patched, or new vulnerable systems join the network, and attackers continue to try to exploit vulnerabilities for which patches have long been available. For this reason, IPS signatures never really go away, and the ability of IPS products to maintain data throughput with large signature lists is critical.

The nature of the most damaging attacks on businesses continues to evolve. Financially motivated attacks do not simply go after unpatched PCs and servers; they are increasingly using targeted malware that does not seek to exploit vulnerable software. These targeted attacks – such as botnet-based attacks – use social engineering techniques to trick users into installing malicious software and then exploit systems from within the perimeter.

Changing threat

Dealing with this changing threat requires more than simple, signature-based detection. IPS suppliers have not made major advances in detecting and blocking these advanced attacks, sometimes called “arbitrary malware”. The challenge in combating arbitrary malware is in better handling the “grey list”, or suspicious traffic that is neither known good (whitelist) nor known bad (blacklist).

There have been some increases in zero-day attacks, which take advantage of computer security holes with, as yet, no fixes. Approaches to deal with zero-day vulnerabilities are less controversial lately, but their value must be kept in perspective because they are considered in few product selections.

The market for separate network IPS and firewall devices grew at 11.7% in 2008, although the rate of growth is flattening to half that seen in 2007. The absence of innovation by firewall suppliers in producing next-generation firewalls that include full IPS capabilities has produced upward pressure on the growth rate, while the increased market penetration of IPS is a larger downward pressure on the growth rate.

The economic downturn had some impact on IPS sales as many enterprises postponed refresh decisions. But a greater factor behind the slowdown in market growth is the lack of innovation by IPS suppliers in addressing new high-visibility threats.

Gartner observed an increase in US government purchases in the last quarter of 2008, tied to spending on the Comprehensive National Cybersecurity Initiative deployment of intrusion detection at federal agency internet connections.


Birth of a botnet: the case for IPS
1. Trojan is sent to corporate network, user opens file
2. Virus infects devices on the network, creating a botnet
3. Trojan writer sells botnet to criminals
4. Botnet is used for sending spam or denial of service attack


In the past 12 months, many suppliers have introduced 10Gbps IPS products. Sales of these products remain niche, and 10+Gbps models more often act instead as “growth insurance” for customers purchasing lower-throughput models. That is, they want assurance that should their needs change, there are higher-end models they can step into.

Signature quality

When enterprises compare products, signature quality remains the most weighted and competitive factor on shortlists. Most suppliers employ some form of external vulnerability research as an input to signature creation.

There is a widening gap in signature quality among suppliers. The staff and investments that leading IPS suppliers have assigned to signature research are generally greater than the competition. There are no shortcuts to signature quality, and vulnerability and malware research will continue to shape the market into tiers.

Customers seeking best-of-breed protection will shortlist based on high protection quality, which includes signature quality, as well as capabilities for detecting and stopping new threats. Those seeking “good enough” protection as a result of, for example, not having resources or the security profile to be able to enable new signatures quickly, will seek out the second tier of signature-quality products.

Investment in purpose-built hardware will continue to buoy performance under the immutable inspection pressure of new signatures being added to address new vulnerabilities, and older signatures staying in place to guard against older, yet still potent, attacks. Some suppliers have already “blinked” in the face of this competitive pressure and are vague about inspection throughput.

Suppliers to avoid

Enterprises are advised to avoid any supplier that does not provide third-party demonstration of appliance throughput rates with inspection enabled.

The creation of custom signatures by users is increasing slightly, although it is in place in less than 20% of deployments, mostly for custom applications or unusual protocols. Most of these enterprises seek assistance from their IPS suppliers in creating or troubleshooting these signatures.

Increasingly, selections will include correlation of alerts, including those from other safeguards, within the IPS itself. The use of source “reputation” inputs as part of the IPS blocking decision process will play a growing role. As part of this enterprise requirement to reduce the grey list, IPS events can be valuable in building confidence in the risk of other events, or vice versa.

Most suppliers include in their base pricing bypass unit modules which enable fail-open for copper ports, with bypass units for optical ports at an additional charge.

Recently, IPS purchases by Gartner customers have been from enterprises where there is neither an incumbent IPS nor IDS. These enterprises face the hurdle that deploying IPS is a new task for personnel, unlike migrations from IDS, where a task is replaced.

Infrastructure buying metrics such as port density, cost/port and physical appliance size are not generally seen as IPS selection criteria in enterprises. Rather, ease of deploying in-line and ease of administration are key criteria.

New capabilities

Most IPS products have rate-limiting capabilities. Some also have quality of service (QoS) that goes beyond respecting the external QoS tags and can prioritise bandwidth based on security criteria or protocol type.

IPS operating as a post-connect network access control (NAC) enforcement point remains niche, mostly because most NAC implementations have yet to enable enforcement.

Data loss prevention (DLP) in IPS also remains a niche requirement, as DLP is not a good fit for in-line IPS blocking. Only DLP suppliers that also have IPS products are likely to have some correlative or other interaction. Most DLP in IPS is limited to searching on credit card and social security numbers, bringing a high false-positive rate not seen in true DLP products. ■


This article is an excerpt from The Gartner Magic Quadrant for Network Intrusion Prevention by Greg Young, research vice-president, and John Pescatore, vice-president and research fellow at Gartner Research.

More online: How to tackle Enterprise Information Protection & Control

computerweekly.com/243826.htm

Report: Architecture for deperimeterisation of IT security

computerweekly.com/243567.htm

Opinion: Making a business case for network security

computerweekly.com/240745.htm

Information security – how to close the communication gap

computerweekly.com/243315.htm


A business case for network security

Penalties of up to £500,000 for breaching the Data Protection Act could increase the business value of security, says Bob Tarzey

Governments giving regulators the power to levy ever greater fines on organisations that fall short of requirements may not seem to be much cause for celebration. But UK-based IT security managers might find a silver lining in the Information Commissioner’s Office’s (ICO) newly granted powers to impose penalties of up to £500,000 for breaches of the Data Protection Act. It all comes down to the value proposition.

A total value proposition (TVP) should offset the cost of an investment by taking into account three factors – reduced business risk, reduced business cost and added business value. For an IT security manager trying to justify a given investment, the ICO’s new powers add weight to one part of the equation.

The problem for IT security managers is identifying what technology will best provide the additional protection that this new regulatory power motivates. The ICO is focused on the protection of personally identifiable information (PII) and this underlines the growing need to focus on protecting data itself rather than the network edge that has in the past been considered one of the most vulnerable points of an organisation’s IT infrastructure.

This is not to suggest that network security is no longer needed. Attacks on networks, such as hacking, denial of service and SQL injection, will continue. But, as Quocirca research shows (see graph below), confidence in the security of networks is reasonably high and many businesses have already mitigated these risks through the implementation of firewalls that allow or deny access to a network and intrusion detection/prevention systems that recognise and block malware attacks.

As many surveys point out, the biggest threat to corporate data comes from employee error or poor business processes, rather than network-based attacks. The most sought-after type of data is PII in the form of credit card information (see graph right), which often ends up in the public domain through these lapses.

To prevent the leakage of information, businesses must take better care of it, ensuring that they can recognise sensitive information, whether held in existing documents or created on the fly. It is then necessary to establish a link between people and data to enforce policies about what individuals can and cannot do with that information. Allowing the safe use of data, at rest or on the move, is the value part of the TVP.

Protecting PII requires three types of technology: data loss prevention (DLP), encryption, and end-point protection.

DLP protects the data used and created within an organisation and shared externally. The technology can recognise if data has already been labelled as sensitive or should be considered as such.

DLP tools have the capability to search and classify existing data. They also enable the definition of policy about who can do what with a type of data, for example: all credit card information must be encrypted for transmission; people in the finance department cannot e-mail spreadsheets externally; this document cannot be copied to a mobile device.
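Two DLP points in this guide can be illustrated with one piece of code: the Gartner excerpt’s observation that IPS-embedded DLP is usually limited to searching for card and social security numbers, with a high false-positive rate, and the three policy examples just listed (card data must be encrypted for transmission, the finance department may not e-mail spreadsheets externally, a labelled document may not be copied to a mobile device). The Python below is an added example written for this guide, not code from any DLP or IPS product mentioned here. It shows why a bare digit pattern over-matches, how a Luhn check removes most of those false positives, and how classification labels feed a small policy evaluator. The message format, department names, policy wording and the sample messages are all constructed for illustration.

```python
"""Added example (not from any product in this guide): content classification
and policy checks in the style of a DLP tool. Message fields, departments,
policy wording and sample messages are constructed for illustration."""
import re

# Candidate card number: 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SPREADSHEET_EXT = (".xls", ".xlsx", ".csv")


def luhn_valid(digits):
    """Luhn mod-10 check that genuine payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text, require_luhn=True):
    """Return card numbers found in text (digits only).

    require_luhn=False is the naive digit-pattern search the Gartner excerpt
    criticises: it also returns order IDs, ticket numbers and the like.
    """
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if require_luhn and not luhn_valid(digits):
            continue
        found.append(digits)
    return found


def classify(message):
    """Label a message from its content and attachments, keeping any labels
    a user or an earlier scan already applied."""
    labels = set(message.get("labels", ()))
    if find_card_numbers(message.get("body", "")):
        labels.add("payment-card")
    if any(n.lower().endswith(SPREADSHEET_EXT) for n in message.get("attachments", ())):
        labels.add("spreadsheet")
    return labels


def evaluate(message):
    """Apply the three example policies from the article and return the
    violations (an empty list means the action is allowed)."""
    labels = classify(message)
    external = not message.get("internal", False)
    violations = []
    if "payment-card" in labels and not message.get("encrypted", False):
        violations.append("card data must be encrypted for transmission")
    if message.get("sender_dept") == "finance" and external and "spreadsheet" in labels:
        violations.append("finance may not e-mail spreadsheets externally")
    if "no-mobile-copy" in labels and message.get("destination") == "mobile":
        violations.append("document may not be copied to a mobile device")
    return violations


# Constructed sample events; 4111 1111 1111 1111 is a widely used test number,
# and the ticket reference in m3 is a 16-digit run that fails the Luhn check.
SAMPLE_MESSAGES = [
    {"id": "m1", "sender_dept": "sales", "internal": False, "encrypted": False,
     "body": "Customer paid with card 4111 1111 1111 1111, exp 12/12", "attachments": []},
    {"id": "m2", "sender_dept": "finance", "internal": False, "encrypted": True,
     "body": "Q1 figures attached", "attachments": ["q1-forecast.xlsx"]},
    {"id": "m3", "sender_dept": "support", "internal": True, "encrypted": False,
     "body": "Ticket ref 1234 5678 9012 3456 closed", "attachments": []},
    {"id": "m4", "sender_dept": "legal", "internal": True, "encrypted": True,
     "body": "merger memo", "attachments": ["memo.docx"],
     "labels": ["no-mobile-copy"], "destination": "mobile"},
]


def scan_all(messages=SAMPLE_MESSAGES):
    """Map each message id to its list of policy violations."""
    return {m["id"]: evaluate(m) for m in messages}


if __name__ == "__main__":
    for mid, v in scan_all().items():
        print(mid, "ALLOW" if not v else "BLOCK: " + "; ".join(v))
```

Running the block flags m1, m2 and m4 and allows m3: the ticket reference in m3 matches the digit pattern but fails the Luhn check, which is exactly the class of false positive a number-pattern-only scanner would raise. A real DLP product adds context (field names, surrounding text, document fingerprints) on top of this, but the split between classification and policy is the same.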

Encryption is already widely used, but could be more so, especially to protect data at rest on end points – the laptops, smartphones and USB sticks that make employees more productive, but are often left in taxis and on trains. This is the most common way in which data leaks into the public domain through loss or theft.

In the UK, being able to demonstrate to the ICO that a stolen laptop was protected through full-disc encryption should be the difference between a large fine and no fine.

It is one thing encrypting data on user devices, but to remain productive employees need to decrypt it and get on with their job. The third technology – end-point protection – extends DLP to user devices, dictating what can and cannot be done with given types of data on them.

There are plenty of good reasons to protect PII, other than the worry about fines, and the technology recommended here provides plenty of benefits, other than protecting PII. When looking at a TVP for a security investment, fines and loss of reputation are becoming an ever bigger part of the price for lapses, but there is great value in sharing data safely if the risk of the wrong data getting into the wrong hands can be mitigated. ■

Data loss prevention protects the information used and created within an organisation and shared externally

Bob Tarzey is an analyst at Quocirca

More online: Cloud Security Issues: How to navigate the cloud securely

computerweekly.com/244071.htm

News: Cracked GSM security code could force upgrades

computerweekly.com/239794.htm

In-depth: Network security consolidation not only about cost

computerweekly.com/236921.htm

Opinion: Get a complete view of your network

computerweekly.com/231931.htm

[Graph: Most common causes of loss; categories: employee oversight, poor business process, manager approved, malicious, other. Source: Symantec Risk Assessment Findings 2008]

[Graph: Types of data compromised; categories: payment card information, sensitive company data, intellectual property, non-payment card information. Source: 7Safe UK Security Breach Report 2010]

[Graph: Confidence in data access control, scale from 1 (not confident) to 5 (very confident); categories: being transmitted, stored externally, on portable PCs, on USB devices, on mobiles. Source: Quocirca]


New tools for a new type of threat

Mark Ballard reports on two products that use intelligence and resilience to hunt down intruders on the network

Polymorphic malware is on the rise – Panda Security identified 25 million new strains of malware in 2009.

The permeable nature of perimeter network defences is now so widely recognised that even the US military admits it cannot secure its networks.

This admission of inadequacy has accompanied the emergence of networking companies that claim to address the challenge. But even conventional perimeter defenders have begun echoing the warning as they introduce solutions to the problem.

“We need to rethink the ‘guards, gates and guns’ approach to network protection,” Greg Day, McAfee’s director of security strategy, told a meeting of military defence analysts in March.

Since intruders are getting in, security suppliers are turning away from the perimeter and looking at the network to hunt them down.

In practice this means more sophisticated system scans, because polymorphic intruders do not adhere to threat signatures. It also means sharing threat intelligence and more stringent defence testing. In short, better intelligence and more resilience. Below we describe two relatively new products that aim to tackle the new threat landscape in network security.

Breaking Point

Breaking Point introduced its Elite device in 2007 on the premise that networks were not resilient because they were not stress-tested sufficiently.

The product delivers simulated malicious and benign application traffic at speeds of up to 20Gbps per Elite blade. Network and security suppliers such as Enterasys, Juniper, NetQos, and Stonesoft have begun using Elite to put products through their paces before they release them to market.

Elite has also been deployed by banks to test high-volume, high-risk customer systems. Dennis Cox, chief technology officer and co-founder of Breaking Point, says an online retailer might use Elite to test the search function on its website.

The device would ensure the search works even at peak times when, say, the bank’s servers were overloaded with encrypted credit card orders, and hordes of intrusion attempts were meanwhile being made on its network.

Other high-volume scenarios might involve a few million people visiting a website, or 1,000 pub-goers all trying to watch a football game on their mobiles at the same time.

The traffic itself consists of application-layer data, simulating 90 application protocols and 4,200 belligerents, including viruses, botnets and distributed denial of service attacks. Each blade can simulate 15 million simultaneous TCP sessions – 1.5 million per second. Traffic is sculpted to simulate various spreads of users: good, bad, housewives, office workers, using BlackBerries or laptops, sending e-mails or watching television, even with specific metadata and actions.

The software engine rests partly on a Netlogic XLR network processor of the sort used for the interception of network backbones by governments. Elite reverses its usual function, so it generates traffic instead of listening to it. The magic ingredient is the chip that sits alongside the XLR. It was designed by Breaking Point to generate malicious traffic. Cox calls it the “antithesis of a network processor”.

NetWitness

Before NetWitness introduced its network listening device to the open market in 2007, the product had been used exclusively by government agencies. The company’s Decoder probes are now used in sensitive and wealthy sectors such as finance and transport to do near real-time analysis of network traffic at 1Gbps. Probes are aggregated for fatter network pipes – up to 60Gbps in one instance.

The technology’s application for computer security extends beyond recording everything that travels through a network. Eddie Schwartz, chief security officer at NetWitness, says its power comes from the traffic index it generates on the fly.

NetWitness Decoders index at least 100 items of metadata for each data stream and dump them locally with the actual traffic on stores of up to 220Tbytes. They produce threat alerts by comparing traffic with aggregated threat reports and predefined rules such as sessions linking to competitors’ domains, or keywords used in internet relay chat.

Schwartz says he hooked up a Decoder for one customer (though no NetWitness customers will talk publicly) as a proof of concept and left it running overnight. By morning a leak of 65Mbytes had been exposed. It had been leaking like that for 12 months.

The Decoder stores are collated for retrospective analysis on other NetWitness devices so threats can be flushed out when alerts come from other sources. A security operator might, for example, search for all users who had accessed websites in Leeds in a given period.

Drilling down further, the operator could find all Leeds sessions that involved the transfer of an executable file. The files could be examined and the full session recreated either side of the incident so that the operator could see exactly what the user saw, what data was transferred, from where, to where, and with what consequences. ■
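The indexing, alerting and drill-down workflow described above can be sketched in code. The Python below is an added example, not NetWitness code and not a description of the Decoder’s internals: it builds an in-memory inverted index over constructed session-metadata records, applies two predefined rules of the kind the article names (sessions to a competitor domain, keywords in IRC traffic), runs the retrospective query from the article (all sessions to a given city in a period, then only those that transferred an executable), and totals outbound volume per user, which is how a standing leak like the 65Mbytes one shows up. The record fields, the competitor domain, the keyword list and every sample session are constructed for illustration.

```python
"""Added example (not NetWitness code): an in-memory index over session
metadata with rule-based alerts and retrospective drill-down. Record fields,
rules and all sample sessions are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    sid: int
    start: datetime
    user: str
    dst_host: str
    dst_city: str          # geolocation of the destination, as an index would record it
    service: str           # http, https, irc, smtp, ...
    bytes_out: int         # bytes sent from the inside host
    files: tuple = ()      # (filename, content type) pairs seen in the session
    chat: str = ""         # reassembled IRC text, if any


class SessionIndex:
    """Per-field inverted index: queries narrow by metadata before any payload is touched."""
    INDEXED = ("user", "dst_host", "dst_city", "service")

    def __init__(self):
        self.sessions = {}
        self.by_field = defaultdict(lambda: defaultdict(set))

    def add(self, s):
        self.sessions[s.sid] = s
        for key in self.INDEXED:
            self.by_field[key][getattr(s, key)].add(s.sid)
        for _name, ctype in s.files:
            self.by_field["content_type"][ctype].add(s.sid)

    def query(self, since=None, until=None, **where):
        """Sessions matching every field=value in `where`, started within [since, until)."""
        ids = set(self.sessions)
        for key, value in where.items():
            ids &= self.by_field[key].get(value, set())
        out = [self.sessions[i] for i in sorted(ids)]
        if since is not None:
            out = [s for s in out if s.start >= since]
        if until is not None:
            out = [s for s in out if s.start < until]
        return out


COMPETITOR_DOMAINS = ("rival-corp.example",)     # constructed
IRC_KEYWORDS = ("password", "dump", "exfil")     # constructed


def alerts_for(s):
    """Predefined rules of the kind the article mentions."""
    hits = []
    if any(s.dst_host == d or s.dst_host.endswith("." + d) for d in COMPETITOR_DOMAINS):
        hits.append("session to competitor domain")
    if s.service == "irc" and any(k in s.chat.lower() for k in IRC_KEYWORDS):
        hits.append("IRC keyword")
    return hits


def run_rules(index):
    """Map session id to the alerts it raised; sessions without alerts are omitted."""
    return {s.sid: hits for s in index.sessions.values() if (hits := alerts_for(s))}


def drill_down(index, city, since_iso, until_iso):
    """The article's retrospective query: session ids to `city` in the period,
    then only those that transferred an executable."""
    since, until = datetime.fromisoformat(since_iso), datetime.fromisoformat(until_iso)
    in_city = index.query(since=since, until=until, dst_city=city)
    with_exe = [s for s in in_city if any(ct == "application/x-dosexec" for _, ct in s.files)]
    return [s.sid for s in in_city], [s.sid for s in with_exe]


def bytes_out_by_user(index, since_iso, until_iso):
    """Outbound bytes per user in the period; a large standing figure is the
    kind of overnight leak the article describes."""
    since, until = datetime.fromisoformat(since_iso), datetime.fromisoformat(until_iso)
    totals = defaultdict(int)
    for s in index.query(since=since, until=until):
        totals[s.user] += s.bytes_out
    return dict(totals)


def build_index():
    """Constructed sample sessions; timestamps are ISO 8601 strings."""
    idx = SessionIndex()
    rows = [  # sid, start, user, dst_host, dst_city, service, bytes_out, files, chat
        (1, "2010-03-01T09:00", "alice", "shop.example.co.uk", "Leeds", "http", 4_000, (), ""),
        (2, "2010-03-01T23:15", "bob", "cdn.example.net", "Leeds", "http", 900,
         (("update.exe", "application/x-dosexec"),), ""),
        (3, "2010-03-02T02:00", "carol", "irc.example.org", "Amsterdam", "irc", 1_200, (),
         "can you dump the password file for me"),
        (4, "2010-03-03T11:00", "dave", "files.rival-corp.example", "Leeds", "https",
         68_000_000, (("setup.exe", "application/x-dosexec"),), ""),
    ]
    for sid, ts, *rest in rows:
        idx.add(Session(sid, datetime.fromisoformat(ts), *rest))
    return idx


if __name__ == "__main__":
    idx = build_index()
    print("alerts:", run_rules(idx))
    print("Leeds 1-2 March, all / with executable:", drill_down(idx, "Leeds", "2010-03-01", "2010-03-03"))
    print("bytes out per user:", bytes_out_by_user(idx, "2010-03-01", "2010-03-04"))
```

The point of the structure is that every question the article poses (which sessions went to competitors, who said what on IRC, who reached Leeds last week and then pulled down an executable, who is quietly sending a lot outbound) is answered from the metadata index first; the captured payload is only consulted once the candidate set is small enough for an operator to recreate the sessions either side of the incident.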

McAfee: “We need to rethink the ‘guards, gates and guns’ approach to network protection”


Stress test: Breaking Point’s Elite system


More online: Report: Identity management and federated identity

computerweekly.com/243828.htm

Think print, think security

computerweekly.com/242361.htm

Jericho Forum: How to establish end-point security

computerweekly.com/243819.htm

Network security consolidation is not only about cost

computerweekly.com/Articles/2009/07/16/236921/Network-security-consolidation-is-not-only-about-cost.htm