Attacks/Breaches
5/28/2013
05:31 PM

Signs Of A Shift To Intel-Driven Defense

Organizations such as AIG move away from operations-based to intelligence-driven security strategies, emerging technologies

The first two minutes of a cyberattack are crucial -- that's when the attacker sets up camp and downloads additional malware to dig in and establish a firm foothold in the victim organization's network. But traditional malware detection technologies typically can't keep up with a deadline that tight, and network and endpoint security systems are rarely in sync closely enough to catch it that quickly.

It's no wonder many organizations don't learn they've been breached for months or even years after the fact, as Verizon's new Data Breach Investigations Report shows, with close to 70 percent finding out from a third party that they've been hit. Some security vendors are taking a different tack and making the endpoint -- the typical initial target -- better able to detect and limit damage quickly, such as bot infiltrations, stolen data, or widespread malware infections, amid the new reality that attacks today are basically inevitable.

The newly announced integration of Bit9's endpoint security software with FireEye's and Palo Alto Networks' threat detection products is the latest example of a shift toward making the endpoint a key piece of the defense. Palo Alto Networks struck a similar deal with Mandiant earlier this year, and CounterTack in February rolled out what it calls a honeypot for the endpoint for catching and gleaning intelligence from attacks on client machines.

Security experts say security has been a siloed operation for too long, and any interoperation or integration among various vendors' products can help -- such as sharing information between the network and endpoint security tools. Not only that, but most large organizations have been focused on putting out fires rather than really understanding what attackers are after.

"If you have these advanced network defense tools and they don't have their own play on the endpoint, nothing can identify the target," says Scott Crawford, managing research director, security and risk management, at Enterprise Management Associates. "Why not engage what you have on the endpoint?"

Bit9's new Connector tool for FireEye and Palo Alto was the result of pressure from large customers who have products from all three vendors and were looking for better integration among the tools and better intelligence on attack attempts against them.

Brian Hazzard, vice president of product management for Bit9, says the new Bit9 Connector for FireEye and for Palo Alto Networks lets Bit9 identify the machines infected with the malware that the FireEye and Palo Alto tools find. "The vision was to combine network security with endpoint defense to help our common customers combat these [threats]," Hazzard says.

[Most organizations today aren't investing in the same kind of visibility and control over their endpoint devices as they spend on network-based controls. See Gathering More Security Data From Your Endpoints.]

Attackers increasingly have benefited from, and ultimately capitalized on, the way endpoint and network security have traditionally operated separately. "The reality is that we have gotten to the point where both network-based defense and endpoint defense need to evolve together. One without the other creates a gap where things can sneak through," says Wade Williamson, senior security analyst with Palo Alto Networks. "If you have perfect visibility into the network, you still need to correlate with what is going on at the endpoint."

Palo Alto and Mandiant in February announced that Mandiant's new appliance-based Security Operations product and endpoint agents would be integrated with Palo Alto Networks' next-generation firewalls and WildFire malware prevention service. "We'll be picking up the indicators of compromise, such as what changes are in the registry, and what files are created," Williamson says of the deal with Mandiant.

AIG Traps Attackers
Meanwhile, large enterprises are gradually shifting gears from operational security mode to intelligence-based security. Take insurance giant AIG, which is running a small but soon-to-be-expanded deployment of CounterTack Scout endpoint honeypots in its U.S. data centers. Paul de Graaff, the former global CISO for AIG, says a year-and-a-half ago, the concept of an intelligence model for security was "a foreign concept" and intelligence was all about SIEM.

AIG was looking for better visibility into threats and wanted to employ a more intelligent security architecture. "We came out of the financial crisis, and the security side, we started centralizing and visualizing a lot of the IT infrastructure, and it became apparent there were things happening to AIG and we didn't have as much visibility as we wanted," de Graaff says. "It was not so much targeted stuff -- we saw a lot of generic [threats]," he says.

"We were very operations-focused, so we moved more toward an intelligence-focused [approach]," he says. "Having to convince the IT organization we needed to deal with this more ... was a big sell. On the business side, to actually have honeypots sitting in our environment attracting [attackers] was a big thing. We're interested in what they are after -- source code or claims system," for example, he says.

AIG now can analyze a malware sample that hits the endpoint and discern what the attackers are after, de Graaff says. "We make that decision very quickly. We try to fence them in so they can't exfiltrate," he says.

The key selling point is that that kind of intel helps the company better plan its technology investments based on risk, he says. So far, the main threats AIG has found with the CounterTack endpoint honeypot are attackers searching for customer information, he says. But like many other big companies, AIG eventually will be the target of cyberspies as well, he says.

"You can't stop attackers from getting in. Once they do get in, there are so many things they can do," says Neal Creighton, CEO at CounterTack. "The attacker does all of the initial beachhead work in the first 120 seconds," so stopping them within that time frame is ideal for mitigating the damage and preventing theft of data, he says.

CounterTack's approach differs from Bit9's in that it is more about observing and analyzing the attacker's moves than blocking malware or other malicious activity. "It's like having a camera over the attacker's shoulder," Creighton says. "We're not doing a lot of blocking ... we're taking data and shifting it to analysis. It's designed to watch the attacker."

Bit9's Connector, by contrast, both analyzes the malware and blocks it. In the case of its integration with Palo Alto Networks, for instance, Bit9 grabs any suspect file from an endpoint or server and hands it to Palo Alto to analyze and, if necessary, block.

"When FireEye or Palo Alto catch malware on the network, they generate alerts," Bit9's Hazzard says. "We'll automatically enforce policy ... and drive detonation based on what we see on the endpoint."
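The join that such a connector performs -- a network sensor's verdict on a file hash becomes a list of endpoints that actually hold or ran that file, and that list drives an enforcement decision -- can be sketched in code. The following is an added example, not code from Bit9, FireEye, Palo Alto Networks, or any product named in this story; the hostnames, hashes, file paths, the 10-minute correlation window, and the policy names are assumptions made for illustration. It goes one step beyond the integration described above by also sweeping endpoint telemetry for hosts the network sensor never named, which is the case that network-only visibility misses.

```python
"""
Added example (hypothetical; not Bit9, FireEye or Palo Alto Networks code):
join network-side malware verdicts to endpoint file telemetry on SHA-256 so
that an alert about a download becomes a list of hosts that hold or ran the
file, plus an enforcement decision. Hostnames, hashes, paths, policy names
and the 10-minute window are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass(frozen=True)
class NetworkAlert:
    ts: datetime
    sha256: str
    dst_host: str   # host the network sensor saw downloading the file
    verdict: str    # "malicious" or "suspicious"


@dataclass(frozen=True)
class EndpointEvent:
    ts: datetime
    host: str
    sha256: str
    path: str
    action: str     # "write" or "execute"


def correlate(alerts, events, window=timedelta(minutes=10)):
    """Timed join: for each alerted hash, which hosts hold it, which ran it,
    which the network sensor never named, and what the endpoint should do."""
    alerts_by_hash = defaultdict(list)
    for a in alerts:
        alerts_by_hash[a.sha256].append(a)
    events_by_hash = defaultdict(list)
    for e in events:
        events_by_hash[e.sha256].append(e)

    results = {}
    for h, hash_alerts in alerts_by_hash.items():
        named = {a.dst_host for a in hash_alerts}
        verdict = ("malicious" if any(a.verdict == "malicious" for a in hash_alerts)
                   else "suspicious")
        # A sandbox verdict can lag the file write by minutes, so the window
        # is symmetric around each alert timestamp for this hash.
        matches = [e for e in events_by_hash[h]
                   if any(abs(e.ts - a.ts) <= window for a in hash_alerts)]
        present = {e.host for e in matches}
        executed = {e.host for e in matches if e.action == "execute"}
        if verdict == "malicious":
            policy = "ban_hash_and_isolate" if executed else "ban_hash"
        elif executed:
            policy = "detonate_in_sandbox"   # suspicious and already running
        else:
            policy = "monitor"
        results[h] = {
            "verdict": verdict,
            "present": present,
            "executed": executed,
            # copies that reached hosts by a path the sensor cannot see
            "unseen_by_network": present - named,
            "policy": policy,
        }
    return results


def sweep(events, hashes):
    """Retrospective hunt with no time window: every host whose endpoint
    telemetry ever recorded one of the given hashes."""
    hits = defaultdict(set)
    for e in events:
        if e.sha256 in hashes:
            hits[e.sha256].add(e.host)
    return dict(hits)


# --- constructed sample data (not real alerts or telemetry) --------------
T0 = datetime(2013, 5, 28, 15, 0, 0)
H_A = hashlib.sha256(b"constructed sample A").hexdigest()
H_B = hashlib.sha256(b"constructed sample B").hexdigest()

ALERTS = [
    NetworkAlert(T0, H_A, "ws-017", "malicious"),
    NetworkAlert(T0 + timedelta(minutes=3), H_B, "ws-042", "suspicious"),
]
EVENTS = [
    EndpointEvent(T0 + timedelta(seconds=20), "ws-017", H_A,
                  r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "write"),
    EndpointEvent(T0 + timedelta(seconds=45), "ws-017", H_A,
                  r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", "execute"),
    # same file copied host-to-host over SMB: never crossed the perimeter sensor
    EndpointEvent(T0 + timedelta(minutes=4), "ws-023", H_A,
                  r"C:\ProgramData\svc\invoice.exe", "write"),
    EndpointEvent(T0 + timedelta(minutes=5), "ws-042", H_B,
                  r"C:\Users\asmith\Downloads\setup.exe", "write"),
    # executed two hours later: outside the live window, found only by sweep()
    EndpointEvent(T0 + timedelta(hours=2), "ws-099", H_B,
                  r"C:\Users\bgray\Downloads\setup.exe", "execute"),
]

if __name__ == "__main__":
    for h, r in correlate(ALERTS, EVENTS).items():
        print(h[:12], r["verdict"], "present=%s executed=%s unseen=%s -> %s" % (
            sorted(r["present"]), sorted(r["executed"]),
            sorted(r["unseen_by_network"]), r["policy"]))
    print("sweep:", {k[:12]: sorted(v) for k, v in sweep(EVENTS, {H_B}).items()})
```

The point the sample data makes is the one Williamson and Hazzard describe: the network alert names ws-017, but the endpoint join also surfaces ws-023, which received the file over SMB and never touched the sensor, and the retrospective sweep catches ws-099 executing the suspicious sample long after the alert window closed. In a real deployment the hash join would be keyed on the sandbox's reported hash and the endpoint agent's file inventory, and the policy strings would map to whatever the endpoint product actually enforces.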

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
