Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
3/16/2015
10:45 AM
Bradon Rogers
Bradon Rogers
Partner Perspectives
50%
50%

Endpoints, Gateways, and Networks: Teamwork Is Better Than Lone Rangers

Security vendors have a common goal when it comes to protecting their customers from danger. What's missing is a common language and protocols for how and what to share.

In police work, multiple witnesses, pieces of evidence, and investigating officers are better than a lone detective and a smoking gun. They bring different perspectives to the problem, comparing and analyzing elements and pursuing leads until the crime is solved.

Unfortunately, cybersecurity today seems more like a bunch of individual crime fighters or private investigators. Beat cops are checking for malware at the endpoints. Security guards are checking the comings and goings at each entrance and exit. Detectives are interrogating suspicious characters in the sandbox. Secret agents are gathering intelligence on potential threats. Thankfully, society’s law enforcement officials don’t work in silos; they actively share facts and ideas. However, in the cyberworld, a lack of orchestration is unfortunately the norm.

We have seen the silo effects of policing in the real world, and these groups are trying harder to work together. They have the benefit of common goals, shared language, and evolving protocols on how and what to share. We need the same thing in cybersecurity.

For example, when a suspicious email arrives, the firewall security guard can see the source IP and MAC addresses, but the endpoint cop only sees it as coming from the safe harbor of the internal mail server. If the email has a known malicious link, the email gateway can block it, but it should also be equipped to share that info with other controls such as the Web gateway to protect anyone from following that link, should they get it from another source.

I am certain that security vendors have a common goal when it comes to protecting their customers from danger. What’s missing is a common language and protocols for how and what to share. Intel Security has a remedy for this in the form of a real-time security Data Exchange Layer. DXL is built to deliver an architecture with a common communications framework that can connect to existing and future systems from Intel Security and, most importantly, to other systems in the ecosystem. DXL can be centralized or decentralized, as appropriate to the individual security functions and the network structure.

How DXL Works

With DXL, the combined system of security technologies is equipped to continually share intelligence for optimal protection. In our email example, when suspicious or malicious activity is detected, awareness of which endpoints have clicked the malicious email links helps identify those impacted hosts. This information allows the environment to automatically quarantine those hosts and perform in-depth inspection to identify the relevant components of the infection and any further potential impact. With this understanding, the environment rapidly corrects the impacted infrastructure by performing such actions as killing malicious processes, cleaning registry entries, removing malicious files, and killing connectivity to command-and-control infrastructure. This process contains the initially visible aspects of the event. Next, analysts can leverage various indicators found in these exercises to look for other affected systems that could result from lateral movement and persistence.

To facilitate this analysis, the environment queries the historic analytics repository for any other event artifacts. Any findings can be scoped and remediated, preferably using policies and scripts. Finally, with these new learnings, the environment continuously hunts going forward, looking for variants or related impacts. Pertinent newly found intelligence is ultimately shared with the rest of the organizational controls via DXL. This form of automated intelligence sharing and active defense rarely exists in most organizations, yet most will agree it is necessary in today’s cyberfight.

As our industry has evolved, some security vendors have developed proprietary systems that connect their own parts together. However the challenge is that these systems may not have all of the components you need, or worse yet, they deliver a false sense of security with great reports and tons of information, yet very little actual integration into the security fabric of the organization for delivering an active defense framework. These barriers can no longer be permitted to stand if we are to combat modern attack complexity with the velocity and accuracy needed to win the battle.

In law enforcement, catching and stopping criminals does not happen effectively in isolation, by one individual, one precinct, or one organization. Instead, disparate law enforcement organizations and entities work closely together to effectively thwart the most advanced of criminal activities. In the world of cybersecurity, we must rapidly evolve from the bankrupt isolated approaches of the past if we are to deliver on the active defense measures that are necessary against today’s adversaries.

Bradon Rogers is the Senior Vice President of Product and Solution Marketing at Intel Security, and is a 14 year veteran in the security space. In this role, Bradon is responsible for worldwide go-to-market of the Intel Security product portfolio. In his prior role at Intel ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15208
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
CVE-2020-15209
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
CVE-2020-15210
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
CVE-2020-15211
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
CVE-2020-15212
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...