WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
How could you tell if someone had been acquitted of a crime or accused unjustly? What about people who had served their jail time and were no longer at large? And what about crimes where no one knew who was responsible? As a result, a sophisticated justice system evolved.
A similar thing is happening today in the enterprise. Anti-virus, long the cornerstone of security, has been struggling in recent years due primarily to an explosion in enterprise content.
"The Internet, messaging and the availability of web content have transformed the way employees conduct their everyday business activities," said Brian Burke, Research Manager at IDC's Security Management Group. "As a result, CIOs and IT management are increasingly looking for solutions to help enforce corporate policy, comply with privacy regulations, limit legal liability, increase employee productivity, and reduce network bandwidth consumption."
According to a study from IDC, the worldwide revenue for SCM software is forecast to increase to $6.2 billion in 2007 -- an 18.4% annual growth rate for the next five years. Eventually, this market will both encompass and dwarf the AV software market which currently boasts $1.67 billion in revenue.
The Melissa and ILoveYou attacks from a couple of yeas ago effectively changed the game. By opening an infected attachment, servers could be sabotaged and corporate networks compromised. As the number of viruses multiplied, AV vendors responded by issuing rapid updates to virus signatures. By then, however, the damage often was done.
AV, then, could be characterized as a reactive approach to security, much like wanted posters in the Wild West: Bad guy kills someone, wanted poster drawn up and distributed -- virus destroys files on thousands of corporate systems, new virus signature is posted and downloaded. Small comfort for the victims. And there is no guarantee that the same bad guy will come along with a mustache or different colored hair and strike again i.e. minor virus variants march right through existing defenses until the vendors discover the new strain and develop another batch of virus signatures.
The liabilities of AV-centric security were further exposed by a new wave of threats. No longer did a user have to open an attachment to expose the network. Now, infection takes place simply by being connected to a network. And to make matters worse, modern attacks take a blended approach -- they spread via email, downloads, Web page elements, and even shared folders.
"Recent network attacks, such as Code Red and Nimda, provide clear evidence that hackers and crackers are becoming much more sophisticated in their abilities," said Burke. "Blended threats are specifically designed to get past point-solution security products."
These days, attackers can covertly set up administrative accounts, overwrite files, export data, transmit viruses to other users in the address book, and overload email servers and networks by generating vast quantities of traffic. Klex and countless variants followed in 2003 by SoBig, Lirva, SQL Slammer and Yaha demonstrated just how effectively such threats can propagate within minutes. And watch out for the latest generation of destruction via viruses that utilize peer-to-peer networks, handhelds, cell phones and instant messaging.
This plethora of attack channels is akin to the guerilla tactics of the Apaches in the middle of the 19th century in response to the steady onslaught of European settlers heading west. A few scattered sheriffs, a couple of dispersed army units and well-armed frontier people struggled badly against well-disciplined Native American warriors. It took a full-fledged military campaign consisting on multiple elements and strategies to make large-scale population of the West possible.
Similarly, in the enterprise today, AV alone cannot deal with content security challenges such as blended virus threats, spam, adult content access, downloadable audio and video (which involve serious copyright liabilities), corporate confidentiality, and content code such as ActiveX and Java. The moronic Yes/No logic system employed in AV is inadequate in when exposed to sophisticated content.
For something as simple as email, for example, corporate AV products with built-in spam filters often block legitimate traffic. New clients in particular are typically labeled as spam or partners sending graphics files to the marketing department or PowerPoint presentations to PR.
Further, some purchasers and IT staff keep themselves on lists and receive large quantities of announcements and traffic from certain sources in order to keep on top of the latest developments and announcements in certain fields. Yet this traffic is typically labeled as spam.
When you factor in content code such as ActiveX and Java, AV-based products are on shaky ground. Many enterprise software systems utilized embedded active code for everyday b2b transactions. Embedded code is also used by some associations to grant members access to member-only portals. In such situations, you would have to call IT to change permissions to unblock such code.
Content, therefore, requires a new security approach and methods, one that both encompasses the strengths of existing AV technology and takes enterprise security to a higher plane.
"The best way to provide overall protection for a company's network is through an integrated approach utilizing layered security applications," said Burke. "As blended threats gain more harmful payloads, a layered approach will become even more critical."
While the established security leaders like Symantec and Network Associates appear to be making do with incremental add-ons to existing AV-based platforms, Computer Associates (CA) has adopted a different strategy, rebuilding its security platform around the SCM concept. As such, AV is but one element of a more comprehensive security platform.
The four pillars of SCM, then, are:
b) Email and content security
c) Web security
d) Malicious code
"Unlike AV where blocking is sufficient, content security requires a different thinking to address both business and security needs," said CA chief security strategist Ron Moritz.
Take email, for example. Instead of simplistic filters that block specific classes of traffic, smart filtering is required that uses multiple parameters to separate out valuable traffic from spam. Similarly with web security, what access should be permitted to enhance business productivity and what access should be blocked? Again, more intelligence is necessary in order to correctly label the office distractions from the sites offering value.
The need for smart filtering is quickly made apparent when you consider formats that tend to be less valuable such as MP3s. IT staff at Southern Wine and Spirits (SWS) of California, for example, needed to free up storage space and a brief search flagged a large amount of space absorbed by MP3s.
"We almost deleted a library of MP3s used by the marketing department in presentations," said Robert Madewell, director of networks at SWS. "We would have been in big trouble if we had just eliminated those files."
Unfortunately, many companies are not so lucky and delete or block a large amount of valid material. SCM tools help to correctly label business related content.
The first generation of SCM products are now beginning to appear on the market. Generally, they consist of the following features: Anti-virus; proactive identification to block only malicious code; smart filtering of spam and URLs; key word identification to safeguard against the transmission of proprietary and confidential information via email; and centralized management of all facets to bring simplicity to the task of security administration.
It remains to be seen, however, with SCM will eventually see an end to the Wild West days of enterprise security, or if the attackers will simply develop even more sophisticated ways of getting around organizational defenses.