RSA: Securing the Network


At last week's RSA Conference, dozens of network hardware, software, and service providers exhibited wares and announced security offerings. Internet-borne crime, cloud service delivery, and compliance concerns continue to push network security onto center stage, forcing vendors to peer higher into the protocol stack and drill deeper into packets for greater visibility and control. In this roundup, we highlight a few announcements and demos that caught our attention at RSA 2011.

Cisco: Borderless Security Through Context Awareness

RSA is large enough to draw network infrastructure heavy hitters, from Cisco to Juniper, IBM to HP. For example, Security Technology VP Tom Gillis used his keynote to offer a glimpse into Cisco Systems' vision of the uber-connected future, where TrustSec-tagged traffic will enable appropriate handling, independent of location.

Dubbed SecureX, this framework represents an evolution of Cisco's "borderless networks" strategy which continues to rely on embedded security – based not only on packet/flow source/destination but now also this newly-added "context" (when and where available). The idea of context-aware policy enforcement sounds promising. But yet another proprietary solution that can really only reap benefits once traffic enters a homogeneous network seems, well, bounded.

McAfee: Pushing Anti-Malware into Silicon

During his keynote on driving security down the stack, McAfee CTO George Kurtz suggested reshaping defenses to better deal with contemporary threats. Kurtz told the audience that our protection models have to change. Being the sheep at the center of the herd is no longer enough to stop advanced persistent threats, he said.

Moreover, Kurtz warned that mobile and embedded devices are the new security frontier. "We literally ran out of IP4 addresses last week because there are so many of these devices out there now," he said. "Printers run embedded OS’s. Look at Stuxnet – those were air-gapped embedded systems. Ten million is the average number of lines of code in a modern automobile." To prove his point, Kurtz demonstrated a McAfee-crafted proof-of-concept trojan horse – an iPhone Flashlight app that surreptitiously connected to a command and control server to download Lua code, creating a remote control backdoor.

Countering such threats, said Kurtz, means migrating defenses from the application layer to the OS, from the OS to the hypervisor, and eventually into silicon. "Silicon [embedded security] would give us unprecedented visibility," said Kurtz. "If you can peer into the OS from below, you can see malware much easier." Kurtz also advocated white-listing on static systems like SCADA, medical devices, printers, smart meters, kiosks, and servers – reactive black-list signatures just can't keep up with the rising tide of malware, he argued.

Solera: Leveraging Integration to Reduce Time-to-Resolution

Back in the expo hall, we chatted with smaller vendors – many of whom specialize in just one or two segments of the overall network security market. For example, consider network forensics expert Solera Networks. Solera's line of DS Appliances hang from a network tap or span port, passively recording absolutely everything passing by (up to 10 Gbps) for later investigation and analysis. At RSA, we had a chance to watch the new Solera OS 5.0 in action.

Now in beta, slated for May release, OS 5.0 drills much deeper into recorded traffic, automatically classifying nearly 500 applications and over 5000 metadata attributes, indexed for rapid search and extraction. Using the DeepSee console, we quickly dialed into suspect flows, jumping right to Google Earth to visualize geographic relationships and readily eyeballing auto-reconstructed artifacts like PDF files and emails.

OS 5.0 also adds a Universal Connector plug-in to navigate right from security alerts generated by other-vendor products (e.g., firewalls, IPS, SIEM) into Solera-recorded details. In short, OS 5.0 should make forensic investigation faster and easier, speeding not only incident resolution, but spot-check verification of trusted traffic.

AppRiver: Combining Proxy Filters with DNS-Enforced Reputation

At RSA, we caught up with AppRiver CTO Joel Smith. This secure email and web cloud service provider recently announced an overhaul of their SecureSurf offering. "We designed SecureSurf to deal with web threats, but in our first pass we did it like everyone else – a full web proxy at the data center," said Smith. "But what we heard from customers was that approach was too intrusive, too slow – users felt it."

So AppRiver revamped SecureSurf to proxy only when needed, using DNS domain name blacklisting to fork suspect traffic to its data center proxy. "Our DNS look-up is fast and fully-transparent. We maintain our black-list using both internal sources [like AppRiver's spam filtering service] and third-party intelligence to avoid paradoxical blindness," said Smith. Admins can white-list domains, but SecureSurf stops end users from bypassing the service – for example, blocking URLs that contain IPs for black-listed domains.

Combining layered defenses is hardly novel. However, we found it refreshing to hear a provider not only acknowledge performance complaints, but respond by delivering a more transparent service that actually bolsters overall security.

ForeScout: Counter-Acting the Mobile Onslaught

RSA also provided a chance to sit down with ForeScout CEO Gord Boyce and VP Scott Gordon. ForeScout specializes in Network Access Control (NAC), using CounterACT appliances to enforce policies that determine who can use a given network and specified set of resources, and under what conditions.

CounterACT 6.3.4 ups the ante by finger-printing unknown mobile devices – iPads, Androids – and mapping them onto access policies. "We can watch a domain login to associate an iPhone with an [authorized] employee. Or we can hijack its browser to force the user to complete guest login," said Gordon. "This is available today, and requires no prior knowledge of the device and no agent software."

This agent-less approach can deliver visibility into what and who can access a network. But ForeScout is now working on mobile agents to enable integrity checking – that is, Endpoint Compliance, which ForeScout offers for laptops. It will be interesting to see whether NAC vendors like ForeScout end up partnering with Mobile Device Managers which are now sinking their hooks into iOS and Android. We hope to see integration not duplication – laptops already run too many agents; smartphones can't afford that fate.

Fortinet: Behavioral Baselining to Backstop Firewall Rules

Over at Fortinet's booth, we met with VP Patrick Bedwell and Senior Security Strategist Derek Manky to discuss FortiOS 4.0 MR3 enhancements. This OS powers FortiGate network security appliances; this quarter's release adds active profiling, flow-based inspection, and a firewall-embedded WLAN controller.

Flow-based inspection gives Fortinet customers a middle-ground between stateful packet inspection speed and application proxy depth. For example, a customer looking to enforce DLP rules will be able to spot patterns in egress packet flows, without having to run affected apps through proxies. This alternative improves performance, said Manky, by using less memory and leveraging hardware acceleration.

Better yet, customers will now be able to detect deviations from base-lined behavior more easily, because 4.0 will automatically profile traffic. By proactively documenting normal connectivity, bandwidth, and app/web usage, appliances can establish the context needed to spot sudden changes. "For example, we'll be able to see an authorized user doing an authorized thing, but from an unusual endpoint location," said Manky. This might block botnet C&C communication that otherwise slips through open ports.

Stonesoft: Battling Advanced Evasion Techniques

Behavioral analysis and IPS are tricky technologies, constantly striving to balance not just performance, but false positives versus false negatives. To that end, Stonesoft chose RSA to announce it had discovered 124 Advanced Evasion Techniques (AETs). According to Product Marketing Director Matt McKinley, Stonesoft supplied AET packet captures to the Computer Emergency Response Team (CERT-FI), responsible for the global vulnerability coordination effort.

"Most network IPS's are pretty good at spotting single evasions but we found that, if you mix multiple evasion techniques in the same packet, they get confused. We've tested all IPS products in Gartner's Magic Quadrant, and all are vulnerable to these Advanced Evasion Techniques," said McKinley. The deficiency appears to be in how security products attempt to normalize traffic for signature comparison and behavioral analysis.

"Some cases at least generated log entries [corresponding to AET receipt]. But others just got confused and let packets or fragments right through," he said. Affected vendors are still working on responses, but Stonesoft does not believe new signatures can defeat these AETs. "This really needs to be addressed by improvements in normalization. Particularly when deployed at the perimeter, maybe IPS needs to take a performance hit to optimize normalization," argued McKinley.

Ixia: Assessing Network and Cloud Vulnerabilities

Researchers that discover new vulnerabilities need powerful security test tools. While at RSA, we visited with IP network test system vendor Ixia to hear about their foray into very-large-scale network and cloud service vulnerability assessment.

Dubbed IxLoad-Attack, Ixia's newest product builds on roughly 6000 published vulnerabilities to generate malicious traffic at very high volumes to exploit security flaws. According to Senior Marketing Evangelist Dave Schneider, IxLoad-Attack uses stateful emulation to simulate not just individual exploits, but DDoS attacks on a city-scale, helping network equipment manufacturers and security product vendors to harden their wares.

However, traffic that enters or exits any cloud infrastructure – be that a large data center or a carrier's network – is increasingly encapsulated by secure tunnels. For example, IPsec is used extensively throughout 3G and LTE carrier networks; to harden such offerings, they must be subjected to simulated attacks in large numbers. To do so, IxLoad-Attack can be paired with IxLoad-IPsec, wrapping generated traffic inside IPsec or SSL/TLS wrappers as appropriate for a given test case. "Equipment manufacturers, service providers, and enterprises all need to test their solutions continuously to verify their security mechanisms are keeping pace with threats," said Schneider.

Lancope: Expanding Network Flow Visibility

Finally, we capped our RSA briefings by sitting down with Lancope Product Manager Joe Yeager to chat about StealthWatch 6.0. Lancope initially carved out a name in the Network Behavior Analysis (NBA) market, but then morphed into network performance through extensive use of NetFlow.

StealthWatch is a product suite that collects and analyzes flow data supplied by NetFlow- and sFlow-enabled network elements (e.g., routers, switches). From a security perspective, flow data can be used for forensic analysis, anomaly detection, or compliance auditing. Release 6.0 adds geographic awareness, identity awareness, and layer 7 awareness to flow-based behavioral analytics.

"Consumerization changes what you need to monitor for," said Yeager. "Today, you need to visualize what's happening inside your network, not just at the perimeter. [With 6.0], we can use relational flow maps to visualize data flows and relationships between sources and destinations – including application-specific buckets that drill down to see what composes a flow in real-time. For identity awareness, we can watch login/logoff traffic to map flows to ActiveDirectory user names." In short, these enhancements pull NetFlow up a notch, helping to answer those "who" and "what" questions that so often lie behind a security incident or unexpected bandwidth spike.

Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. A 29-year industry veteran, Lisa enjoys helping companies large and small to assess, mitigate, and prevent Internet security threats through sound policies, effective technologies, best practices, and user education.
