– Scott Paly, co-founder and CEO for Global DataGuard (www.globaldataguard.com), says:
Throughout the first half of 2011, cyber criminals stunned the business community with unprecedented attacks on industries once thought impregnable. Despite a substantial increase in IT security spending this year – up 4.5 percent from 2010 according to a Morgan Stanley survey – spear-phishing campaigns, security flaws in SecurID tokens, and an increase in Advanced Persistent Threats (APT) have led to successfully executed attacks against companies like Sony, Citigroup, Lockheed Martin, Google, RSA and Epsilon, just to name a few. So, how are all of these breaches still possible?
The IT Security Challenge
The harsh reality is that many attacks can span hours, days, weeks and months because cybercriminals are intentionally spacing out reconnaissance activity to avoid detection. Since almost all security products do not retain and correlate suspicious traffic for more than a few minutes, they cannot detect a pending attack before a breach occurs.
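The retention-window point above, shown as an added example that is not from the article or the vendor's product: the same constructed connection log, in which one source probes a new port roughly every two days, is run through a sliding-window "distinct ports per source" check with a five-minute window and with a fourteen-day window. The event data, addresses and threshold are assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, source, destination, dst_port).
# 203.0.113.7 touches one new port every ~2 days; 198.51.100.2 is a
# legitimate client that reuses a single port.
SAMPLE_EVENTS = [
    (datetime(2011, 3, 1, 2, 10), "203.0.113.7", "10.0.0.5", 21),
    (datetime(2011, 3, 3, 4, 45), "203.0.113.7", "10.0.0.5", 22),
    (datetime(2011, 3, 5, 1, 30), "203.0.113.7", "10.0.0.5", 23),
    (datetime(2011, 3, 7, 3, 5), "203.0.113.7", "10.0.0.5", 80),
    (datetime(2011, 3, 9, 2, 50), "203.0.113.7", "10.0.0.5", 443),
    (datetime(2011, 3, 11, 0, 20), "203.0.113.7", "10.0.0.5", 3389),
    (datetime(2011, 3, 2, 9, 0), "198.51.100.2", "10.0.0.5", 443),
    (datetime(2011, 3, 8, 9, 0), "198.51.100.2", "10.0.0.5", 443),
]


def slow_scan_sources(events, window, threshold):
    """Return sources that touched >= threshold distinct ports on one host
    inside any sliding window of the given length. Events that fall out of
    the window are discarded, which is what a short retention period does."""
    flagged = set()
    history = defaultdict(list)  # (src, dst) -> [(ts, port), ...] still retained
    for ts, src, dst, port in sorted(events):
        key = (src, dst)
        history[key].append((ts, port))
        history[key] = [(t, p) for t, p in history[key] if ts - t <= window]
        if len({p for _, p in history[key]}) >= threshold:
            flagged.add(src)
    return flagged


def compare_windows(events, threshold=5):
    """Run the same detector with a minutes-scale and a days-scale window."""
    short = slow_scan_sources(events, timedelta(minutes=5), threshold)
    long_ = slow_scan_sources(events, timedelta(days=14), threshold)
    return short, long_
```

With the five-minute window every probe is evaluated on its own and nothing is flagged; with the fourteen-day window the fifth distinct port trips the threshold for 203.0.113.7 while the single-port client stays clean.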
Because most network security technology is reactive in nature and comprised of disparate applications and appliances, it’s virtually impossible to detect the reconnaissance activity leading up to a highly sophisticated “targeted attack” against an organization’s assets or track low-level activity over long periods of time inside the network that could indicate an APT. This tasks the corporate IT manager with the challenge of implementing a network security posture by cobbling together discrete security offerings. While these “best-of-breed” products focus on various critical aspects of network security, it leaves the IT department responsible for selecting, integrating, managing, monitoring and correlating discrete security events, alerts, logs and reports into actionable security threats.
Aside from the obvious “silo effect” of deploying discrete security appliances, it’s important to note that most network security technology relies heavily on “signature detection” to identify malicious traffic. Since security appliances are only able to load a meager 5% (roughly 1500) of currently available signatures, this leaves IT managers guessing as to which signatures to load. It also leaves the network 95% exposed to well-known attack methods – regardless of the analyst’s signature selection – and completely vulnerable to any new stealth attacks or persistent threats that have already bypassed these defenses.
Overcoming the ‘Silo’ Effect
So, how do IT managers proactively protect their networks against zero-day exploits, brute force attacks and APTs? An effective way is to deploy a behavioral-based unified security system that can adapt to evolving networks, track network resource traffic, and detect stealth, reconnaissance or previously unknown threats as well as other suspicious traffic that would indicate an APT.
Global DataGuard’s unified approach to security provides true subsystem integration of core security applications – network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities – within a multi-layered architecture that spans premise-based, cloud and hybrid network environments. Global DataGuard’s network behavior analysis and correlation capability can perform predictive analysis by retaining and correlating suspicious raw packet data for a rolling 14-30 days and signature alerts and behavioral profiles for six months or more to provide earlier warnings of security threats that other discrete products may not catch.
Further, Global DataGuard offers an enhanced Signature Selection feature that enables IT managers to automatically fine-tune signatures within their unique network environment. Configurable through the company’s unified management console’s tools menu, the signature selection capability utilizes Global DataGuard’s vulnerability scanning system in conjunction with an intrusion detection and prevention system to automatically match signatures to vulnerabilities and then load IDS/IPS detection rules that specifically look for network attacks on customer resources that they may be vulnerable to.
Global DataGuard’s passive intrusion detection and prevention device hosts a signature intrusion detection engine and an intelligent packet inspection and capture system that can analyze raw network packet data, then select and transfer suspicious packets to the network behavior analysis and correlation system for further behavioral analysis. It monitors and provides protection for network and customer-defined threats, potentially suspicious employee activity, evidence of malware, infections, and security policy and compliance violations.
With the new signature selection feature, any customer using a Global DataGuard vulnerability scanner has the ability to load IDS/IPS detection rules that specifically look for network attacks on potentially vulnerable resources. When a network vulnerability scan occurs and vulnerabilities are found on any scanned system, those vulnerabilities are automatically matched to existing Common Vulnerabilities and Exposures (CVE)-based signature rule sets for those exploits and then loaded into the intrusion detection and prevention system. It can also exclude any given signature rule set, as needed, if it relates to activity that a customer’s application requires in order to function. What this means for an IT security team is the ability to efficiently load and unload signature rule sets for customization of each network that is monitored. The Global DataGuard unified security system provides IT managers and their staff with easier deployment and management of their company’s network security ecosystem, as well as greater efficiency in labor and detection ability, while offering lower acquisition costs than discrete security solutions from multiple vendors.
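The scan-to-signature matching described above, as an added illustration that is not Global DataGuard's code: Snort-style rules carry `reference:cve,...` tags, so a rule is loaded when one of its CVE references appears in the scanner's findings for any host, and an operator-supplied exclusion list removes rule sets whose traffic is legitimate on that network. The rule text, host addresses and CVE identifiers below are constructed placeholders, not real vulnerabilities.

```python
import re

# Constructed Snort-style rules; the CVE ids are placeholders, not real entries.
SAMPLE_RULES = """
alert tcp any any -> $HOME_NET 445 (msg:"EXAMPLE smb overflow"; sid:900001; reference:cve,0000-1001;)
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE web rce"; sid:900002; reference:cve,0000-1002; reference:cve,0000-1003;)
alert udp any any -> $HOME_NET 161 (msg:"EXAMPLE snmp community"; sid:900003; reference:cve,0000-1004;)
alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh banner probe"; sid:900004;)
"""

# Constructed scanner output: host -> CVE ids the scanner reported.
SAMPLE_SCAN = {
    "10.0.0.5": ["CVE-0000-1001", "cve-0000-1004"],
    "10.0.0.9": ["CVE-0000-1002"],
}

SID_RE = re.compile(r"\bsid:(\d+);")
CVE_REF_RE = re.compile(r"reference:cve,(\d{4}-\d{4,});")


def normalise_cve(value):
    """Map '0000-1001', 'cve-0000-1001' and 'CVE-0000-1001' onto one key."""
    v = value.strip().upper()
    return v if v.startswith("CVE-") else "CVE-" + v


def parse_rules(text):
    """Return {sid: set(cve ids)} for every rule line that carries a sid."""
    rules = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            rules[int(m.group(1))] = {normalise_cve(c) for c in CVE_REF_RE.findall(line)}
    return rules


def select_rules(rule_text, scan_results, excluded_sids=()):
    """Return (sids to load, sids to unload): load rules whose CVE reference
    matches a finding on any scanned host, then drop operator exclusions."""
    found = {normalise_cve(c) for cves in scan_results.values() for c in cves}
    rules = parse_rules(rule_text)
    load = {sid for sid, cves in rules.items() if cves & found} - set(excluded_sids)
    return sorted(load), sorted(set(rules) - load)
```

Rules with no CVE reference (sid 900004 here) are never auto-selected by this matcher and would need an explicit operator decision, which is the caveat to keep in mind with purely vulnerability-driven selection.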