Future Blended Threats
By Simon Heron
On the face of it, the IT community is blessed with a competitive, customer-focused and responsive anti-malware industry offering 24-hour operations centres, updates and patches to quickly block any new viruses or attacks. And even accepting that handling these patches in-house can be a bit of a nightmare for customers, you can nonetheless say that this works reasonably well - can't you?
There is a problem with this view, and it stems from the tendency to put security protection into neat little compartments. Anti-virus updated - check - spyware protection in place - check - and when all the boxes are ticked you can relax and feel protected.
Except that threats don't always fit so neatly into well-defined packages. Blended threats are increasingly common, and need a holistic approach to block effectively. Blended threats use numerous ways of spreading, whether it's email, SQL, NetBIOS or whatever, and they require a blended defence to stop them.
One of the more uncomfortable facts that we, as an industry, need to face is that the revenues being generated from 'compartmentalised' anti-malware applications can amount to a powerful vested interest. Vendors are frequently providing protection solutions against single threats, or multiple solutions against multiple threats, and implying that customers are safe, when the real story is more complex.
In particular, the difference between viruses and spam grows ever smaller. Should phishing be classified as spam or as a virus? Is an email with links to offensive porn just spam, or should it be handled by your content filtering protection before it even gets to the user?
We've also seen virus writers using spamming techniques to speed the delivery of their viruses, and viruses used to create "zombie" PCs to help in spam distribution. The crux of the matter is that we don't want spam or viruses. If anti-virus and anti-spam protection is separated, some viruses and spam will fall between the two.
A well-configured firewall and up-to-date anti-virus protection can deal with many threats. However, if you have a service that you need to have open, such as HTTP, SQL or VoIP, then the firewall cannot work effectively, as this traffic must be let through.
In this case, the firewall and anti-virus are not enough. You now need to tie in intrusion detection/prevention (IDP) to prevent exploits like SQHell.
If you are running virtual private networks (VPNs), they need to be restricted and scanned in the same way that a physical port should be scanned and restricted. This means that VPNs should be integrated with a firewall, IDP, anti-spam and anti-virus.
As well as coping with these blended threats, linking together different aspects of security can improve overall performance. For example, anti-spam protection works better if it has access to a database of suspect URLs that it can filter for. By tying the anti-spam engine to a content filtering database like SurfControl, its effectiveness can be enhanced.
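As an added example (not from the original article or any vendor), the following Python sketch shows how a plain keyword-based spam scorer gains from consulting a suspect-URL database: the host list, keyword list, scoring weights and sample message are all constructed here and stand in for a real content-filtering feed.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed stand-in for a content-filtering URL database; a real deployment
# would query the vendor's feed instead.
SUSPECT_HOSTS = {"phish-example.test", "cheap-pills.example"}
# Crude keyword heuristics standing in for a conventional anti-spam engine.
SPAM_WORDS = {"viagra", "lottery", "winner", "unsubscribe"}
URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
SPAM_THRESHOLD = 3

def extract_hosts(text):
    """Return the set of host names linked from the message text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts

def host_is_suspect(host, db):
    """True if the host or any parent domain is in the suspect database."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in db for i in range(len(labels)))

def score_message(raw, db=SUSPECT_HOSTS):
    """Keyword hits score 1 each, suspect-URL hits 3 each; return (score, reasons)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    score, reasons = 0, []
    for word in sorted(SPAM_WORDS):
        if word in text:
            score += 1
            reasons.append("keyword:" + word)
    for host in sorted(extract_hosts(body)):
        if host_is_suspect(host, db):
            score += 3
            reasons.append("suspect-url:" + host)
    return score, reasons

def is_spam(raw, db=SUSPECT_HOSTS):
    return score_message(raw, db)[0] >= SPAM_THRESHOLD

# Constructed sample: no spam vocabulary, so keywords alone score 0, but the
# link lands in the suspect-URL database and the message is caught anyway.
SAMPLE_PHISH = """Subject: Please confirm your account details
From: support@bank.example
To: user@example.com

Your account will be suspended unless you verify it at
http://login.sub.phish-example.test/verify?id=42 within 24 hours.
"""
```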
Another headache for security firms has been the port-hopping capability of peer-to-peer applications like Kazaa. If you block the port that Kazaa is using, it can simply move to use another port. In practice, this makes it very difficult to stop by simply blocking ports.
On more sophisticated appliances, intrusion detection capabilities can specifically block peer-to-peer applications. But even without this capability, an intelligent use of a quality of service (QoS) capability as part of your network defences can provide an answer to the port-hopping problem. Instead of blocking Kazaa altogether, which it would recognise and port hop to bypass, the QoS can reduce the throughput to such a low level that the user no longer wants to use the peer-to-peer application - without triggering port hopping.
Finally, it's important not to overlook the fact that someone has to work out which anti-malware tools are best placed to counter the latest blended threat and to manage all of your security protection. By bringing together all the logging facilities of your firewall, IDP, email, content filtering and so on, reporting is clearer and fault finding is easier and quicker. It is also quicker and easier for signatures and defences to be updated and monitored.
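To illustrate the unified-logging point, here is an added example (not the author's or any vendor's code) that normalises constructed firewall, IDP and mail-gateway log lines into one schema and escalates only hosts on which two or more tools agree, the "zombie PC" pattern described earlier; the three log formats, field names and burst threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in three made-up appliance formats (fw, idp, mail).
SAMPLE_LOGS = """\
mail 2024-05-01T09:55:12 rcpt=192.0.2.10 verdict=virus name=W32.Example
idp 2024-05-01T09:58:40 src=192.0.2.10 sig="Mass-mailer beacon" sev=high
fw 2024-05-01T10:00:01 src=192.0.2.10 dst=198.51.100.5 dport=25 action=allow
fw 2024-05-01T10:00:02 src=192.0.2.10 dst=198.51.100.6 dport=25 action=allow
fw 2024-05-01T10:00:03 src=192.0.2.10 dst=198.51.100.7 dport=25 action=allow
fw 2024-05-01T10:00:09 src=192.0.2.20 dst=198.51.100.9 dport=443 action=allow
""".splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Normalise one line into {source, ts, host, fields}; None if unparseable."""
    parts = line.split(" ", 2)
    if len(parts) < 3 or parts[0] not in ("fw", "idp", "mail"):
        return None
    source, ts, rest = parts
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    host = fields.get("src") or fields.get("rcpt")  # the internal machine involved
    if host is None:
        return None
    return {"source": source, "ts": ts, "host": host, "fields": fields}

def correlate(lines, smtp_burst=3):
    """Return {host: [findings]} for hosts where two or more tools agree."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_host[event["host"]].append(event)
    report = {}
    for host, events in by_host.items():
        findings = []
        if any(e["source"] == "mail" and e["fields"].get("verdict") == "virus"
               for e in events):
            findings.append("mail:virus-delivered")
        if any(e["source"] == "idp" and e["fields"].get("sev") == "high"
               for e in events):
            findings.append("idp:high-severity")
        smtp = sum(1 for e in events
                   if e["source"] == "fw" and e["fields"].get("dport") == "25")
        if smtp >= smtp_burst:  # a mail client talks to one relay, a zombie to many
            findings.append(f"fw:outbound-smtp-burst({smtp})")
        if len(findings) >= 2:  # a single alert is noise; agreement is the signal
            report[host] = findings
    return report
```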
So, if a unified approach to protection is the answer, how can this be implemented? It almost goes without saying that the best place to put this protection is at the network gateway - blocking threats before they get onto the network provides the most reliable solution. That's not to say there is not an on-going role for protection at the desktop and server level, but it is to say that, for most networks, protection at this level should be the secondary and not the primary layer of defence.
Several vendors are now offering threat protection appliances that can provide the essentials of anti-virus, anti-spam, content filtering, IDP and VPN. The market has now matured to the point where such appliances can provide the same level of protection as stand-alone security components, without compromising on any particular aspect.