Double whammy

Ever-more sophisticated fraudsters and the expansion of cloud computing present a complex challenge to businesses. Tracking behaviour across the system could be the answer

The two biggest drivers behind the evolution of cybercrime are the growing sophistication and organisation of the criminals and the migration of computing into the cloud.

The former is typified by a criminal structure that mirrors legitimate commerce with freelance specialists, business organisers, markets and sales structures and which is capable of delivering subtle, complex, disguised and persistent attacks. Traditional security technologies, although still necessary, are no longer sufficient.

The latter is changing the nature of computing. Where once we stored data on our own servers, accessible solely via the desktop computers in our own offices, now we don’t even know where that data is stored. How do we protect something when we don’t know where it is nor who is able to access it? Traditional perimeter barrier defences will not work when there is no tangible perimeter.

Cyber scam or legitimate business?

We’re on the cusp of this new cloud computing; we are a mix of traditional and cloud, so we need technologies for both old and new. We still need the traditional barrier defences: anti-malware software and firewalls, and content scanners at the perimeter. But criminals have become expert at detecting new and unknown vulnerabilities that they can exploit and at getting under the radar of conventional defences.

And that’s the problem: if the perimeter barrier is breached, modern malware is adept at hiding itself inside the network. A new breed of technology is required, designed not simply to block at the perimeter, but to discover intruders on the network.

One solution is SIEM (security information and event management), a technology designed to collate, correlate and act on the information generated by otherwise disparate defences. Mel Shakir, chief technical officer at SIEM Company NitroSecurity, gives an example. “We work with a major life insurance company that had three separate departments independently monitoring their firewalls, database activity and applications,” he explains. “This made it difficult to see the big picture and determine which behaviours were symptoms of a larger threat. Now the security team has a single, integrated view via their NitroView SIEM, allowing quick detection and immediate reaction to new potential threats.”

But if a completely unknown attack is being used, traditional technologies have no way of recognising it: SIEM might give clues, but possibly not enough information.

Criminals have become expert at detecting new and unknown vulnerabilities that they can exploit and at getting under the radar of conventional defences

This has led to a new generation of products that detect anomalous behaviour rather than known malicious code. One such is FireEye. Founder and chief technical officer Ashar Aziz explains that his product “is able to discover, in real-time, malicious activity independent of whether it is coming from a known or unknown location on the web. And we’re able to provide very granular descriptors of that activity in terms of the protocols that are used to infect and the protocols that are used to communicate back to the cybercrime command and control servers.”

That sort of information not only pinpoints malware hitherto unknown, it allows it to be eliminated, and means law enforcement agencies can trace back and take out the source of the attack.

Another example comes from Guidance Software. Frank Coggrave, general manager of EMEA, explains the methodology: “We use various techniques to locate hidden malware. One is a whitelisting technique [only approved software is permitted to run]. We say ‘These are all the good things I know I should have’.

By scanning the network and seeing what shouldn’t be there, we can discover the bad things. Another method is to monitor the network traffic. If any particular node is doing more than it should, or is communicating via a port that it shouldn’t use, then we know there’s a problem.”

Some of the information comes from collaborating with other products, with specialist SIEMs and whitelisting products, and some they do themselves, he adds.

“But having recognised a problem and having pinned it to a particular machine, we then go into that machine underneath the operating system to find out what’s really going on. Zero-days [an attack exploiting weaknesses in a system no one knows about] have no hiding place. We know it’s there by anomalous behaviour and then we use deep forensic analysis to locate and eliminate the threat.”

But apart from new protection technologies for traditional computing, the shift to cloud computing and services is making companies rethink their security strategy.

Ed Macnair, head of user activity solutions company Overtis, believes that “if we can’t defend the data in the cloud, maybe we should take more effort to control the activity of people who can access that data”.

Another defence for data held in the cloud is encryption – it doesn’t matter who can access it if only authorised people can read it.

There are strong arguments for introducing these technologies into our cloud protections. But we should consider one further point. The security threats to the cloud are the same security threats we have always faced, just from a different perspective.

If user activity management and encryption are valid for cloud security, they are just as valid for traditional computing.

Kevin is a freelance writer and security blogger. He was the founder of ITsecurity.com.

Tags: ,