I’m at the HP Protect 2011 conference in Washington D.C. and there is a record number of attendees this year, up 60% from last year. While technologies such as adaptive application whitelisting provide the most effective defense on your endpoints, as Tom Reilly, VP and General Manager at HP, said in his keynote address, “no one is 100% secure.” In addition to implementing security controls in your organization, you need actionable intelligence to continuously monitor and react to activity on your network, and you need risk management tools to identify the areas that are most vulnerable or most likely to be attacked.
Most of the sessions here are focused on how to use ArcSight to build correlation rules that detect anomalous and high-risk activity, and how to incorporate network monitoring feeds (such as IDS/IPS solutions), user activity and web application logs into the monitoring process. Given that most security operations centers (SOCs) handle tens to hundreds of millions of events per day, it’s a daunting task. Quite frankly, the odds clearly favor the bad guys: it only takes one event going unnoticed for your customer lists or corporate intellectual property to be stolen.
While there are some great advancements being made in network monitoring and analytics, focusing exclusively on the wire leaves a gaping hole in your security visibility. By definition, suspicious activity can only be detected on the network while an attack is “in motion,” such as an incoming port scan or an outbound connection to a known command-and-control server or a suspicious geographic location. Today’s threat actors know this and go to great lengths to hide their activity in plain sight (piggybacking on common web traffic during peak hours) or to lie dormant for months waiting for the right time to exfiltrate. Malware on portable devices and remote workstations can wait until the compromised system is off the main network, out of the security analyst’s view, before making its outbound connections. In addition, detecting suspicious activity on the wire often requires knowing the IP addresses of the “bad” servers in advance, which is the same problem antivirus vendors face trying to keep malware signatures up to date as malware morphs by the minute.
But there is hope. The gap in security visibility can be filled with real-time intelligence from an endpoint sensor. According to one recent study, 99 percent of enterprises have a serious gap in their IT security defenses. Most advanced threats today have to establish a foothold on some endpoint to initiate an attack, and that is where application whitelisting comes in. The same technology that prevents the execution of unauthorized code can also report, in real time, all suspicious resource and file activity. In this sense, the whitelist is not just about what is allowed to run; it is a noise filter that reports only relevant events to the SOC.
To give a very simple example, consider a network event that reports an executable being transmitted over the wire. Your IDS or network monitoring solution fires this event when someone is trying to send malware into your network. Unfortunately, it also fires whenever a user downloads a legitimate program, Windows updates itself, or a hundred other “normal” conditions occur. In most organizations this event fires hundreds of thousands of times every day.

Without an endpoint sensor, you are left sifting through this deluge for clues: maybe the target machine will subsequently connect to a known bad remote server, maybe an unauthorized login attempt will be made on it. All of these things happen only if the payload was malicious and actually begins executing, and you are forced to guess in advance what a “bad” program might do that is worth trapping. With this limited view, finding the needle in the haystack is more art than science.

With a technology like Bit9’s adaptive application whitelisting running on your endpoints, you can instead make determinations based on actionable data. Did the file actually arrive on the target system in question? If so, was it already approved or authorized? Most executable code on the wire is good, and the whitelist filters it out automatically when it arrives on the endpoint. Only an unapproved file generates an audit event, and correlating that event with the network activity gives you true visibility into which bits of code seen on the network actually established a foothold and are suspicious. This is just one very simple example of basic correlation. More advanced examples include monitoring the entry vector (e.g. was the executable written to disk by Microsoft Office, which is highly suspicious in itself) and correlating with other event sources such as your firewall.
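The correlation just described, written out as an added example (this is illustrative code, not Bit9’s, ArcSight’s or HP’s, and the IDS and endpoint log formats, host addresses and hashes are all constructed for the demonstration). The rule keeps a network “executable transferred” event only when the endpoint sensor on the destination host reports the same file arriving shortly afterwards with an unapproved status, and it raises the severity when the writing process was an Office application, which is the entry-vector heuristic mentioned above.

```python
"""Correlate IDS 'executable on the wire' events with endpoint whitelist
audit events.  The endpoint sensor is the noise filter: a transfer becomes
an alert only if the file actually landed on the destination host AND the
whitelist reported it as unapproved.  All log lines below are constructed."""
from datetime import datetime, timedelta
import re

# Hypothetical IDS format (constructed; not any vendor's real output).
NETWORK_LOG = r"""
2011-09-12T09:01:05Z IDS EXE_TRANSFER src=203.0.113.7 dst=10.0.0.21 sha256=aaa111 name=setup.exe
2011-09-12T09:02:10Z IDS EXE_TRANSFER src=192.0.2.10 dst=10.0.0.22 sha256=bbb222 name=update.exe
2011-09-12T09:03:30Z IDS EXE_TRANSFER src=198.51.100.9 dst=10.0.0.23 sha256=ccc333 name=invoice.exe
2011-09-12T09:04:00Z IDS EXE_TRANSFER src=203.0.113.7 dst=10.0.0.24 sha256=ddd444 name=tool.exe
"""

# Hypothetical endpoint whitelist sensor format (constructed).  Note that
# host 10.0.0.24 never reports ddd444 arriving at all.
ENDPOINT_LOG = r"""
2011-09-12T09:01:07Z EP host=10.0.0.21 FILE_ARRIVED sha256=aaa111 path=C:\Users\alice\Downloads\setup.exe parent=chrome.exe status=approved
2011-09-12T09:02:12Z EP host=10.0.0.22 FILE_ARRIVED sha256=bbb222 path=C:\Windows\Temp\update.exe parent=svchost.exe status=approved
2011-09-12T09:03:33Z EP host=10.0.0.23 FILE_ARRIVED sha256=ccc333 path=C:\Users\bob\AppData\Local\Temp\invoice.exe parent=WINWORD.EXE status=unapproved
"""

NET_RE = re.compile(r"^(?P<ts>\S+) IDS EXE_TRANSFER src=(?P<src>\S+) dst=(?P<dst>\S+) "
                    r"sha256=(?P<sha256>\S+) name=(?P<name>\S+)$")
EP_RE = re.compile(r"^(?P<ts>\S+) EP host=(?P<host>\S+) FILE_ARRIVED sha256=(?P<sha256>\S+) "
                   r"path=(?P<path>\S+) parent=(?P<parent>\S+) status=(?P<status>approved|unapproved)$")

# Processes that should never be dropping executables on disk.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
# How long after the wire event we still consider an arrival to be the same file.
WINDOW = timedelta(minutes=5)


def parse(log, pattern):
    """Parse log lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def correlate(network_log, endpoint_log, window=WINDOW):
    """Return {'alerts': [...], 'stats': {...}} for the two log sources."""
    transfers = parse(network_log, NET_RE)
    arrivals = {}
    for e in parse(endpoint_log, EP_RE):
        arrivals.setdefault((e["host"], e["sha256"]), []).append(e)

    stats = {"transfers": len(transfers), "approved": 0, "no_arrival": 0, "alerts": 0}
    alerts = []
    for t in transfers:
        # Same destination host, same hash, landed within the window after the transfer.
        matches = [a for a in arrivals.get((t["dst"], t["sha256"]), [])
                   if timedelta(0) <= a["ts"] - t["ts"] <= window]
        if not matches:
            stats["no_arrival"] += 1   # seen on the wire but never landed: nothing to chase yet
            continue
        for a in matches:
            if a["status"] == "approved":
                stats["approved"] += 1  # whitelisted code, the normal case, dropped as noise
                continue
            # Unapproved code that actually established a foothold: escalate if an
            # Office process wrote it (entry-vector heuristic).
            severity = "high" if a["parent"].upper() in OFFICE_PARENTS else "medium"
            alerts.append({"ts": a["ts"].isoformat(), "host": a["host"], "src": t["src"],
                           "sha256": a["sha256"], "name": t["name"], "path": a["path"],
                           "parent": a["parent"], "severity": severity})
            stats["alerts"] += 1
    return {"alerts": alerts, "stats": stats}


if __name__ == "__main__":
    result = correlate(NETWORK_LOG, ENDPOINT_LOG)
    print(result["stats"])
    for alert in result["alerts"]:
        print(alert)
```

Run against the constructed data, four wire events collapse to a single alert: the two whitelisted downloads are dropped as noise, the transfer to 10.0.0.24 is parked because no endpoint ever reported the file landing, and only the unapproved invoice.exe written by WINWORD.EXE on 10.0.0.23 reaches the analyst, at high severity. The time window is the main tuning knob: too narrow and a slow write or clock skew between IDS and endpoint splits the pair, too wide and unrelated copies of a common hash start matching.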
I’ll be speaking at HP Protect later today about a pilot we ran at The Johns Hopkins University where we used this intelligence to filter millions of events a day down to a few dozen actionable security events. Tom Reilly is correct that improving security requires real-time intelligence and risk assessment. Sometimes more really is less: by augmenting the information fed into the security console with endpoint activity, you can effectively filter the noise and balance your odds against an attacker who only needs one successful penetration to cause irreparable harm.