Security Intelligence Enters the Mainstream

November 19, 2012

Posted in: Network Security Trends

If you spend any time with the top banks and defense contractors you will have noticed a dramatic change in their approach to defending their networks from intrusions. Traditional security operations of vulnerability management, configuration management, and policy exceptions are being beefed up dramatically. New teams are being formed to counter the onslaught of highly targeted and sophisticated attacks.

My first inkling that something was changing was the job postings for malware researchers at banks. That was two years ago. Today, most cutting-edge IT security departments have several malware researchers. Why? Because malware is being written just for them, and their anti-virus products will never have signatures for these custom attacks.

In addition to dissecting malware, these new teams are engaged in security intelligence gathering. This involves studying the methodologies, tools, and delivery methods used by their adversaries. Even the acknowledgement that they have adversaries is new. The collected intelligence, called key indicators, is correlated so that separate attack campaigns can be identified. If a particular threat actor is after something, they will not stop just because their first attempt was thwarted. They modify their tools, switch which employee they are targeting, change the domain they attack from, and up their game.

A few of the major security vendors have recognized this trend and are starting to incorporate security intelligence into their products. FireEye deserves recognition for being one of the first. While their advanced malware protection, essentially an in-line sandbox that executes suspect code, was a first, they did not start to gain momentum until they introduced beaconing detection. Beaconing detection is the act of identifying the communication between an internal compromised host and its command and control server.
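The beaconing detection described above rests on a simple observation: a compromised host checks in with its command and control server at near-constant intervals, while ordinary user traffic does not. The following is an added example (not from this post or any vendor product) that applies that heuristic to constructed connection-log lines; the log format, the RFC 5737 test addresses, and the jitter threshold are all assumptions made here.

```python
# Added example: toy beaconing detector over constructed connection-log lines.
# A compromised host contacting its C2 server tends to connect at near-constant
# intervals; interactive browsing does not. Not from the post or any vendor.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: "timestamp src dst:port bytes" (RFC 5737 test addresses)
SAMPLE_LOG = """\
2012-11-19T09:00:00 10.0.0.5 203.0.113.7:443 512
2012-11-19T09:00:03 10.0.0.5 198.51.100.20:80 8800
2012-11-19T09:05:00 10.0.0.5 203.0.113.7:443 520
2012-11-19T09:07:41 10.0.0.5 198.51.100.20:80 1200
2012-11-19T09:10:01 10.0.0.5 203.0.113.7:443 515
2012-11-19T09:12:15 10.0.0.5 198.51.100.20:80 47000
2012-11-19T09:15:00 10.0.0.5 203.0.113.7:443 509
2012-11-19T09:20:00 10.0.0.5 203.0.113.7:443 511
2012-11-19T09:31:05 10.0.0.5 198.51.100.20:80 3300
"""

def parse_flows(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        ts, src, dst, _bytes = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beacons(text, min_connections=4, max_jitter=0.1):
    """Return {(src, dst): period_seconds} for pairs whose connection gaps
    are regular: coefficient of variation of the gaps <= max_jitter."""
    times = defaultdict(list)
    for ts, src, dst in parse_flows(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = round(period)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst} beacons every ~{period}s")
```

In the sample data only the 203.0.113.7:443 connections are flagged (every ~300 s); the irregular browsing to 198.51.100.20 is not, which is the separation a beaconing detector relies on.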

Trend Micro has been relatively quiet about the development of their Custom Defense product line. Their advanced sandbox technology, Deep Discovery, is available as an out-of-band gateway device (Deep Discovery Inspector) to scan all incoming traffic and as a stand-alone server (Deep Discovery Analyzer) to accept suspicious executables from email gateways and other sources. Unlike FireEye, Deep Discovery can host multiple custom versions of operating systems and application configurations.

Deep Discovery extracts actionable intelligence from malware and informs the other components of Custom Defense, so hostile IP addresses and URLs can be blocked. Custom Defense is integrated with Trend Micro’s Smart Protection Network (SPN), thus leveraging and contributing to intelligence from millions of sources. Leveraging a large install base is going to be one of the requirements for intelligence tools.

The security platform vendors are demonstrating their quick reaction times to changing market requirements. Two of them have introduced security intelligence components in recent weeks.

Sourcefire announced their Advanced Malware Protection capability this past week, which leverages what they call their collective security intelligence cloud. They use millions of fingerprints (hashes) of files to provide real-time inspection of executables at the gateway. They also have the unique ability to perform retroactive protection: if an unknown piece of code snuck past the defenses but is now known, they can identify it on the hosts. Sourcefire also provides real-time feeds of known malicious hosts and command and control servers so beaconing can be blocked.

Fortinet, the largest security platform vendor, introduced several security intelligence features in its just-announced FortiOS 5.0, including beaconing detection and in-line malware analysis.

Incorporating security intelligence is the latest trend in security products. So far these products are making it easier to operationalize advanced defenses against targeted attacks. The next step will be to classify events into campaigns and, beyond that, to associate the campaigns with known threat actors.
