Cloud Security Services
Security in 2010
Looking back at last year, the number of breach incidents doubled from 2009 to 2010. We watched the attacks that led to Albert Gonzalez’s prosecution, saw some of the biggest application vulnerabilities of the year, and heard of the growing mobile threats we now face as your enterprise community becomes attached at the hip to the latest and greatest mobile devices.
Conficker is probably one of the best examples of a malware outbreak that got caught up in the media hype machine. Starting as far back as late-2008, Conficker began taking advantage of vulnerabilities in Microsoft’s operating systems. Once it takes over an infected computer, it turns itself into a botnet army-making machine that can easily be controlled by its authors.
Another example of the whole “militarization” phenomenon was Stuxnet. It is an excellent example of a piece of malware with global ramifications given its intent and purpose: to shut down SCADA systems entirely. This wasn’t the first time we’ve seen a hacker try to knock out an industrial power plant.
I can’t help but mention the recent Google Android attack (even though it’s not from 2010). More than 50 Android apps, credited to the developers Kingmall2010, we20090202 and Myournet, reportedly contained the DroidDream malware, which seeks to gain root access to the user’s device, collecting a range of available data and downloading more malicious code to the smartphone without the consumer’s knowledge or consent.
At the last Risk Management Summit in 2010 in London, Gartner presented that the worldwide security software revenue was to surpass $16.5 billion in 2010, an 11.3 percent increase from 2009 revenue of $14.8 billion. This isn’t a bad market size or growth rate.
Below is IDC’s view of the Top 20 security players by security focus, who make up the bulk of this market:
When looking at the security market for the pockets of hyper-growth, the most interesting segment has to do with managing threats across endpoints, messaging, the network, and on the web. Other core (but slightly less interesting) security categories include “Identity and Access Management” (IAM), and “Security and Vulnerability Management” (SVM), as defined by the IDC team of security analysts, led by Christian Christiansen.
Advanced Persistent Threats
There’s a hot discussion going on within the threat management category around Advanced Persistent Threats (APTs). An APT is an extremely stealthy attack; in many cases an organization is compromised and does not know it for several months. Once the APT breaks into a system, it is very sophisticated in what it does and how it works, and signature analysis will be ineffective in protecting against it. Advanced attacks are always changing, recompiling on the fly and using encryption to avoid detection.
“Persistent” in the APT definition is the key differentiator. The traditional (or standard) attackers will break in, look around, and immediately target the most valuable found assets. They actually figure that the faster they get in and out with the treasure, the more money and the less risk they face. By contrast, APT attackers are there to stay as long as they can.
The APT attackers aren’t trying to steal everything at once. Instead, they exploit dozens to hundreds of computers (Enrique Salem, President and CEO of Symantec, said in his keynote at RSA 2011 that 75% of the attacks they saw in 2010 targeted 50 computers or fewer, what he calls “micro-distribution” attacks). APTs involve logon accounts and email users, with the attackers searching for new data and ideas over an extended period of months and years. Their interests (and keyword searches) change from one day to the next, as if their “customers” had given them a shopping list.
APTs are professionally run attacks, managed just like legitimate corporations. On the other end of the spectrum, individual APT hackers appear to boast different specialties, whether it’s compromising particular types of servers and workstations, dumping passwords, placing back doors, collecting data, or loading remote-access Trojans. Their malware creations have evidence of development team breakouts with development forks, beta testing, and updates.
Treasure taken by APTs is different from that of the traditional attacker as well. Traditional attackers seek immediate financial gain. They will try to steal identities, transfer money to foreign bank accounts, and more. APT attackers, on the other hand, almost always take only information and leave money untouched. Their targets are corporate and product secrets, whether it be F-18 guidance system information, contract pricing, or the specs on the latest green refrigerator.
Protecting Against APTs on the Endpoint or the Network?
A question that is often brought up by customers, vendors, and analysts is, “what security functions belong on the endpoint and what security functions belong on the network?” While the answer is not as cut and dried as a listing of security functions grouped into these two categories, there are some key items to consider when a company devises and implements its endpoint and network security architecture.
Anti-virus (AV) is, and has been, most commonly deployed first on the endpoint (a laptop, desktop, server, etc.) for the following reasons:
- The intense processing and buffering required (e.g. large documents) make it very hard, if not infeasible, to do this at very high rates on one networking device that aggregates many users’ traffic. On the other hand having it distributed and done in smaller chunks (i.e. performed by each laptop/desktop or server for each user or application’s specific content) is more feasible.
- When an employee takes their computer home or on the road, and surfs the Internet, no networking device in your corporate network is going to help you stop viruses/etc. from getting on that system. Instead – you have to rely on endpoint AV and then access control solutions to help when users come back onto the corporate network.
- Encryption – many connections to third-party sites are encrypted via HTTPS and hence the best and only option is to scan on the endpoint.
This does not mean AV on a networking device is not needed. For many companies it makes sense to front mail servers (especially given the store-and-forward nature of email) with a robust dedicated email gateway that performs AV in addition to anti-spam, etc. on a networking device (see AppRiver, an MSP providing email hosting and security services).
For branch offices where you allow split streaming and cannot control which devices are using your network (contractors, guests, etc.), embedding AV in the branch device and using an access control solution makes sense, given the potential for viruses entering the network and especially since AV scanning at branch WAN connection speeds is very reasonable.
A case for both – The question of “network vs. endpoint security” also comes up when discussing remote access and LAN access solutions like SSL VPNs and Network Access Control (NAC). The key when choosing an access control solution is to allow for BOTH endpoint and real-time network security data (in addition to the “identity” and “location” of the end user) to affect the policy decision of “which users/roles get on my network, and with what level of access to applications/services”.
Juniper’s SSL VPN and UAC solutions give customers, in an open-standard way, the ability to check and evaluate the endpoint security state AND use real-time threat data from the network, as retrieved from IPSs, firewalls, AV network devices, etc., to provision access for users. By allowing for both, whether you have host-based IPS or network IPS (or both), whether the device is owned by an entity you do not control (partner, contractor, guest) or one you do (employee with a fixed laptop image), and so on, companies can now use ALL security data from both endpoint AND network to make the correct access decisions.
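The access decision described in the two paragraphs above, written out as a small policy evaluator. This is an added illustration, not Juniper's product code or any vendor's API; the Session and Endpoint fields, the access levels, the 15-minute alert window and the IPS events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Endpoint:
    managed: bool            # enterprise-owned image vs. partner/contractor/guest device
    av_running: bool         # endpoint AV agent present and running
    av_sig_age_days: int     # age of the AV signature set on the device
    host_ips: bool           # host-based IPS present on the device

@dataclass
class Session:
    user: str
    role: str                # "employee", "contractor" or "guest" (identity)
    location: str            # "corporate_lan" or "remote" (location)
    src_ip: str

# Constructed sample of real-time threat data a NAC would pull from network IPS/firewalls.
IPS_EVENTS = [
    {"ts": datetime(2011, 3, 1, 9, 2), "src_ip": "10.1.5.23", "severity": "high",
     "sig": "botnet C2 beacon"},
    {"ts": datetime(2011, 3, 1, 8, 10), "src_ip": "10.1.5.23", "severity": "low",
     "sig": "port scan"},
    {"ts": datetime(2011, 3, 1, 9, 5), "src_ip": "10.1.7.40", "severity": "medium",
     "sig": "suspicious SMB traffic"},
]
NOW = datetime(2011, 3, 1, 9, 10)   # constructed evaluation time

def recent_alerts(src_ip, events, now, window=timedelta(minutes=15)):
    """Network-side evidence: only alerts for this IP inside the time window count."""
    return [e for e in events if e["src_ip"] == src_ip and now - e["ts"] <= window]

def decide_access(session, endpoint, events, now):
    """Combine identity, location, endpoint posture and network threat data into one decision.
    Returns (access_level, reason). Network evidence of compromise wins over a clean posture."""
    alerts = recent_alerts(session.src_ip, events, now)
    if any(e["severity"] == "high" for e in alerts):
        return "quarantine", "network IPS reports active compromise"
    if session.role == "guest":
        return "internet_only", "guest identity"
    if not endpoint.av_running or endpoint.av_sig_age_days > 7:
        return "remediation", "endpoint posture check failed"
    if not endpoint.managed or session.role == "contractor":
        return "limited", "device not controlled by the enterprise"
    if alerts:
        return "limited", "recent non-critical network alerts for this host"
    if session.location == "remote" and not endpoint.host_ips:
        return "limited", "remote session without host IPS"
    return "full", "managed, compliant, no network alerts"
```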
Using the Cloud
The fastest growing method of deploying enterprise security is via the cloud – “Cloud Security Services” or “Security as a Service”. Many traditional security companies are simply adding new features to their existing offerings, or repositioning them to make a case that they compete in the Cloud Security segment. Several providers offer a turnkey suite of services that are all hosted. A few examples:
IPTrust – harvests, analyzes and classifies malware and botnet samples from over 5 million systems daily from around the world, to deliver the industry’s most accurate IP address reputation scoring.
Sourcefire’s Immunet – a secure centralized malware detection network that instantly connects users to the intelligent Immunet antimalware engines. All malware detection files and intelligence for blocking malware resides within the Immunet Cloud.
Zscaler – provides policy-based secure internet access for any employee, on any device, anywhere. Through pioneering innovations in its massively scalable cloud architecture, the Zscaler Security Cloud provides an ultra-low latency SaaS security solution that requires neither hardware nor software.
Webroot – email, Web and archiving internet security services for businesses, and antimalware, privacy and identity protection for consumers, all via the cloud.
Symantec Cloud – providing their protection products via the web, eliminating the need to manage hardware and software on site.
As shown by IDC below, SaaS-based (or Cloud-based) services have already exceeded many of the traditional hardware, on-premise software, or even virtual solution delivery models.
The reasons cloud security services are compelling include:
- There are no client applications – meaning that you don’t have to tailor your solution for every endpoint device and you don’t carry the burden of having your users constantly update those end devices.
- End device performance does not become a concern – there is no impact from having to run local security software.
- You can apply a uniform policy across the entire organization – by having a single source of security services, all devices must abide by a controlled set of consistent policies.
- A centralized reporting platform for IT and senior staff – you have a single view of the entire enterprise’s security state, which in many cases is half the battle.
- Zero latency in deployment – by having a global distribution network via cloud services, all of your organizations are covered quickly.
By centralizing the security software, you guarantee consistency, real-time visibility and ultimately real-time action on any threats in your organization. The enterprise also benefits from having the latest in security with a hosted service that is kept up to date, so that each IT group across geographical locations does not have to worry about what the latest detection/protection solution needs to be.