Threats lurk within networks, endpoints and devices, often hidden in poorly configured settings or permissions, ineffective data governance, and weak access management and usage policies. These unseen threats come from every perimeter of the organisation, and major trends such as BYOD, big data, cloud, and mobile apps have increased the challenge faced by IT leaders.
According to a February 2013 report by industry research firm Ponemon Institute¹, data breaches have increased in both severity (54 percent) and frequency (52 percent) in the past two years. On average, it takes about 80 days for a data breach to be discovered and another four months for it to be resolved. Worryingly, one-third of all data breaches were never caught by the installed security software and hardware, suggesting the need for a deeper level of network security.
Firewalls and intrusion prevention systems (IPS) are now standard elements of a company’s network security architecture, but many may give businesses a misplaced peace of mind. Next-generation firewalls have revolutionised security, but they come in many guises and CIOs need to ask some searching questions.
To address the increasing threat businesses are facing today, it is important that an organisation’s network security is able to detect and defeat evasion techniques and has the ability to scan all traffic regardless of port or protocol, including SSL-encrypted traffic. A robust solution will also have access to a cloud database of malware variants that is continually updated.
All intrusion prevention systems are designed to prevent known attack traffic patterns from penetrating systems on the network. But there is an inherent problem with the technology: it can only block the attacks it sees and is already familiar with. Disguised code is a major problem, and it is possible to trick traditional IPS inspection engines into passing the traffic.
There are hundreds of types of encoding methods in use today, and new ones pop up regularly as attackers craft new evasions that can’t be detected by a traditional IPS. Complicating matters further, cyber-criminals also blend and mix the different techniques. Chaining them by using more than one evasion at a time makes it even more difficult for the IPS to uncover and block malicious traffic. There are about 200 known evasion techniques recognised by IPS products, according to Andrew Blyth, a professor in the Faculty of Computing, Engineering and Science at the University of South Wales, in an interview with Engineering and Technology magazine. When they’re chained together, they combine to create millions of unique evasions.
Businesses can achieve a deeper level of network security by adopting an IPS which uses anti-evasion, data-normalising techniques to uncover and block advanced evasion and obfuscation techniques before they can make it onto the network. This capability is critical to an effective IPS, since evasions that aren’t decoded and detected effectively render the IPS useless: the signature may be correct, but it is matched against data the engine never sees in its true form.
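The following is an added illustration of the normalisation step described above; it is example code written for this page, not code from the original article or from any vendor’s product. It models a tiny inspection engine in Python and contrasts a naive per-packet signature match with one that first reassembles the TCP-like stream and canonicalises the URL (percent-decoding, including double encoding, and collapsing of `\`, `/./` and repeated slashes). The signature, the segment boundaries and the request bytes are all constructed for the demonstration, and the function and constant names are the author’s own assumptions. The two evasions shown, stream segmentation and URL obfuscation, are two of the classes the article names; chaining them is what defeats the naive matcher.

```python
import re
from urllib.parse import unquote

# Constructed sample rule: the pattern the engine wants to match once the
# request is in canonical form (a textbook traversal string, used here only
# as an illustration of why decoding must precede matching).
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./\.\./etc/passwd")),
]


def reassemble(segments):
    """Order (seq, payload) segments by sequence number and join them.

    A per-packet inspector never sees the joined stream, so a pattern that
    straddles a segment boundary is invisible to it.
    """
    return b"".join(p for _, p in sorted(segments, key=lambda s: s[0]))


def normalise_url(raw):
    """Undo common URL obfuscation before matching.

    Repeated, bounded percent-decoding catches double encoding (%252e -> %2e
    -> '.'); backslashes become slashes; '/./' and runs of slashes collapse.
    """
    text = raw.decode("latin-1")
    for _ in range(3):  # bounded: stop as soon as decoding changes nothing
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.replace("\\", "/")
    text = re.sub(r"/\./", "/", text)
    text = re.sub(r"/{2,}", "/", text)
    return text


def naive_inspect(segments):
    """Signature-only inspection: each segment matched as-is, no decoding."""
    hits = []
    for _, payload in segments:
        text = payload.decode("latin-1")
        hits.extend(name for name, pat in SIGNATURES if pat.search(text))
    return hits


def normalising_inspect(segments):
    """Reassemble the stream, canonicalise it, then match the same rules."""
    text = normalise_url(reassemble(segments))
    return [name for name, pat in SIGNATURES if pat.search(text)]


# Constructed traffic. CHAINED_EVASION combines two evasions: the dots are
# percent-encoded and the request arrives in two out-of-order segments that
# split the encoded traversal in the middle.
CHAINED_EVASION = [
    (15, b"%2e/etc/passwd HTTP/1.1\r\n"),
    (0, b"GET /%2e%2e/%2e"),
]
DOUBLE_ENCODED = [(0, b"GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.1\r\n")]
BENIGN = [(0, b"GET /index.html HTTP/1.1\r\n")]

if __name__ == "__main__":
    for label, traffic in [("chained", CHAINED_EVASION),
                           ("double-encoded", DOUBLE_ENCODED),
                           ("benign", BENIGN)]:
        print(label, "naive:", naive_inspect(traffic),
              "normalising:", normalising_inspect(traffic))
```

Running the block shows the naive engine reporting nothing for either evasive sample while the normalising engine flags both and stays quiet on the benign request. The decoding loop is deliberately bounded and stops at a fixed point; an unbounded decoder is itself a resource-exhaustion risk, and a real engine also has to agree with the receiving server on how ambiguous encodings are interpreted, which is why the article stresses decoding accuracy and not just blocking.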
Although many vendors claim to have solutions to the evasion techniques that cybercriminals are using, choosing the right technology can be a challenge. Sometimes claims are just that — claims — and the IT department finds out too late that the security product it just bought doesn’t protect against new threats and evasion techniques. When picking security technology, be sure to look for products which are third-party certified as capable of blocking a wide variety of attacks, and in particular solutions that have demonstrated resistance to evasion methodologies.
A final but important consideration for achieving a deeper level of network security is scanning both inbound and outbound traffic, regardless of the ports and protocols. This is often overlooked, with traditional IPS solutions focusing only on what’s coming in from the outside. This is a serious chink in your armour, as it leaves companies vulnerable to attacks coming from other parts of the network. Scanning ingress traffic is great for keeping the bad guys from breaking into your network, but what if they are already inside, either physically or because you have compromised systems inside your network?
Today, organisations can get best-of-breed firewalls and best-in-class intrusion prevention systems without the need to manage separate appliances, GUIs and deployments. Consolidated solutions offer higher security, easier management thanks to fewer consoles and consolidated security data, lower TCO and more flexible deployment options. Just be sure that the network security solution you have opted for goes deep enough and scans traffic from inside as well as outside your organisation.
Dell’s SonicWALL SuperMassive E10800 SonicOS 6.0 achieved a 100 percent score two years in a row in NSS Labs’ testing for resistance to a variety of known evasion techniques, including IP fragmentation, TCP stream segmentation, RPC fragmentation, URL obfuscation, HTML evasion and FTP evasion. “Not only were the fragmented and obfuscated attacks blocked successfully, but all of them were also decoded accurately,” according to NSS Labs³.
There are added pressures on security systems and IT departments during the Christmas season, so opting for a solution which offers a deeper level of network security will stand businesses in good stead during this period, as well as throughout the year. Adding a threat intelligence service that analyses data from across thousands of global networks to identify new threats and develop countermeasures will offer additional peace of mind.