FEATURE

January 2014 Network Security 11

sion, URL, Layer 7 application, etc. There is no limit to what it can be used to export – and individual vendors decide what they want to share. Even syslogs and Microsoft event logs can be converted and exported as IPFIX. When the amount of flows is too voluminous for any single collector, distributed collection systems can be deployed. This is a push technology, which means no polling and less overhead for the collection architecture.

By pointing the flows from all of the routers, switches and even servers back to the flow collector(s), we obtain a central repository of all communications in every corner of the network. The flows are then passed through algorithms which baseline and profile behaviours in an effort to start building up the threat indexes for suspicious hosts. Even when distributed collectors are employed, all events are reflected in a single view.

Threat detection with flows

Although flows don’t contain the entire packet, they do contain the details necessary to detect many types of threats such as network scanning, receiving ICMP redirects, participating in a denial of service attack and dozens of other unwanted behaviours.

Some vendors use flow data to profile normal behaviours on the network. Subsequently, when a host communicates in a way that departs from its past behaviour, this too leads to an increase in its unique threat index. Flows can also be used to detect banned applications such as Skype and BitTorrent. And the list of ways to use flow data to detect abnormal traffic is growing.

Unfortunately, network security has evolved to the point where we’re living with threats on the network. Traditional methods of detecting them still work, but relying on anti-virus, firewalls or an IDS that performs Deep Packet Inspection (DPI) and compares bit patterns to regularly updated malware libraries will not detect all threats. We have to focus on the loudest and most frequently recurring troublemakers, and to do this we need to leverage flow technologies that build threat indexes based on a series of unwanted events.

The threat index approach to threat detection is not infallible. Malware can, and will, slip past it; but, combined with existing single event detection mechanisms, the corporate defences against unauthorised data exfiltration are vastly improved.
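The baselining and threat-index approach described above, worked through as an added illustration (example code written for this page, not Plixer’s or Scrutinizer’s). It assumes flows have already been collected and decoded into records; the field subset, the event weights, the window length and the thresholds are assumptions, and the flow records are constructed sample data, not captured traffic:

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record (the subset of NetFlow/IPFIX fields used here)."""
    ts: int            # export time, seconds since the epoch
    src: str           # source address
    dst: str           # destination address
    proto: int         # IP protocol: 6 = TCP, 17 = UDP, 1 = ICMP
    dport: int         # destination port (0 for ICMP)
    packets: int
    icmp_type: int = -1   # ICMP type when proto == 1, otherwise -1


# Points added to a host's threat index per unwanted event (assumed weights).
WEIGHTS = {
    "port_scan": 20,
    "icmp_redirect": 10,
    "dos_participant": 30,
    "baseline_deviation": 2,
}


def build_baseline(training_flows):
    """Profile each host as the set of (destination, port) pairs it normally uses."""
    baseline = defaultdict(set)
    for f in training_flows:
        if f.proto in (6, 17):
            baseline[f.src].add((f.dst, f.dport))
    return baseline


def detect_events(flows, baseline, window=60, scan_threshold=15, dos_threshold=100):
    """Return (host, event_type) pairs for the unwanted behaviours named in the text."""
    events = []
    per_host_window = defaultdict(list)
    for f in flows:
        per_host_window[(f.src, f.ts // window)].append(f)
        # An ICMP redirect (type 5) counts against the host that *received* it.
        if f.proto == 1 and f.icmp_type == 5:
            events.append((f.dst, "icmp_redirect"))

    for (src, _), bucket in per_host_window.items():
        tcp_udp = [f for f in bucket if f.proto in (6, 17)]
        targets = {(f.dst, f.dport) for f in tcp_udp}
        # Scanning: many distinct destination/port pairs inside one window.
        if len(targets) >= scan_threshold:
            events.append((src, "port_scan"))
        # DoS participation: a burst of flows towards a single destination.
        flows_per_dst = defaultdict(int)
        for f in tcp_udp:
            flows_per_dst[f.dst] += 1
        if flows_per_dst and max(flows_per_dst.values()) >= dos_threshold:
            events.append((src, "dos_participant"))
        # Deviation: each pair never seen during the baseline period.
        for _ in targets - baseline.get(src, set()):
            events.append((src, "baseline_deviation"))
    return events


def threat_index(events):
    """Sum the weights per host, highest first: repeat offenders rise to the top."""
    index = defaultdict(int)
    for host, kind in events:
        index[host] += WEIGHTS[kind]
    return dict(sorted(index.items(), key=lambda item: -item[1]))


# Constructed sample flows (not captured traffic).
TRAINING = (
    [Flow(900 + i, "10.0.0.5", "10.0.0.10", 6, 443, 12) for i in range(5)]
    + [Flow(900 + i, "10.0.0.7", "10.0.0.11", 17, 53, 2) for i in range(5)]
)
MONITORED = (
    [Flow(1000 + i, "10.0.0.5", "10.0.0.10", 6, 443, 15) for i in range(3)]
    # 10.0.0.23 touches 20 different ports on one host within a single window ...
    + [Flow(1000 + i, "10.0.0.23", "10.0.0.10", 6, port, 1) for i, port in enumerate(range(1, 21))]
    # ... and is sent an ICMP redirect by the gateway.
    + [Flow(1010, "10.0.0.1", "10.0.0.23", 1, 0, 1, icmp_type=5)]
    # 10.0.0.7 contacts one destination/port it never used during training.
    + [Flow(1005, "10.0.0.7", "10.0.0.12", 6, 8080, 4)]
)


def run_demo():
    """Baseline on TRAINING, score MONITORED; returns {host: threat index}."""
    return threat_index(detect_events(MONITORED, build_baseline(TRAINING)))


if __name__ == "__main__":
    for host, score in run_demo().items():
        print(f"{host:12} threat index {score}")
```

A single new destination earns a host only a couple of points, which is the point of the index: one odd flow is not an alarm, but the scanning host accumulates a port-scan hit, twenty deviations and a received redirect in one window, and so ends up far ahead of everyone else.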

About the author

Michael Patterson is CEO of Plixer International (www.plixer.com), providers of Scrutinizer NetFlow-based network traffic monitoring and threat detection technology. He is a nationally recognised flow technology expert and the author of ‘Unleashing the Power of NetFlow and IPFIX’.

Interview: Corey Nachreiner, WatchGuard – security visibility

Steve Mansfield-Devine, editor, Network Security

Do we really know what’s going on in our networks? There is plenty of information, not least in the logs, but making sense of it has always been a struggle. Perhaps 2014 is the year all that could change.

The end of one year and the start of another has always been a time for predictions. Certainly, security vendors and pundits show little restraint in issuing proclamations of what the next 12 months holds in store for us all. Such soothsaying rarely rises above the obvious or mundane – much of it boils down to ‘more of the same’ – and in an industry where Fear, Uncertainty and Doubt (FUD) are standard marketing materials, it’s not surprising that security vendors tend towards doom and gloom in their predictions.

However, among the flood of press releases and blog posts, one stood out. Corey Nachreiner, director of security strategy at WatchGuard Technologies, picked up on one potential development not mentioned by the others, perhaps because it offers a positive outlook.

Security pendulum

Network Security (NS): You say that 2014 is going to be the year of security visibility. What do you mean by that?

Corey Nachreiner (CN): “Well, I think three things are going on in the security industry right now, and I kind of agree with you – a lot of predictions, my predictions even, sound like doom and gloom. Really, information security is a pendulum that’s kind of swinging back and forth between the attackers winning and us winning. Over the last two years, I feel strongly that the pendulum was on the attackers’ side. They’ve been, for lack of better words, kicking our butts. I think some of the problem is, we’ve been kind of relying on security technologies to protect us against everything, but information security is more than just a technological problem. It’s a user problem, it’s a human problem. As you know, I’m sure, there’s lots of ways advanced attackers get in that may not have anything to do with flaws; it may have more to do with social engineering.


“So there’s really three things going on. One, businesses are relying on old defences. They think a stateful packet firewall is going to block modern attacks, when really modern attacks are happening in the traffic we allow every day, mainly web traffic. A second issue is that they put a firewall, or a security appliance of some sort, or any security software into their network, and they kind of just put it there and forget it, thinking it’s protecting them, but they may not have configured it right. They may not be adjusting the policies for their business needs. In fact, Gartner says 95% of firewall breaches are due to misconfiguration. And a report I love to follow is from the Verizon risk team. They do an annual data breach report, and they too say, at this point, 98% of breaches were preventable by simple or intermediate controls, security things, that these organisations had, but just didn’t configure properly.

“I think that the real problem that IT and security people are suffering from is, they have these devices, they put them in and forget about them, and the devices are probably generating thousands and thousands of pages of logs. There’s really oceans of logs. If you look at your intrusion prevention system, your firewall, your network routers … if your security device does authentication, anti-virus, there’s tons and tons of logs and detailed information there, but really that ocean of data is half the problem. When you have 20,000 logs being generated a day, how do you find that one important security event that might be an advanced attack coming into your network?

“So that is really why I think this year we’re going to see that people have decent security controls – if you have modern, unified threat management devices, or next-generation firewalls, or you have a combination of layers like intrusion prevention, anti-virus firewalls, URL reputation capabilities, command and control detection capabilities – if you have all this stuff, you have the right protection. The problem is getting it set up with the policies that will definitely protect you, and then being able to identify and respond to incidents as they happen. So that’s why, this year, we believe it’s going to be the year of security visibility, where you’re going to see the security industry put a lot of focus on creating visual tools that help you identify events.”

Visibility in action

NS: Can you give an example of how that might work in practice?


CN: “You might have a case where your IPS system is probably going off all day. There’s some pretty regular automated attacks that might hit your network every day. Those may not be that interesting to you, because these are attacks being blocked by your IPS, and they’re just automated attacks, they’re kind of Internet background noise at this point. But if you suddenly see a particular IPS trigger from a certain source, and right after that, you see a couple of AV triggers going off from that same source, and then, maybe 10 minutes later, you start to see a user trying to authenticate from the computer that was affected, and failing a couple of times, now that is an incident. Now you realise this isn’t just an intrusion that has been blocked – this is some sort of incident happening in my network right now, and it’s not until you start to correlate all these different security controls that you can really start to find that.

“It’s not until you have the visualisation tools, that you can find that thimbleful of useful information in all the oceans of data. So I really think there’s a lot of great security tools out there, that can catch even the most advanced attacks nowadays. At this point, I think what we need is better analytics in security, better tools to help us identify issues that our devices are probably finding every day, and start to do more than, just tell us about them – start to correlate some of those events, start to relate it to the users in our networks, so that we can go and proactively clean up.”
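The incident chain Nachreiner describes (an IPS trigger from a source, AV triggers from the same source against the same machine, then repeated failed logins from that machine a few minutes later) written out as a small correlation over sample log lines. This is an added example, not WatchGuard’s code or log format: the key=value syslog-style layout, the device names, the 30-minute window and the two-failure threshold are all assumptions, and the log lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value, syslog-like layout
# (illustrative only; this is not WatchGuard's log format).
SAMPLE_LOGS = """\
2014-01-14T09:00:01 dev=fw1 type=ips src=203.0.113.9 dst=10.0.0.20 sig=SQLi-Generic action=blocked
2014-01-14T09:00:05 dev=fw1 type=ips src=198.51.100.4 dst=10.0.0.20 sig=PHP-RFI action=blocked
2014-01-14T09:01:10 dev=fw1 type=ips src=203.0.113.9 dst=10.0.0.31 sig=Java-Exploit action=blocked
2014-01-14T09:02:30 dev=fw1 type=av src=203.0.113.9 dst=10.0.0.31 file=invoice.exe action=quarantined
2014-01-14T09:03:02 dev=fw1 type=av src=203.0.113.9 dst=10.0.0.31 file=update.scr action=quarantined
2014-01-14T09:11:45 dev=dc1 type=auth src=10.0.0.31 user=jsmith result=failed
2014-01-14T09:12:20 dev=dc1 type=auth src=10.0.0.31 user=jsmith result=failed
2014-01-14T09:40:00 dev=dc1 type=auth src=10.0.0.31 user=jsmith result=ok
2014-01-14T10:30:00 dev=fw1 type=ips src=198.51.100.4 dst=10.0.0.20 sig=PHP-RFI action=blocked
"""


def parse(line):
    """Split one line into a dict; the timestamp becomes a datetime under 'ts'."""
    stamp, rest = line.split(" ", 1)
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return event


def correlate(log_text, window=timedelta(minutes=30), min_auth_failures=2):
    """Link IPS -> AV -> failed-login events into incidents.

    A lone IPS block is treated as background noise. Only when AV also fires
    for the same attacker/victim pair, and the victim then produces repeated
    login failures shortly afterwards, is an incident raised.
    """
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    ips = [e for e in events if e["type"] == "ips"]
    av = [e for e in events if e["type"] == "av"]
    auth_failed = [e for e in events if e["type"] == "auth" and e["result"] == "failed"]

    incidents = []
    for trigger in ips:
        av_hits = [a for a in av
                   if a["src"] == trigger["src"] and a["dst"] == trigger["dst"]
                   and trigger["ts"] <= a["ts"] <= trigger["ts"] + window]
        if not av_hits:
            continue  # blocked, no follow-on activity: Internet background noise
        last_av = max(a["ts"] for a in av_hits)
        failures = [f for f in auth_failed
                    if f["src"] == trigger["dst"]
                    and last_av <= f["ts"] <= last_av + window]
        if len(failures) >= min_auth_failures:
            incidents.append({
                "attacker": trigger["src"],
                "victim": trigger["dst"],
                "signature": trigger["sig"],
                "av_hits": len(av_hits),
                "auth_failures": len(failures),
                "users": sorted({f["user"] for f in failures}),
                "first_seen": trigger["ts"].isoformat(),
            })
    return incidents


def background_noise(log_text):
    """Sources that only ever produced blocked IPS hits, with no follow-on events."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    attackers = {e["src"] for e in events if e["type"] == "ips"}
    escalated = {i["attacker"] for i in correlate(log_text)}
    return sorted(attackers - escalated)


if __name__ == "__main__":
    for incident in correlate(SAMPLE_LOGS):
        print("INCIDENT", incident)
    print("background noise:", background_noise(SAMPLE_LOGS))
```

In the sample, 198.51.100.4 hits the IPS twice and is correctly left as noise, while 203.0.113.9 is escalated only because the three independent controls (IPS, AV, authentication) agree on the same victim machine within the window.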

Wrong advice

NS: People have been talking forever about checking logs and configuring systems properly. Why do you think that’s suddenly going to happen in this coming year?

CN: “That’s a good question. I’ve been in the industry for 15 years, and you see the same problems happen over and over. It seems like you’re never going to be able to get people to do the best thing. But I will say, while we do tell people to look at their logs, I think looking at their logs is kind of the wrong advice. Maybe this is a general issue in security: we often give advice that’s too hard to do in the real world. So I’m going to digress a little bit … we often say, don’t worry about passwords. As long as you create this really long, random password, it’s never going to get cracked. So how practical is that, though? If you have a 20-character password, that’s random characters, with caps – how are you going to remember that? So that’s a perfect example of good security best practice, that is kind of bad human advice, because it’s impractical.

“So telling people to look at oceans of logs to find data is bad advice. In the past we’ve just been giving them logs – and by logs, I mean these line-level, ‘it comes from this source to this IP’, detailed information about the packet. So that is the problem – looking at thousands of lines of logs is not going to help you. I think the SANS organisation recently did a survey on logging. What they found was, we’ve been telling people you should log stuff, and the good news is, they found that 77% of businesses did turn on logging, so that’s kind of good. I wish it were 90% or higher, but 77% is a big percentage. But here’s the problem – when they then asked how many of those people actually looked at their logs on a regular basis, that number dropped to 24%, so less than a quarter of people were actually paying attention to them. Then they asked the kicker question: of the people looking at their logs, how many feel confident that they can use logs to identify security incidents? And that dropped to 10%.


“I don’t think the problem is getting people to log, and maybe the problem’s not getting them to look at it. The problem is, we’re delivering it in a way that’s not consumable by a human. So the key there is visibility, and by visibility I mean visualisation. Big data is a big technology industry trend right now. We are suffering under piles of big data, and security controls and security devices are part of that big data, delivering all kinds of interesting intelligence, but you can’t make heads or tails of any of this data unless it’s delivered to you in a way that allows you to see immediately the important trends, or to see immediately the incident that kind of is different than the other incidents.

“At WatchGuard, when we talk about visibility as a defence, what you’re going to see is us delivering analytic tools for our logs in a different way. It’s going to be a heavy concentration on visualisation. Rather than just a bunch of log lines, you’re going to see different kinds of graphs, different kinds of top trend reports, based on users, based on security events, and we’re going to use things like tree map views, which is a specific way to graph out data – a great way that kind of minimises 950 of the smaller pieces of information, and maximises the 50 top ones that you really want to pay attention to.

“So I think the difference this year is, it’s going to move from just log data to actual visualisation and analytic-type tools. We’ve just released something called WatchGuard Dimension, and this is a tool that’s designed to just do this.1 If you have our security appliance, for instance, it’s been logging data forever, and we’ve wanted people to look at the logs forever. But now, with WatchGuard Dimension, we take those logs and we visualise them in executive summary reports, CSO reports – a bunch of different reports that help you quickly identify who’s the top bandwidth user, what applications are being used in your network, what security incidents are rising to the top, and what particular attacks are affecting your network the most.


“You can pivot on this, for instance, if you see there’s a particular Java exploit that’s getting used against your network a lot, you can actually click on that, and then it will show you a pivot of what users are being affected by this exploit. I’ve done this before, and sometimes one user pops to the top. What that’s showing you is actionable security intelligence. If I suddenly see there’s one particular exploit in my network that’s used the most, I know I’d better make sure to have that patch applied to all my users. If I then click on it, and I see there’s one user that’s really generating all the hits to that particular exploit, I then know I have some sort of problem that I can proactively go and fix. Either that user is doing something wrong – maybe she walked her kids’ laptop into the back door, whatever the case may be – it’s the fact that I can suddenly see that user rise to the top, rather than having to find this incident.

“That incident I just described has been hidden in your logs, but it was hidden in hundreds of thousands of lines over many days of usage. So the key part of visibility, of your visibility, is changing the model from just text log lines, to visualisation and analytics.”

WatchGuard Dimension in use – in this case, drilling down to a single user.
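The two operations Nachreiner describes in this answer, the top-N “tree map” view that folds the long tail into one bucket and the pivot from the most-hit exploit signature onto the users behind it, as an added example (written for this page; not WatchGuard Dimension code). The key=value log layout is constructed, the `user` field assumes the logging device has already mapped each internal address to a logged-in user, the signature names are made up, and the dominance threshold for flagging a user is an assumption:

```python
from collections import Counter

# Constructed sample IPS log lines in an assumed key=value layout (not WatchGuard's
# format). The `user` field assumes the device has already mapped the internal
# address to a logged-in user; signature names are invented for the example.
SAMPLE_LOGS = """\
2014-01-14T10:00:01 type=ips sig=Java-Exploit src=203.0.113.5 user=alice action=blocked
2014-01-14T10:00:09 type=ips sig=SQLi-Generic src=198.51.100.7 user=webfarm action=blocked
2014-01-14T10:01:15 type=ips sig=Java-Exploit src=203.0.113.5 user=alice action=blocked
2014-01-14T10:02:40 type=ips sig=PHP-RFI src=198.51.100.9 user=webfarm action=blocked
2014-01-14T10:03:03 type=ips sig=Java-Exploit src=203.0.113.8 user=bob action=blocked
2014-01-14T10:04:11 type=ips sig=SQLi-Generic src=198.51.100.7 user=webfarm action=blocked
2014-01-14T10:05:59 type=ips sig=Java-Exploit src=203.0.113.5 user=alice action=blocked
2014-01-14T10:06:30 type=ips sig=SMB-Overflow src=192.0.2.44 user=fileserver action=blocked
2014-01-14T10:07:45 type=ips sig=Java-Exploit src=203.0.113.6 user=carol action=blocked
2014-01-14T10:08:12 type=ips sig=SQLi-Generic src=198.51.100.7 user=webfarm action=blocked
2014-01-14T10:09:00 type=ips sig=Java-Exploit src=203.0.113.5 user=alice action=blocked
2014-01-14T10:10:21 type=ips sig=PHP-RFI src=198.51.100.9 user=webfarm action=blocked
"""


def parse(line):
    """Split one line into a dict of its key=value fields plus the timestamp."""
    stamp, rest = line.split(" ", 1)
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = stamp
    return event


def top_n_with_other(events, field, n):
    """The 'tree map' view: the n biggest values of a field, the rest folded into 'other'."""
    counts = Counter(e[field] for e in events)
    top = counts.most_common(n)
    other = sum(counts.values()) - sum(c for _, c in top)
    return top + ([("other", other)] if other else [])


def pivot(events, match, by):
    """Count `by` values across the events whose fields equal everything in `match`."""
    return Counter(e[by] for e in events if all(e.get(k) == v for k, v in match.items()))


def drill_down(log_text, n=2, dominance=0.5):
    """Rank signatures, then pivot the top one onto users and flag any user that
    accounts for more than `dominance` of its hits (the 'one user pops to the top')."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    summary = top_n_with_other(events, "sig", n)
    top_sig = summary[0][0]
    by_user = pivot(events, {"sig": top_sig}, "user")
    total = sum(by_user.values())
    flagged = sorted(u for u, c in by_user.items() if c / total > dominance)
    return {
        "summary": summary,
        "top_signature": top_sig,
        "by_user": dict(by_user),
        "flagged_users": flagged,
    }


if __name__ == "__main__":
    result = drill_down(SAMPLE_LOGS)
    print("top events:", result["summary"])
    print(f"{result['top_signature']} by user:", result["by_user"])
    print("users to check:", result["flagged_users"])
```

The summary is what a tree map draws: two large cells and one “other” cell instead of twelve log lines. The pivot turns the top cell into the actionable piece: one user accounts for two-thirds of the exploit hits, which is the signal to go and look at that machine rather than at the signature.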

Complicated environments

NS: It’s all very well getting people to use the security they have properly, which is basically what you’re talking about, but is it that simple? Putting tools into people’s hands is all very well, but often they’re too busy or under too much pressure to use what they already have. Even where security budgets are rising, they’re often lagging behind the increasing size and complexity of the IT estate. Security professionals are spending a lot of their time just trying to catch up. Now people are talking about the Internet of Things, and there’s IPv6 which may or may not see proper adoption –

CN: “ – Yeah, maybe one day!”

NS: The security people are getting left behind by the pace at which things change, aren’t they?

CN: “Yeah, I definitely get that, depending on the organisation you’re dealing with. Most small to medium businesses do not have a security specialist. It’s typically the one or two normal network IT infrastructure guys that are dealing with security too. With mid to large enterprises, those folks do tend to have more security specialists, maybe even a CISO. But in either case, the IT guys are definitely overwhelmed with fires they have to put out, and security is kind of an afterthought. I think that’s why they’re used to putting in security controls, whatever they may be, as fire and forget-type things – put them in, and forget about them. While, on the one hand, there are many security controls that work okay – if they’re configured properly they can keep chugging along for a long time – there’s really a lot of value they’re missing.

“I don’t know the full solution to this, but I can tell you that WatchGuard’s solution is to provide business intelligence that these IT admins are going to like to see every day. Our visibility tool doesn’t only tell you about security events, it tells you a whole lot about your network: who are your top bandwidth users? What are they doing on the network? What URL categories are people going to regularly? If you have a good visibility tool, if you have a tool that is showing you the right top events – maybe how much of your traffic is your critical e-commerce server, versus how much of your traffic is Johnny in tech support BitTorrenting some file – if you have that visibility, you’re actually going to want to visit that tool every day, because besides helping you find important security events, it’s also going to help you do your normal everyday ‘fire-fighting’ job. That’s because the fires they’re putting out are things like the four-in-the-morning call from the CEO saying that our customers are complaining that our e-commerce site is too slow – go fix it. Our tools can even help you troubleshoot that problem by maybe finding a user that happens to be sucking up your bandwidth, and as you find this stuff, it invites you to take action, and to actually change policy, and maybe put some sort of throttle on BitTorrent, or block it, or whatever your business policy ends up being.


“They’re doing many things. Security is just one of those things, and unfortunately security is always kind of the red-headed stepchild, because it doesn’t directly make a business money, right? And yet it is necessary for businesses to have if they want to continue making money, because if you do get popped or pwned you’re going to lose quite a bit of your money. But in any case, if we make security more useful, not just as a security tool, but to help identify business events too, I think it might encourage administrators to look at the tools more regularly. I’ve found, just using our own visibility tool, I’m learning all kinds of things.

“To give you an example, you might have heard of application control, which is one of the things many security tools now have. It’s not really directly a security functionality. Application control is the ability to recognise different network applications, no matter what ports or protocols they use. There’s lots of applications like Skype and Ultrasurf and Tor and Torrent, that are very sneaky at getting around firewalls and old-school security appliances. So these application control features allow you to recognise different applications and, besides recognising them, you can even recognise granular features of an application – like, for Facebook, you can recognise a Facebook view versus a post, versus a game, etc. That’s an interesting new productivity or business tool.

“There’s different ways you can use that, but one of the problems with these new tools is, a normal business, if they suddenly have access to the ability to control applications, how do you know what to do? Does the average business know what their users are using every day? Some of it may be for business – for instance, Facebook is used heavily by marketing. Maybe they might see something like Tor, which is an anonymising network, but maybe it’s used for some valid purpose; or maybe they see Torrent, which some people associate with pirated software, but maybe it’s an engineer using Torrent to download Linux ISOs. So the point is, how you use application control differs from business to business, depending on what your business is doing.

“The cool thing about visibility tools is they can teach you what your business is doing, if you have the right tools. Things like, what applications are being used by your network, and by who, pop up very quickly, very immediately. I think the only other challenge that these cool tools will offer people is, they’re suddenly going to see so much visibility into their network, that they might have to start talking to HR, and they won’t know how to handle certain things that you see pop up. The point I’m really trying to get to is, if you can provide them value, some sort of useful value, to help identify business incidents in their network as well, I think they’ll come back to the security tools every day, the visualisation tools, and besides seeing the business incidents, the security incidents are in the same place, so just naturally it will also help them become a more secure, or at least more aware, organisation naturally.”

Internet of Things

NS: Let’s come back to the Internet of Things. As I understand it, the Internet of Things, to take off properly, has to be built on IPv6, because there aren’t enough addresses in IPv4?

CN: “Well, they’ve been playing with NAT forever. I guess ISPs on mobiles can do their own internal levels of NAT, but ultimately, the Internet of Things is what’s going to force us to run out of address space, for sure.”

NS: So, given the glacially slow take up of IPv6, isn’t this year a little early for an Internet of Things apocalypse to happen?


CN: “Well, I don’t think the Internet of Things apocalypse is going to happen yet. When I’m talking about the Internet of Things, I’m talking about any sort of ‘stealthy’ computer devices. People automatically associate phones and tablets with the Internet of Things, which is good. It means that people realise a phone or a tablet is a network device. But have they realised that pacemakers can now be network devices? Have they realised that that cool little video monitor that they can move around for their baby is actually an IP webcam? Have they figured out that the neat quadracopter they bought, that can connect to their wireless network, and they can drive it with their iPhone or upload waypoints, is a computer? And, of course, you’ve heard of the fridges, and the smart TVs. So I’m more concerned with the things that don’t look at all like computers, but really all they are, are embedded computers that often have wireless chips to get all kinds of neat innovative features and the innovative features are very cool. But the problem is, these stealthy computers end up on our networks just like any other device, and sometimes they’re even publicly available. They might even use UPnP, the automatic plug-and-play protocols, to get network access out. You may have heard, last year, about the baby camera hacks.2 A particular baby camera monitor is really just an IP webcam, which was pretty easy to allow public access to the world, so you could check up on your baby at home from your iPhone. A cool tool, but it was pretty trivial for anyone to override the password login, and get onto those baby cams, and many other IP cameras.

“So I don’t think we’ll have the apocalypse, but I think researchers and attackers are really going to focus on the Internet of Things in 2014. Rather than seeing all the attacks against a particular flavour of software, whether it be Mac or PC, I think you’re going to see a lot more people coming out with, oh look, I can hack this quadracopter, or people that are doing more detailed research into car hacking, and anything else that is really a small, embedded computer. You already saw some of that in 2013, but I really think it’s the new vogue, a place for researchers to go, and the attack community do follow the researchers.

“Now, that being said, as far as the criminal part of hacking the Internet of Things is concerned, for criminals to do it, it has to be monetisable. There has to be some way for them to make money. Hacking baby monitors is not really going to make them a lot of profit immediately, so the type of Internet of Things they will focus on is definitely the smartphones and the tablets, for the near future. But later on, when you start having Google Glasses, when you start having various other devices that we use on a daily basis, and we do start storing sensitive information, I do think you will see criminals move in that direction.

“I will also mention, there are sometimes other ways malicious criminals have used hacking the Internet of Things, such as IP webcams, to not make money but to extort people to do things they really shouldn’t be doing online, and sharing that publicly, or at least extorting them further after that. So even when you’re attacking something like a webcam, there are ways you can at least make money, or do something that is bad.

“We’re seeing the explosion of the Internet of Things. I just want people to be aware of all the devices beyond just smartphones and laptops, that have computers and wireless access nowadays. Now, the cool thing about the Internet of Things is they all speak TCP/IP, so many of our security controls still apply to them. The key thing security firms and security vendors have to do is make sure that we keep up with protections that are focused on these things too. So rather than just having, for instance, IPS signatures for Windows and Macintosh attacks, we need to have it for IP cameras. We need to have it for NAS storage devices and the multiple other things that really are networked to computers on our networks.”

About the author

Steve Mansfield-Devine is the editor of Network Security, and its sister publication Computer Fraud & Security. He also blogs and podcasts on information security issues at Contrarisk.com.

Resource

page. www.watchguard.com.

References

1. ‘WatchGuard Dimension’. Accessed Jan 2014. www.watchguard.com/products/dimension.

2. Honan, Mat. ‘Hackers are exploiting baby monitors, but we know how to stop them’. Wired, 15 Oct 2013. Accessed Jan 2014. www.wired.com/gadgetlab/2013/10/baby-monitor-hacking/.