This article was originally published on Technology.Info.
Cybercrime is 24/7, 365 days a year and, more often than not, it is businesses, rather than individuals, that are targeted. Threats lurk within networks, endpoints or devices, often hidden in poorly configured settings or permissions, ineffective data governance, access management and usage policies. These unseen threats come from all perimeters of the organisation and major trends such as BYOD, big data, cloud, and mobile apps have increased the challenge faced by IT leaders.
According to a February 2013 report by industry research firm Ponemon Institute, data breaches have increased in both severity (54 per cent) and frequency (52 per cent) in the past two years. On average, it takes about 80 days for a data breach to be discovered and another four months for it to be resolved. Worryingly, one-third of all data breaches were never caught by the installed security software and hardware, suggesting a need for deeper levels of network security.
Firewalls and intrusion prevention systems (IPS) are now standard elements of a company’s network security architecture, but many may give businesses a misplaced peace of mind. Next-generation firewalls have revolutionised security but they come in many guises and CIOs need to ask some searching questions. To address the increasing number of threats that businesses are facing today, it is important that an organisation’s network security is able to detect evasion techniques and has the ability to scan all traffic regardless of port or protocol, including SSL encrypted traffic. A robust solution will also have access to a cloud database of malware variants that is continually updated.
All intrusion prevention systems are designed to prevent known attack traffic patterns from penetrating systems on the network. But there is an inherent problem with the technology, since it can only block the attacks it sees and is already familiar with. Disguised code is a major problem and it is possible to trick the traditional IPS inspection engines into passing the traffic.
There are hundreds of types of encoding methods in use today, and new ones pop up regularly as attackers craft fresh evasions that can’t be detected by a traditional IPS. Complicating matters further, cybercriminals also blend and mix the different techniques. Chaining them by using more than one evasion at a time makes it even more difficult for the IPS to uncover and block malicious traffic. There are about 200 known evasion techniques that are recognised by IPS, according to Andrew Blyth, a professor on the faculty of Computing, Engineering and Science at the University of South Wales. When they’re chained together, they combine to create millions of unique evasions.
Businesses can achieve a deeper level of network security by adopting an IPS which uses anti-evasion, data-normalising techniques to uncover and block advanced evasion and obfuscation techniques before they can make it onto the network. This capability is critical to an effective IPS, since evasions that aren’t decoded and detected effectively render the IPS useless.
Although many vendors claim to have solutions to the evasion techniques that cybercriminals are using, choosing the right technology can be a challenge. Sometimes claims are just that — claims — and the IT department figures out too late that the security product they just bought doesn’t protect against new threats and evasion techniques. When picking security technology, be sure to look for products which are third-party certified to be capable of blocking a wide variety of attacks, and in particular for solutions that have demonstrated resistance to evasion methodologies.
A final but important consideration for achieving a deeper level of network security is the importance of scanning both inbound and outbound traffic, regardless of the ports and protocols. This is often overlooked, with traditional IPS solutions focusing only on what’s coming in from the outside. This is a serious chink in your armour, since it can leave your company vulnerable to attacks coming from other parts of your network. Scanning ingress traffic is great for keeping the bad guys from breaking into your network, but what if they are already inside, either physically or because you have compromised systems inside your network?
Today, organisations can get best-of-breed firewalls and best-in-class intrusion prevention systems without the need to manage separate appliances, GUIs and deployments. Consolidated solutions offer higher security and easier management thanks to fewer consoles and consolidated security data, lower TCO and more flexible deployment options. Just be sure that the network security solution you have opted for goes deep enough and scans traffic from inside as well as outside your organisation.
Dell’s SonicWALL SuperMassive E10800 SonicOS 6.0 achieved a 100 per cent score two years in a row in NSS Labs’ testing for resistance to a variety of known evasion techniques, including IP fragmentation, TCP stream segmentation, RPC fragmentation, URL obfuscation, HTML Evasion and FTP evasion. “Not only were the fragmented and obfuscated attacks blocked successfully, but all of them were also decoded accurately,” according to NSS Labs.
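To make concrete why the data-normalising step described above matters, and how two of the evasion classes listed here (TCP stream segmentation and URL obfuscation) defeat a naive engine when chained, the following toy detector is an added example written for this article; it is not any vendor's engine or NSS Labs test code, and the signatures, request and segment layout are constructed for illustration.

```python
"""Toy IPS matcher: naive per-segment matching vs. normalised matching.

Constructed example. A real engine normalises far more (IP fragments, RPC,
HTML, FTP); this shows only TCP reassembly plus URL decoding.
"""
from urllib.parse import unquote

# Constructed, simplified content signatures (substrings of a request path).
SIGNATURES = ["/etc/passwd", "cmd.exe"]


def normalise_url(text: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so a decode loop cannot be used
    to exhaust the engine), then lower-case and collapse '/./' and '//'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower().replace("/./", "/")
    while "//" in text:
        text = text.replace("//", "/")
    return text


def reassemble(segments):
    """Order (seq, payload) TCP segments by sequence number and join them."""
    return b"".join(payload for _, payload in sorted(segments, key=lambda s: s[0]))


def naive_match(segments) -> bool:
    """What a non-normalising engine does: inspect each segment as it arrives."""
    return any(sig in payload.decode("latin-1")
               for _, payload in segments for sig in SIGNATURES)


def normalised_match(segments) -> bool:
    """Reassemble the stream, normalise it, then match signatures."""
    stream = normalise_url(reassemble(segments).decode("latin-1"))
    return any(sig in stream for sig in SIGNATURES)


# Constructed sample: the path is double percent-encoded ("/%252Fetc%252Fpasswd"
# decodes to "//etc/passwd") and the request is split mid-token and delivered
# with the second segment first, so no single segment ever contains a signature.
EVASIVE_SEGMENTS = [
    (15, b"52Fpasswd HTTP/1.1\r\n"),
    (0, b"GET /%252Fetc%2"),
]
CLEAN_SEGMENTS = [(0, b"GET /index.html HTTP/1.1\r\n")]

if __name__ == "__main__":
    print("naive:", naive_match(EVASIVE_SEGMENTS))            # False: evasion passes
    print("normalised:", normalised_match(EVASIVE_SEGMENTS))  # True: decoded and caught
```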