This post is contributed by Paul Kaspian, Senior Product Marketing Manager for IBM Security.
In network security we spend a lot of time looking at threats coming into our organizations from the outside. This makes a lot of sense considering the fact that our networks are under siege from increasingly sophisticated and well-funded groups of attackers. An effective intrusion prevention strategy that is able to adapt to new attacks is clearly essential, but what about the risk introduced by our own users? What types of threats are they either knowingly or unknowingly introducing into our environment and how do we mitigate those threats?
Answering this question is critical to understanding the risks introduced by users. What applications do they have installed? What web sites are they visiting? What does this mean for your overall security posture? After all, this activity can have a very direct impact on the overall security of the network. A perfect example is users who have unknowingly visited a site hosting malware. Many legitimate sites are now infected with malware, but there are obviously a large number of sites that are focused on malware distribution, often posing as their legitimate counterparts.
IBM has introduced several new offerings to help organizations get a better handle on the risk that is being introduced from internal use. This includes providing a next-gen platform for intrusion prevention that is able to easily monitor the use of both web and non-web applications, as well as granularly control their use. This means blocking access to obviously non-business related sites such as sites hosting malware or gambling sites, as well as tailored access to others. When combined with IBM's security intelligence offerings, even more visibility and insight is provided, including the ability to do event correlation and anomaly detection: critical pieces of functionality for detecting multi-vector attacks such as Advanced Persistent Threats (APTs).
Comprehensive network security requires a balanced approach that addresses the risks introduced from activity on the network. Greater visibility and control of this activity is the real key to greatly reducing the risks and costs associated with a security incident.
Comparing politics and economics with information security is one of my strangest hobbies, that is for sure. But, these are basically the only two things I care about besides the basics of being a human so it winds up happening quite a bit. Not to fear though, this blog won't venture into the land of any of my political preferences. Instead, I want to look at the similarities between two things that at first glance might seem to share few of them.
I want to begin by looking at this notion around "creating a job" and what that means, or if it's even possible. If you are following the current election cycle in the US at all, you probably hear a lot about jobs and unemployment and see lots of different graphs saying we're either doing well or we aren't. However, everyone is saying that they want to create more jobs. But do politicians really create jobs? Well, unless we are talking about directly increasing the number of people on government payroll, the government doesn't create jobs. However, that is not to say that government doesn't play a role in this conversation. Government does quite a bit to create an environment where job growth is possible. Regardless of your political preference, the balls that are up in the air here are things like tax rates for businesses, crime, property taxes, educational achievement in the area, quality of the regional infrastructure, regulations, natural resources, market stability, location, and the list goes on. Some of these do represent competing interests (you can't have lower taxes and more government services), but balancing all of these factors successfully can result in creating an overall climate where employers feel comfortable growing their business and bringing on new people. While the job growth number is an easy one to get your hands on, the effect that any one program or tax law change has on that number is almost impossible to accurately quantify.
While not a perfect analogy, there is a great deal shared between creating a job and detecting/remediating a sophisticated threat. Tom Cross does this talk on Advanced Persistent Threat and one of the best elements of that discussion is around the "kill chain" of an attack (reconnaissance, exploitation, infection, command and control, internal pivot, data preparation, data exfiltration). There are a lot of things that an attacker has to do between deciding to attack a network and leaving said network with the desired data. If you approach the problem from a kill chain perspective, the goal is to look at the entire chain of events and apply security countermeasures along the way, each capable of alerting you to an attempted intrusion. Tom mentions the notion that you want to strive for detecting an attacker at a minimum of two different points in the kill chain. Only one means your defenses were too close to unnoticed compromise. Additionally, just because one security technology didn't directly detect the attacker doesn't mean it didn't play a role. Hardened defenses in one spot can force an attacker into using different tactics. As an example, if an attacker wants the information in a database that sits behind a web application, but the web application was coded securely, this forces the attacker to loop through the back end and possibly attack the individuals with access to that database. Let's say the attacker is eventually discovered because of irregularities in database user activity. Does this then mean that the application vulnerability scanning tools used to build the web application didn't factor in thwarting the attack? Of course not. Does this reality make it harder to understand the impact of any one technology? It does.
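To make the "two points in the kill chain" idea concrete, here is an added example (not code from the original post or from IBM) that maps alerts from different sensors onto the kill-chain stages listed above and flags a host only when its detections span at least two distinct stages. The signature names, the signature-to-stage mapping and the alert lines are all constructed for illustration; a real deployment would maintain that mapping per sensor and rule set.

```python
"""Correlate sensor alerts by host across kill-chain stages.

Added example, not part of the original post. It models the idea that an
attacker should be caught at two or more points in the kill chain: alerts
from different security controls are mapped onto the kill-chain stages
named in the post, and a host is flagged when its detections span at least
two distinct stages. All alert lines below are constructed sample data.
"""
from collections import defaultdict

# Kill-chain stages as listed in the post, in order.
KILL_CHAIN = [
    "reconnaissance",
    "exploitation",
    "infection",
    "command_and_control",
    "internal_pivot",
    "data_preparation",
    "data_exfiltration",
]

# Hypothetical mapping from alert signature names to kill-chain stages.
# A real deployment would maintain this mapping per sensor and rule set.
SIGNATURE_TO_STAGE = {
    "port_scan": "reconnaissance",
    "web_app_sqli_attempt": "exploitation",
    "dropper_download": "infection",
    "beacon_to_known_c2": "command_and_control",
    "smb_lateral_login": "internal_pivot",
    "archive_staging": "data_preparation",
    "large_outbound_transfer": "data_exfiltration",
}

# Constructed sample alerts: "<timestamp> <sensor> <host> <signature>"
SAMPLE_ALERTS = """\
2012-04-01T10:00:01 ips 10.0.0.5 port_scan
2012-04-01T10:02:11 ips 10.0.0.5 web_app_sqli_attempt
2012-04-01T11:30:00 flow 10.0.0.5 beacon_to_known_c2
2012-04-01T09:15:00 ips 10.0.0.9 port_scan
2012-04-01T12:00:00 flow 10.0.0.12 unknown_signature
"""


def parse_alerts(text):
    """Parse alert lines into (timestamp, sensor, host, signature) tuples.

    Malformed lines are skipped rather than aborting the whole batch.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def stages_per_host(records):
    """Return {host: set of kill-chain stages with at least one detection}.

    Signatures without a known stage mapping are ignored here; they may still
    deserve triage, but they cannot contribute a kill-chain position.
    """
    seen = defaultdict(set)
    for _ts, _sensor, host, signature in records:
        stage = SIGNATURE_TO_STAGE.get(signature)
        if stage is not None:
            seen[host].add(stage)
    return dict(seen)


def flag_hosts(records, min_stages=2):
    """Flag hosts observed in at least `min_stages` distinct kill-chain stages.

    Returns {host: [stages in kill-chain order]} for flagged hosts only.
    """
    flagged = {}
    for host, stages in stages_per_host(records).items():
        if len(stages) >= min_stages:
            flagged[host] = [s for s in KILL_CHAIN if s in stages]
    return flagged


if __name__ == "__main__":
    for host, stages in flag_hosts(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{host}: detections at {len(stages)} stages -> {', '.join(stages)}")
```

With the sample data, only 10.0.0.5 is flagged (reconnaissance, exploitation and command-and-control), while 10.0.0.9 with a single port-scan alert is not. The point the post makes survives in the design: the web application exploitation attempt alone might have been dismissed as noise, but the later beacon from the same host turns two weak signals into one strong one.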
At this point, it's a good time to return to this analogy around job creation. In both cases end results are tangible (you have more jobs, you caught the bad guy), but it can be difficult to quantify the impact of any one investment or decision. Success in these scenarios is often predicated on systemic strength. Just as with job creation where you are trying to create an environment where job creation can take place, with advanced attackers you are trying to create an entire environment where the attacker can be detected and defeated. In practice, creating that environment involves a whole ecosystem of different capabilities and expertise that may or may not play a part over the course of any given incident.
With that in mind, I am pleased to say that today's announcements are a reflection of IBM's belief in this notion around the strength of the system. Today was the first announcement around our Advanced Threat Protection Platform, with our new anomaly detection appliance headlining the show.
There are also integrations between X-Force/our Network Intrusion Prevention System and our recently acquired Q1 Labs technology, as well as the addition of "hybrid protection" to our Network IPS. The latter of these announcements complements the proven, ahead-of-the-threat protection found in IBM's Protocol Analysis Module (PAM) with the open source capabilities and common syntax of SNORT.
While there is always more work to be done, this announcement represents the latest example of what we are trying to do in security, which involves addressing complexity not by proclaiming simple solutions or a one-product fix-it, but by bringing together a lot of different technologies and capabilities to deliver something greater than the sum of its parts.