January 29, 2013

1. In the context of ever-changing security threats, which ones are more prevalent?

If you notice, the usage patterns of people have changed. We do many things online today which we once did offline, shopping being a clear example. So much so that in some cases we do not even care whether there exists an offline alternative. There is an increasing reliance on activities conducted using the Internet (and computing in general) in both homes and offices, and cybercriminals are accordingly fixing their targets.

Technical jargon which was associated with older threats, such as worms, backdoors, script kiddies, denial of service, etc., is no longer popular. When cybercriminals launch attacks today, the motive is not to earn fame as it was earlier but to obtain monetary gains or a competitive advantage in terms of intellectual property. They are always at least one step ahead of most of the defensive measures which we may take to safeguard against attacks, and it is very difficult to catch up to their sophistication and organization. We may draft a number of policies to implement with regard to our security, but in practice they do little to actually defend against attacks.

2. Are traditional security systems like firewalls, IDS/IPS, etc. sufficient to handle modern threats such as zero-day attacks, APTs (Advanced Persistent Threats) and other evolving security threats?

They are not enough by themselves. We do not intend to replace these tools but to complement them. Security solutions, such as ours, fill the gaps in typical security infrastructures instead of trying to be too many things at once.

3. Unknown threats such as zero-day attacks are identified by most vendors through advanced heuristics. What are their limitations? Where do they fail?

You need to look at both signature-based and non-signature-based detection methods. No amount of education can prepare an organization to face APTs. Social engineering makes it difficult to totally avoid modern threats. For instance, attackers send personalized messages to specific targets considering their demographics, interests, designation, etc. in order to extract valuable information from them, which the victims would readily disclose in response to a message which looks fairly genuine. Coming to heuristics, it is one-dimensional and a very blunt approach to APTs. To deal with this, what FireEye's VX (virtual execution) technology does is that it runs code in a sandboxed environment before letting it reach the rest of the network. Based on the outcome, it decides whether to allow or block the concerned traffic. Thus, it is dynamic and real-time in nature as opposed to a static, signature-based approach. The Malware Protection System analyzes all the stages of an attack, from system exploitation to data exfiltration, in order to most effectively stop would-be APT attackers.

4. Signature-less detection of threats may not be always accurate. Can you share any statistics/reports about false positives with security solutions?

We have found that customers who configure a typical IPS face extremes with false positives. If they keep it too strict, the IPS tends to even block authorized traffic and produce a lot of false positives, whereas if they keep it too lenient, the IPS hardly does any sensible job of preventing anything. Determining any sweet spot in between is a nightmare for the IT department. FireEye reports a very low number of false positives. In any case, there exists a repository of vulnerabilities where you can verify whether the claimed threat is indeed a risk.

5. Given the trend of BYOD, does FireEye support iOS, Unix, Android, Mac, etc.?

Most BYOD use is for e-mail, which first passes through the e-mail servers, and hence the end-point device's OS is not of much relevance. Currently we focus only on Windows-based combinations of the OS and applications, since that OS runs on about 95% of the PCs worldwide. It is important to focus on applications too, and not just the OS, when you are trying to secure your systems or to evaluate how good a security solution is.

6. When organizations deploy IPS/IDS, what kind of latencies are possible which can result in a trade-off between security and network performance?

Network security solutions including IPS/IDS add latency in ms (milliseconds). Latency actually depends on the load which the device is processing at any given point. An IPS/IDS operating under a normal load will add a latency <= 1 ms. However, the same device when overloaded or misconfigured can easily increase the latency in the network and can create performance issues. Many IPS/IDS are designed to bypass the traffic or stop scanning when they are operating under heavy load.

7. How relevant is the threat of drive-by downloads to Linux users, since the payload, even if downloaded unknowingly, won't be able to actually execute on it?

Microsoft having the largest install base, drive-by downloads are usually targeted to exploit Windows operating system vulnerabilities or the applications running on Windows. Such payloads designed for the Windows operating system can't execute on Linux systems and hence have zero impact on these Linux systems.

8. How will the move to IPv6 affect network security? Will it become tougher or easier for attackers to compromise the network?

Network security has always evolved with time. We have seen security solutions evolving from various generations of firewalls to IPS/IDS, etc. IPv6's primary goal is to increase the Internet's address space. With IPv6 we will have enough IP addresses, and more and more devices will be able to connect to the Internet. IPv6 lacks backward compatibility with IPv4. While transitioning to IPv6, network operators have to run IPv4 and IPv6 side by side. This will definitely impact network security. Moreover, IPsec is built into IPv6. Attackers will always find newer tactics to evade and compromise the networks.

9. Given the increasing trend of virtualization, what are the chances of a threat passing from one guest VM to another non-compatible/heterogeneous guest VM?

As more and more organizations opt for virtualization, malware writers will no longer miss out on the opportunity to compromise virtualized systems, just as they do with physical systems. The majority of malware will exit today when a virtualized system is detected. However, there is a trend underway with malware which is specifically written to target virtual machines once the physical machine is successfully compromised. The malware looks for any VMware machines on the system and accesses the virtual machine images to place the malware, which will automatically activate when the VM boots up.

What solutions have you implemented in your organization to combat next-generation threats such as APTs? Are you finding your current tools such as firewalls, IPS/IDS, etc. incapable of defending your network? Write to us at
