New tools link enterprise, perimeter and next-gen security


Point solutions to protect the perimeter of the enterprise are not obsolete, but a new generation of tools is arriving to complement them and provide the awareness needed to defend against new complex and targeted threats.

The threat landscape for government enterprises is evolving rapidly and the stakes are ratcheting higher as public and private sector organizations become more dependent on distributed computing resources and remote access.

As a result, the focus in cybersecurity is moving away from the perimeter and the point security tools traditionally deployed there and toward the use of analytics and monitoring to provide visibility and rapid response.

“Advancements have introduced thousands of applications, threats and vulnerabilities into communications networks, which are increasingly hidden from traditional network security devices,” the National Security Telecommunications Advisory Committee said in a 2013 report to the president.

At the same time, both data and its users are more likely to reside outside the enterprise today. And targeted multistage attacks are becoming better at penetrating perimeter defenses. “Solely securing network perimeters is no longer an effective method to address dispersed computing platforms, greater worker mobility and social media,” the NSTAC report concluded.

But although security is moving beyond a reactive model based on point security products to one of enterprise awareness and response, this does not mean that point solutions or perimeter defenses are obsolete.

“These are things you still have to do,” said Wallace Sann, federal CTO at ForeScout Technologies. Firewalls, antivirus, intrusion detection and the like still are picking off the low-hanging fruit of cyberattacks.

And although these tools are not enough by themselves to stop stealthier targeted attacks from penetrating chinks in perimeter defenses, they can also generate essential data that can be used to create better awareness of what is happening inside the network as well as at the perimeter.

The challenge is to enable communication between these legacy and new devices and take full advantage of that data.

New security priorities

The president’s advisory committee recommends modernizing network security not by migrating away from current point security tools, but with a process of upgrades and additions, including:

  • Implement security technologies and techniques providing for network defense-in-depth, protecting network users, devices, data and applications wherever they are located.
  • Upgrade legacy network security technology with next-generation tools and processes.
  • Use automated data analytics that take advantage of the next-generation tools to achieve real-time contextual cybersecurity.

The change can be difficult to make, however. Security officials know what they need to do, but budget priorities often do not keep pace with needs, said former White House security advisor Richard Clarke.

“The money goes to firewalls, the money goes to antivirus, the money goes to intrusion detection and prevention systems at the perimeter, when we know the systems fail all the time,” Clarke said.

However, this is changing as federal security guidance moves away from reactive defenses toward enterprise awareness. The Office of Management and Budget has required plans from agencies for implementing Information Security Continuous Monitoring and for providing automated feeds to a yet-to-be-developed dashboard plotting the security status of government IT systems.

The OMB memo is just one step in an evolving set of security tactics that include the Homeland Security Department’s Continuous Diagnostics and Mitigation program (CDM). To cover the shift in these requirements, the General Services Administration in August awarded Blanket Purchase Agreements for the CDM program to 17 companies, who in turn are partnering with dozens more vendors to provide an array of off-the-shelf tools for monitoring network activity and the status of agency IT systems.

New security tool sets

The initial task order makes available the first four of 15 “tool functional areas” in the CDM program. These include hardware asset management, software asset management, configuration management and vulnerability management. Additional functional areas will be added as requirements develop.

The tools under the CDM BPA also comply with the Security Content Automation Protocol (SCAP), a collection of specifications developed by the National Institute of Standards and Technology to let products from various vendors communicate and interoperate.

The requirement for agencies to use SCAP-compliant tools when available has spurred development of interoperable products to automate security tasks and share information, making continuous monitoring practical.

The point of SCAP and the CDM program is to break down the silos of data being generated by point security products, enabling real defense in depth with tools that talk to each other. A new generation of tools is emerging, leveraging data to provide greater visibility, analysis and faster response for enterprises.

These new tools work with point security, not in place of it. “They are as good as the point products sending data to them,” Sann said.

How vendors are reacting

ForeScout’s solution for data sharing within the enterprise is ControlFabric, a set of technologies that lets the company’s CounterACT endpoint control tool interact with other IT security products on the network. It not only allows management and enforcement of security policy on endpoint devices on the network, but helps enable continuous monitoring and mitigation through products already in place.

The CounterACT platform provides visibility into the configuration and security status of computers on the network, including whether patching and anti-malware are up to date and what applications are running, and can detect malicious or risky activity. It can also respond to policy violations with alerts, restricting access or remediating the computer.

The obvious limitation of this type of functionality is that it operates only within the network. With increasing numbers of users connecting to enterprise resources remotely through desktops, laptops or mobile devices outside the agency network, it is becoming important to have device visibility outside the perimeter as well as inside it and to extend the reach of enterprise management tools.

ForeScout plans to address this need with the release later in 2014 of RemoteControl, a free downloadable software option for CounterACT. Placed outside the network in a DMZ, it can monitor and update remote endpoints when not connected to the agency network. To do so, the SecureConnector lightweight client opens a secure link to remote devices to enable monitoring and management without opening connections through a firewall.

Because of the increased use of personal devices in the workplace, RemoteControl integrates with other mobile device management solutions that provide compartmentalization for non-government devices, supporting the segregation of personal and business spaces.

Other endpoint approaches

Cylance takes a different approach to endpoint security, identifying malicious code on devices by using mathematical modeling. The company’s product, CylancePROTECT, compares the mathematical characteristics of software being examined against a large known population of code to make a judgment about whether or not it is malicious and let user policy control whether it executes.

The technique is fundamentally different from signature or behavior-based detection, said Cylance CTO Glenn Chisholm.

Signatures require a known sample of malware to protect against it, and behavioral tools require some execution to work. But “there is a great deal that can be seen in an object before it executes,” Chisholm said.

CylancePROTECT is an agent running on the endpoint that uses proprietary algorithms to model software being examined. Machine learning lets it respond quickly to allow or block execution based on the user’s policy.

“We know there is substantial variation in what is good and what is bad,” Chisholm said. But even new threats don’t have entirely new characteristics. “We don’t make assumptions; we are looking at the entire binary population and making a decision.”

Although the technique should make it possible to block zero-day attacks, it is not perfect in its judgment, Chisholm said. “Nothing is ever going to be 100 percent.” The tool scores the likelihood that a piece of software is malicious and leaves the decision on whether to block it up to the user. “It allows an organization to manage its own risk posture. You can be very conservative or you can be very liberal.”

CylancePROTECT is not a replacement for existing products, but a complement to them. Cylance provides APIs for other security tools to let them work with CylancePROTECT to manage execution of software on the endpoint.

“We don’t say this is the holy grail,” Chisholm said. “This provides another layer of defense at machine speed. You are still going to have to have other security controls,” such as access controls, data management and privacy controls. “All of these things are absolutely critical.”

Automated incident response

The first layer of network defense traditionally has been concerned with detecting and blocking malware, attacks or other malicious activity. But most security professionals assume today that a breach is inevitable in any targeted enterprise, and this means that incident response also should be automated. That is the niche of Invotas, a service and software offering from CSG International.

“We didn’t want to be another analytic platform,” said Paul Nguyen, president of CSG Invotas global security solutions. The focus instead is orchestrating breach response at machine speed.

Debuted at the RSA security conference in February, Invotas is based on 10-year-old software that already was being used in telco networks to communicate with thousands of devices and activate and deactivate services based on business rules. “We leveraged that same concept around predefined rules” for responding to a breach or cyberattack, Nguyen said. “We sit on top of other solutions” and direct the response.

Firewalls, intrusion prevention systems and other tools are connected through the Invotas platform and can be ordered to redirect or block traffic, reconfigure settings or take other predefined actions at machine speed. Most organizations already have policies for incident response in place that can be automated through Invotas policies, Nguyen said.

Work on Invotas began about two years ago and it was piloted in several federal agencies. Government is a core market for the product, and Nguyen said the company hopes to be included in the next round of Homeland Security’s CDM program offerings.

Social threats defense

Social engineering is another threat that can penetrate the best perimeter defenses. It is an old family of attack techniques predating the Internet, but it can leverage social networking sites today to create a new generation of threats. Social networking sites have become trusted platforms for communication, and a compromised account can become a powerful social engineering tool for spearphishing and damaging the reputation of individuals and organizations.

MTN Government, a satellite communications company, has begun offering a cloud-based service to its government customers to detect and block malicious social networking activity such as fraudulent posts or faked communications for phishing. The online personas of at-risk individuals are monitored for suspicious activity, which can be blocked or removed from the sites.

“The reason government is so interested in this is that social media are so pervasive; people accept it,” said Peg Grayson, president of MTN Government.

Powered by the ZeroFOX platform, the service runs in a secure network operations center. Behavioral signatures are created for customers and used to verify the monitored activities on social media. When activities are spotted that do not conform to the signatures, the customer is alerted. “It doesn’t require that an individual provide personal information,” Grayson said.

As with other analytic approaches to security, this protection does not take the place of other tools. “Traditional security products are one piece of a total risk-management profile,” Grayson said. Full security requires a suite of protection, both at the enterprise perimeter and on either side of it.
