In-Depth

Battling Blended Threats with Pattern Detection

IT needs to move from looking at events coming from particular sensors to recognizing patterns of activity coming into that infrastructure.

• By Mathew Schwartz
• 01/21/2004

Many experts peg blended threats—worms able to move through multiple means, plus carry operating system-specific payloads for example—as the next big threat for enterprise computers.

An enterprise information security should gain blended threat resistance, says John Summers, global director of managed security services for Unisys. Sounds easy, but a bevy of caveats stop most companies from just jumping in. The problem: the same layers of defense now protecting companies and their otherwise porous networks from attack make visualizing and pinpointing blended threat origin difficult.

Security Strategies spoke with Summers about how companies can clear the hurdle of layering their defense yet rapidly extract the crucial data needed to track outbreaks that do make it past corporate network defenses.

Blended threats, worm outbreaks, software vulnerabilities—how are companies responding to recent threats?

The balance that a CIO or CISO has to hit is to spend enough money to protect the infrastructure from both disruption and theft. You need to put in barriers and access controls to only let the good guys in, and then you’ve got to have visibility, so that if something bad does happen, you will notice and you'll have the appropriate data collected so you can go and figure out—should you get hacked—what happened and who did it.

So it's protection, awareness, and auditing. Now if you do all that right, it will protect you against cyber-terrorism [and other threats] to a reasonable degree. The question is, how much money do you need to spend to achieve that? Of course, that’s a different [figure] for a bank, say, than a Web site.

Sounds easy, but of course this being security, it’s probably difficult to get there.

What's hard is the visibility across all of your infrastructures. A good security infrastructure is a layered infrastructure. You've heard the term "defense in depth"—you want to have a good firewall on the perimeter, then on the inner zone, IDS (intrusion detection system) sensors to notice when bad things happen, then IDS on specific servers. What's hard—even when you've got that sort of defense in depth, and more and more companies are getting to that layering—is to move from events coming from particular sensors to patterns of activity coming into that infrastructure.

No doubt last year illustrated that?

During the month of August 2003 [alone] we had all those worms that hit and just laid people's networks to waste. Those were multi-step attacks. That wasn't just one thing happening—there were a number of things. To detect that, you need to look at events that are occurring across multiple events in your infrastructure, and looking at that over a specific amount of time, and that's what you have to watch in order to say that was Welchia. But that sort of visibility is hard.

Why is pattern detection so difficult?

A lot of data comes in, and there are some commercial packages that can help with it, but they tend to be very expensive. This is an area of focus for Unisys, from a managed security perspective, because what we're going to be doing is putting that [pattern detection] service in place and letting them take advantage of it on a so-called by-the-drink basis. [Normally] to get from event management to pattern detection is a lot of software, money, and bodies.

Once a company can match events to patterns, what happens?

Let me tell you about a specific example from the month of August 2003. For one of our customers, we manage and monitor an IDS network—and the IDS devices scattered through its network—and, like most companies, it got hit with the worm attack, and the issue was those were hard things to keep from getting into your network, because everyone's network is porous. Remote workers connect from home, they’re infected, boom, you're infected.

So the question was, where does the damage come from and how do we remediate? Specifically for the Naachi worm, we wrote specific correlation rules that said if you see a specific sequence of events happening, that is the signature of Naachi, and let's look at the specific source. So every hour, these rules would fire and identify specific computers or servers within their infrastructure that were infected. So we were having conference calls every hour, essentially giving [this company] a map across its infrastructure as to where it was infected. So it helped them remediate the network much, much faster than it could without an information service.

In the wake of blended threats, are companies shifting their security thinking?

Yes, it’s not just about security as protection, it's also about security as awareness and remediation. When you've got all three of those, well, you can try and put a wall around your infrastructure. But there's always going to be a way through—it's almost impossible to wall yourself off. The most complicated [things] mankind has built are pieces of software, and it's almost impossible to bulletproof.

So then it's about: do you notice, and what do you do if you notice? So [to have] a good enterprise security architecture, you do have good monitoring capabilities—24 by 7 by 365—and you have a good response time. And the Unisys response plan … it's a lot of software, a lot of servers, a lot of people-hours, and [you can] buy that as a service or make the full investment yourself.

What are the numbers for outsourcing security like this?

I don't have specific numbers to give you, but … one of the customers we've got for this service, they already run a network operations center themselves, they already have a specific monitoring staff, and they run operations 24/7. Their issue was how do I keep top-notch security talent available during that midnight shift? So they're purchasing that service because it's a more cost-effective way for them to have top-notch security available for that after-hours shift, which is, by the way, when hackers are likely to attack. So while I can't give you specific numbers, they did crunch the numbers, they're a financial firm, the return was there for them.