Rethinking Security/Network Boundaries

IT is reassessing how network administrators and security personnel can work together more effectively

Security: the new networking? While the change won’t happen tomorrow, moves are underway. Thank the growth of unauthorized instant messaging (IM) and peer-to-peer (P2P) use, plus fast-spawning worms able to quickly cripple corporate networks. With the need to balance the network’s security with its speed and uptime, many organizations are reassessing how staff from security and network administration can be better together. Security Strategies spoke about the trend with William “Sandy” Bird, the chief technology officer of Q1 Labs in Waltham, Mass.; the company makes QRadar, a real-time network behavior monitoring tool.

What’s the security rationale behind viewing the network’s behavior in real time?

Well, you could isolate Blaster, for example, down to the exact machines responsible for the infection. We’ve also seen, after deploying it, a huge pull to the networking group as well … to do things like bandwidth analysis, or … [after] deploying a new Oracle application, seeing the effect on the network.

What was the impetus for Q1’s approach?

The original idea came from [Q1 chief architect] Chris Newton, who was managing networks for about 13 universities and colleges. You can imagine what a nightmare that would be … He was having security-based events happen, and it was taking him quite a long time to solve them, so he had the idea that if he could track all the behavior on the network, but track how it happens, that he could solve a lot of these problems.

How do you track what’s happening on the network?

The whole premise of the technology is, it starts out with a surveillance of the network, [using] Cflow [packet routing]… a [Cisco-invented] method of auditing transactions in a network. We took that and extended it into the application layer … [to see] how applications are communicating from an application perspective, geographically, [and so on] … We build profiles, then monitor those for changes.

From that profiling side, we [can also] not only detect the next security-based [threats], such as worms, but [we’re] also a system for doing security policies … Organizations have visibility into what’s going on. For example, maybe you don’t want AOL [IM] showing up, because it’s not something you’re going to patch when it comes up [for repair].

Given the capabilities of tools like this, are you seeing more crossover between the networking and security groups in companies?

There’s a transition happening … Fifteen years ago, there was no such thing as a security department, it was all networking. Then as these attacks started happening, there was the need to have someone dedicated to [security]. Then as time went forward, there started to be these very separate functions—we had network and security people and they didn’t communicate very well.

In the last year, however we’re seeing a change … When a worm rips through your network, it’s a security problem because it has to be patched, but it’s also a network issue, it takes it down …

[Still,] the network guys are the “go” guys, make everything happen as fast as possible, and security wants to secure it all and slow it down … [This tension] is giving [organizations] the synergy to look back and forth. Some of the companies I work with now already … [have] groups starting to work with each other.

Don’t many security professionals still come from the networking side?

The best security people come from the network [side]. If you look at the guys who’ve truly been successful in security, a lot … have network backgrounds and just understand how it works.

What are the big catalysts for organizations to rethink their network and security groups’ relationship?

The first catalyst for it was … you had the big denial-of-service attacks happening … [Then] you had a lot of these worms hitting that were very devastating. They were taking down 911 services, people were affected. But the reality was people had purchased all these IDS’s [intrusion detection systems] and they weren’t helping …

Now, as we become more dependent on these networks, [companies need better visibility] … Also, security devices are never going to tell you that the application you just installed is poorly written, it’s broadcasting all sorts of information, but a product such as Q1 Radar will tell you, “this isn’t a security event, but [you better take a look at this].” As opposed to before, when we had a problem, we had to go pull a sniffer out of the closet and hope that what happened 10 minutes ago happens again.

If the network monitoring software sees suspicious behavior, can it automatically corral it?

Companies can define policies, be alerted … if behavior changes … [and] they can do actions based on an event. We even have one customer using alarms now as triggers to move machines into a VLAN [virtual LAN] that talks to a proxy server, and says to the user, "You need to download updates to remediate the problem." We see research networks and universities, for starters, doing [auto-remediation]. We also have some customers afraid of auto-remediation.

How exactly did the customer employ the VLAN?

[It] did some DNS trickery to actually inform some people [via] a Web page, “You have a half hour to fix it,” and … if [by] the third [warning] the user hadn’t fixed it, they pulled the machine off the network. They found 70 percent of the people actually fixed the problem on their own.

Given the growth of P2P and IM, how difficult is it, via real-time network monitoring, to unveil applications trying to disguise themselves?

[When we started looking at this] we discovered that more and more of these applications, especially the ones that were trying to hide, were trying to mimic Web traffic, [yet] when you dug down … it didn’t really look like [what it was mimicking]. About a year ago, we shifted to the application side of the house to try and detect those kinds of things.

The other thing we discovered from a security perspective was, when someone installs a [prohibited] application on a machine … they’ll install it on a port that looks like something else, such as the FTP or Web port, and to most network managers it looks like regular traffic. But … [if you look] beyond just header information, you see it’s not.

How rampant is P2P inside companies?

A percentage of our accounts are educationally based, and we have a background for this kind of stuff, but you’d be amazed how many enterprises we deploy into say, “We don’t have that going on.” Well, sorry, [in the corporate realm] we see quite a bit of [P2P]… or even gaming servers, because [the networks] typically have really high bandwidth links.

Can organizations feed information from existing security devices into your network view?

We do pull information in from firewalls, because there is valuable information there, and IDS’s—if you have an IDS that’s properly tuned … The reality is IDS needs to be properly set up. And typically with [a network analysis product such as this] you’re going to get 15 to 20 events per day you’re going to need to look at, not thousands [as with] an IDS.

One of the things we do differently than a typical security product is, where they’re looking for specific attacks, we look at the big picture, so when … a device—an IDS—might have [reported] an attack, we can follow on and say yes, but there’s not been repeat communication between the machine and server, which would indicate an attack. Whereas if two hours later we monitor a lot more SSH traffic between a machine and that server, we can flag that … We can flag those things that are behavioral changes, like a Trojan … or normal traffic the IDS wouldn’t pick up. We’ll still pick that up and report on that.

How do security managers conceptualize where this kind of technology would fit in their infrastructure?

Network behavior anomaly detection (NBAT), it’s the category Q1 Radar has been placed in, [though] … we [can] pull information from the IDS, which an NBAT doesn’t necessarily have to do.

Are any industries especial early users?

With any technology, you’ll end up with early adopters that aren’t typically any verticals in particular … but government to financial to media companies, there’s a broad range of companies across the board, even petrochemical and gas companies …. [Typically] it’s the people who have already deployed IDS … They have seen the limitations and are trying to address them.