Recently we at Sourcefire have been doing a good deal of talking publicly about our ideas around Information Superiority. The concept is not particularly difficult: network security is a contest over who can bring superior intelligence to bear on network and device security problems. An attacker’s goal is to gain local Information Superiority, leveraging knowledge of an exploit, a default password, a topological flaw, or similar, in order to access a defender’s network or devices. The defender’s job is much harder, because there is so much to know about a modern network environment and it changes so rapidly. The fundamental problem many defenders face is not securing their environment but gaining enough understanding of what they are protecting, and how it is arranged, to begin the continuous process of securing it as it evolves.

The traditional methods of network and asset discovery are ill-suited to Information Superiority because their view of the environment is transient. For example, a common discovery method among security vendors is to use active scanners to interrogate the environment for devices and their configuration, followed by deeper port scanning and credentialed access to build a picture of the network’s composition. The weakness of this collection method is that it produces a picture of a single moment in time. Any change after that is unknown until the next discovery scan, and a device or service whose whole lifecycle falls between two scans is never seen at all.
In the traditional model of security this results in poorly configured security infrastructure, reduced protection, and an increase in false positives (noise) as well as false negatives (missed attacks). At Sourcefire we pioneered continuous network discovery with our RNA and, later, RUA technologies (now FireSIGHT) almost ten years ago as a counter to this fundamental weakness, and it has led to objectively improved results. With the acquisition of Immunet last year we significantly increased the awareness we bring to the security equation, thanks to its vantage point on the network and its continuously updated telemetry about security-interesting events on devices. When I really understood what we could bring to the table in terms of increased awareness, I came up with the term “Information Superiority” to describe where we were headed and why I thought it was important.
There is another side of the problem as well that has only become apparent to me recently.
If you look at the vast majority of “blocking” products available today (IPS, FW, NGFW, AV, etc.), what you see is technologies whose opportunity to provide protection is transient. An IPS only blocks an attack while it is in progress, and has no follow-on capability if the attack isn’t in its signature library. An anti-virus system acts in much the same way. Firewalls, too. Even many of the new network-based client-side malware prevention systems are the same, except that they can discover previously unseen attacks themselves (in many cases after letting the initial attack through).
The problem with this approach is that the security technology has exactly one chance to do the right thing, after which it has no ability to do anything about the attack or its after-effects. A good recent example is the newer network-based client-side malware protection technologies on the market. These frequently rely on sandboxing or other binary analysis techniques, and in many cases when they see a novel piece of content they analyze it out-of-band after letting the content continue on its merry way to its recipient. If an attack is missed it’s gone; these systems have no ability to keep track of “what happens next”. With modern advanced malware the problem should be self-evident: that initial foothold is all that’s required to become deeply embedded in the environment and then mutate and spread.
As the Immunet technology was turned into what has become FireAMP, our advanced malware protection solution for enterprises, it occurred to me that we might be on to something almost entirely new in our industry. FireAMP has a number of really interesting features and capabilities, but the one really strategic thing it does, which I don’t think I’ve seen before, is provide Continuous Capability. What is that, and what does it have to do with Information Superiority? Let me explain.
FireAMP contributes to our overall Information Superiority picture by providing insight into the devices in a network environment and the executable content on those devices. Over time we gain a very detailed picture of what is in an environment and what it is doing, since part of FireAMP is resident on the devices in the network and generates continuous telemetry that is received by our FireCLOUD infrastructure. The other side of the coin is that FireAMP also provides the ability to control and quarantine content on a device, and it can do so at any time, based on whatever information the operator of the product has available.
What does this mean? It means that FireAMP can detect and block advanced malware attempting to execute in an environment if it is recognized as hostile. If it is not recognized by the automated detection engines in FireCLOUD and enters the environment, its every action is still tracked, and the full suite of FireAMP responses remains available at any time. FireAMP never loses visibility of the content and tracks all of its actions continuously. This lets the user respond comprehensively across the entire deployed FireAMP infrastructure at any time: users can clean up not just the initial infection but every mutation and every additional piece of malware it deployed in the environment.
This is what I’m calling Continuous Capability: the ability to respond comprehensively and systemically across a deployed security infrastructure. It relies on Information Superiority in order to work, and is made possible because FireAMP has continuous visibility and tracking of activity by malware (and everything else) at the device level of a network. Once continuous and comprehensive visibility is attained, Continuous Capability becomes possible.
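As an added illustration (not FireAMP’s or Sourcefire’s code, and not a description of how FireAMP is implemented), here is a minimal model of what Continuous Capability requires of the telemetry store: every execution is recorded with the file hash, the host, and the parent file that dropped or launched it, so that when a verdict arrives after the fact the operator can enumerate every host and every descendant file to quarantine. The hash labels, host names and event stream are constructed placeholders, not real samples.

```python
"""Retrospective response over continuous execution telemetry.

Added example, not vendor code. Assumed event shape: a timestamp, a host,
the sha256 of the file that executed, and (when the agent saw it) the sha256
of the parent file that wrote or launched it. Hash values are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ExecEvent:
    ts: int                        # seconds since epoch, as reported by the agent
    host: str
    sha256: str                    # hash of the file that executed
    parent: Optional[str] = None   # hash of the file that dropped/launched it, if known


class Trajectory:
    """Keeps every observed execution so that a verdict arriving later can
    still be acted on. A one-chance product forgets; this store does not."""

    def __init__(self) -> None:
        self.events: List[ExecEvent] = []
        self.hosts_by_hash: Dict[str, Set[str]] = defaultdict(set)
        self.children: Dict[str, Set[str]] = defaultdict(set)
        self.verdicts: Dict[str, str] = {}   # sha256 -> "malicious"

    def record(self, ev: ExecEvent) -> str:
        """Ingest one event. Returns the action taken at execution time:
        "blocked" if the hash is already known bad, otherwise "allowed"
        (unknown content runs, but is remembered along with its lineage)."""
        self.events.append(ev)
        self.hosts_by_hash[ev.sha256].add(ev.host)
        if ev.parent:
            self.children[ev.parent].add(ev.sha256)
        return "blocked" if self.verdicts.get(ev.sha256) == "malicious" else "allowed"

    def descendants(self, sha256: str) -> Set[str]:
        """Transitive closure of files dropped or launched by `sha256`."""
        seen: Set[str] = set()
        stack = [sha256]
        while stack:
            cur = stack.pop()
            for child in self.children.get(cur, ()):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def retrospective(self, sha256: str) -> Dict[str, Set[str]]:
        """A hash has just been judged malicious. Return host -> hashes to
        quarantine on that host, covering the file and everything it spawned,
        across the whole deployment, regardless of when it ran."""
        self.verdicts[sha256] = "malicious"
        targets = {sha256} | self.descendants(sha256)
        plan: Dict[str, Set[str]] = defaultdict(set)
        for h in targets:
            for host in self.hosts_by_hash.get(h, ()):
                plan[host].add(h)
        return dict(plan)


def demo() -> Tuple[Dict[str, Set[str]], str]:
    """Constructed event stream (placeholder hashes and hosts)."""
    t = Trajectory()
    stream = [
        ExecEvent(100, "ws-01", "h_dropper"),                      # unknown, let through
        ExecEvent(105, "ws-01", "h_payload", parent="h_dropper"),  # dropped payload
        ExecEvent(300, "ws-07", "h_dropper"),                      # same dropper, new host
        ExecEvent(310, "ws-07", "h_variant", parent="h_dropper"),  # mutated build
        ExecEvent(320, "srv-02", "h_variant"),                     # lateral copy, parent unseen
        ExecEvent(400, "ws-01", "h_editor"),                       # benign, unrelated
    ]
    first_pass = [t.record(ev) for ev in stream]
    if first_pass != ["allowed"] * len(stream):
        raise RuntimeError("nothing should be known bad on first sight")
    # Hours later the analysis engine (or an analyst) decides h_dropper is hostile.
    plan = t.retrospective("h_dropper")
    # From now on the same hash is stopped at execution time on any host.
    later = t.record(ExecEvent(500, "ws-09", "h_dropper"))
    return plan, later


if __name__ == "__main__":
    plan, later = demo()
    for host, hashes in sorted(plan.items()):
        print(host, sorted(hashes))
    print("new execution of h_dropper:", later)
```

The parent links are what make the last sentence of the paragraph above achievable: the variant that reached srv-02 by lateral copy still lands in the cleanup plan because it descends from the original dropper, even though no parent was observed on that host. A product with only one chance to act has none of this state to consult once the dropper has been let through.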
The next frontier for these ideas is the network level. Today IDS/IPS and firewalls/NGFW provide many of the control mechanisms for a comprehensive, systemic response to identified hostile activity, but the telemetry stream isn’t there in a timely fashion, because we are working from purely rule-based and signature-driven models instead of using activity-driven telemetry collection and analysis as the foundation of the rule/signature models. If the engineering problems are worked out, perhaps someday network-based security technologies will also offer Continuous Capability.