For the past 25 years, a war has raged between malicious programmers and the researchers trying to make computing safe for the enterprise. The battle shows no sign of subsiding: once a new countermeasure is deployed, attackers find a way around it and give IT something new to worry about.
“Almost all malicious software comes from the Web, but the Web is becoming much more transactional,” says Gartner analyst Peter Firstbrook, referring to corporate America’s growing reliance on Web sites like Salesforce.com to conduct business. He also says that as many as 60 percent of all publicly accessible Web sites are infected with malware. That means the enterprise needs to deploy ever-more-intelligent systems to combat these threats.
Meanwhile, the world’s top security labs — such as those operated by Symantec, VeriSign, McAfee, Kaspersky and Kindsight — are working on innovative countermeasures that will soon make their way to the gateway appliances used in data centers, and none too soon. Here are five approaches security experts are taking to help beat the bad guys:
1. Predict Attacks by Mining Hacker Chatter on Twitter
In the movie “Minority Report,” agents used “precognitive” techniques to stop a murder before it happened. At Verisign Labs, new research conducted with Purdue University shows how predictive analysis can stop infections before they occur, helping the enterprise stay one step ahead of hackers.
The idea is to scan the publicly available Twitter activity of hackers and compare discussions about specific domains with existing threat databases, in order to assign a security “reputation” to Web site domains. For example, hackers may discuss creating a new Web site to exploit a scandal in the news; if the site is registered shortly after the Twitter discussion and code quickly appears on it, the site would be flagged as malicious.
“We are connecting the dots between users and applications,” says Burt Kaliski, the CTO of Verisign, explaining how this new technique uses social behavior to track down hackers.
For the enterprise, it means the research could lead to an appliance that quickly categorizes sites according to reputation, with the rankings updated continuously as new Twitter activity is analyzed.
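The heuristic described above, as an added example that is not Verisign Labs' or Purdue's code: it extracts domains from chatter, checks whether the people discussing them are already in a threat database, and scores a domain higher when its registration, and then its first hosted code, follow the discussion within a short window. The tweets, actor handles, registration and crawl timestamps, point values and thresholds are all constructed for the illustration.

```python
"""Domain reputation from hacker chatter: flag domains that are discussed by known
actors and then registered (and populated with code) shortly afterwards.
Added illustration only; not Verisign Labs' or Purdue's system. All tweets,
actor handles, registration and crawl timestamps are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


@dataclass
class Tweet:
    author: str
    posted: datetime
    text: str


# Constructed sample chatter. The ".example" TLD is reserved for documentation.
TWEETS = [
    Tweet("mal_actor1", datetime(2012, 3, 1, 9, 0),
          "spinning up celeb-scandal-pics.example to ride today's news"),
    Tweet("mal_actor2", datetime(2012, 3, 1, 9, 30),
          "celeb-scandal-pics.example kit is ready, who has traffic?"),
    Tweet("alice", datetime(2012, 3, 1, 10, 0),
          "nice write-up over at corp-blog.example"),
]
KNOWN_ACTORS = {"mal_actor1", "mal_actor2"}   # handles already in a threat database
REGISTRATIONS = {                              # domain -> creation time (stands in for WHOIS)
    "celeb-scandal-pics.example": datetime(2012, 3, 1, 11, 15),
    "corp-blog.example": datetime(2009, 6, 2),
}
FIRST_CONTENT = {                              # domain -> when a crawler first saw code there
    "celeb-scandal-pics.example": datetime(2012, 3, 1, 13, 0),
    "corp-blog.example": datetime(2009, 6, 3),
}


def extract_domains(text):
    """Return the set of domain names mentioned in a piece of text, lower-cased."""
    return {m.lower() for m in DOMAIN_RE.findall(text)}


def score_domain(domain, tweets, registrations, first_content, known_actors,
                 window=timedelta(days=2)):
    """Score one domain. Points are added for (a) being discussed by known actors,
    (b) being registered within `window` after the first mention, and (c) code
    appearing within `window` after registration. Point values are assumptions."""
    mentions = [t for t in tweets if domain in extract_domains(t.text)]
    if not mentions:
        return 0, ["no chatter"]
    score, reasons = 0, []
    first_mention = min(t.posted for t in mentions)
    actors = {t.author for t in mentions} & known_actors
    if actors:
        score += 50
        reasons.append("discussed by known actors: " + ", ".join(sorted(actors)))
    registered = registrations.get(domain)
    if registered and first_mention <= registered <= first_mention + window:
        score += 30
        reasons.append("registered shortly after being discussed")
        seen = first_content.get(domain)
        if seen and registered <= seen <= registered + window:
            score += 20
            reasons.append("code appeared shortly after registration")
    return score, reasons


def verdict(score):
    """Map a score to a reputation label (thresholds are assumptions)."""
    if score >= 80:
        return "malicious"
    if score >= 30:
        return "suspicious"
    return "unknown"


def reputation_report(tweets, registrations, first_content, known_actors):
    """Score every domain that appears anywhere in the chatter."""
    domains = set().union(*(extract_domains(t.text) for t in tweets))
    report = {}
    for d in sorted(domains):
        score, reasons = score_domain(d, tweets, registrations, first_content, known_actors)
        report[d] = {"score": score, "verdict": verdict(score), "reasons": reasons}
    return report


if __name__ == "__main__":
    for d, r in reputation_report(TWEETS, REGISTRATIONS, FIRST_CONTENT, KNOWN_ACTORS).items():
        print(f"{d:30} {r['verdict']:10} {r['score']:3}  {'; '.join(r['reasons'])}")
```

Note that the timing signals only count when registration follows the discussion: a long-established domain that happens to be mentioned scores nothing from them, which keeps ordinary sites from being flagged merely because someone tweeted about them.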
Firstbrook says these techniques are important because, once you track down one site from a malware purveyor, you can usually start uncovering more sites and build a database of activity. He says Blue Coat Systems’ WebPulse ( http://www.bluecoat.com/security/webpulse ) uses a similar “reputation analysis” technique to scan for domain registrations by known hackers. He also notes that most security labs already monitor chat rooms and that Verisign “will not solve the problems of the world by monitoring Twitter.”
Rob Enderle, a principal analyst at Enderle Group, says these early-warning systems will be valuable to the enterprise because they provide some amount of preparedness for an impending attack, especially if it is a Stuxnet-style threat.
2. Scan Outgoing Traffic for Signs of Client Infection
The traditional approach to IT security involves scanning endpoints for nefarious agents – the malware, spyware and viruses that can cause damage to the enterprise. Many large companies have learned to inspect endpoint traffic in both directions: an appliance that inspects inbound traffic can block attacks before they infect client devices, while one that inspects outbound traffic can spot the calls home made by clients that are already infected. Once the outgoing activity is flagged, administrators identify the culprit on the client and remove it.
Kindsight Security Labs, founded in November, is working on research that scans outgoing traffic as a way to find out which clients have been infected. The innovation is that the security appliance’s sensors use 16, 32 or even 64 processor cores and a 10 Gbps switch to monitor traffic for broadband carriers. (The sensors are now available as a product for Internet service providers, but testing the outbound traffic is still a lab project.) Each appliance can be scaled to support 250,000 users. In tests, Kindsight has installed as many as eight appliances that can support one million users.
“We monitor traffic and dynamic IP allocations and can tie that back to the subscriber,” says Kevin McNamee, security architect and director of Kindsight Security Labs, who says the provider can then contact subscribers about possible infections. This network intelligence means the provider can be more proactive and offer steps to eradicate a threat. For the enterprise, this model can show how IT staff could monitor threats and tie infections back to specific devices, at an enterprise scale.
Scanning for suspicious activity can often lead to finding the culprit on the client device. “This technology can monitor outbound communication and look for ‘phone homes’ to see if a client is infected and try to figure out what is going on,” says Firstbrook, the Gartner analyst.
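The two steps described above, as an added example that is not Kindsight's sensor code: find outbound connection series whose timing is too regular to be a person browsing (the "phone home" pattern), then map the source address at that moment back to the device and subscriber holding the DHCP lease, since a dynamic pool reuses addresses and a lookup that ignores time would blame the wrong customer. The flow records, lease table and jitter threshold are constructed.

```python
"""Beacon detection over flow records, with time-bounded attribution of the
source IP through a DHCP lease log. Added illustration only, not Kindsight's
sensor; the flow log, lease table and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow export: timestamp src dst dport bytes_out.
# 10.1.2.3 contacts 203.0.113.7:443 every five minutes with near-identical sizes,
# and also browses 198.51.100.20 at irregular times; 10.1.2.9 is a quiet host.
FLOW_LOG = """\
2012-03-01T10:00:00 10.1.2.3 203.0.113.7 443 612
2012-03-01T10:05:00 10.1.2.3 203.0.113.7 443 598
2012-03-01T10:10:01 10.1.2.3 203.0.113.7 443 605
2012-03-01T10:15:00 10.1.2.3 203.0.113.7 443 611
2012-03-01T10:20:00 10.1.2.3 203.0.113.7 443 602
2012-03-01T10:02:13 10.1.2.3 198.51.100.20 80 14023
2012-03-01T10:07:40 10.1.2.3 198.51.100.20 80 8821
2012-03-01T10:31:05 10.1.2.3 198.51.100.20 80 22110
2012-03-01T10:01:00 10.1.2.9 198.51.100.44 443 4400
2012-03-01T10:44:00 10.1.2.9 198.51.100.44 443 5120
"""

# Constructed DHCP lease log: (lease_start, lease_end, ip, mac, subscriber).
# Note that 10.1.2.3 is reassigned to a different subscriber at noon.
LEASES = [
    (datetime(2012, 3, 1, 8), datetime(2012, 3, 1, 12), "10.1.2.3", "aa:bb:cc:00:11:22", "sub-1001"),
    (datetime(2012, 3, 1, 12), datetime(2012, 3, 1, 16), "10.1.2.3", "aa:bb:cc:33:44:55", "sub-2002"),
    (datetime(2012, 3, 1, 8), datetime(2012, 3, 1, 12), "10.1.2.9", "aa:bb:cc:66:77:88", "sub-3003"),
]


def parse_flow_lines(text):
    """Parse 'timestamp src dst dport bytes' lines (a simplified flow export)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_beacons(flows, min_events=4, max_jitter=0.2):
    """Return {(src, dst, dport): {...}} for connection series whose inter-arrival
    times are nearly constant (coefficient of variation <= max_jitter), the
    signature of a scheduled check-in rather than human activity."""
    series = defaultdict(list)
    for f in flows:
        series[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = {"count": len(stamps), "interval": avg, "first_seen": stamps[0]}
    return beacons


def attribute(ip, when, leases):
    """Map an IP at a point in time to (mac, subscriber) via the lease log.
    Dynamic pools reuse addresses, so the lookup must be bounded by lease time."""
    for start, end, lease_ip, mac, subscriber in leases:
        if lease_ip == ip and start <= when < end:
            return mac, subscriber
    return None


def report(flows, leases):
    """Join detected beacons with the device/subscriber that held the address."""
    findings = []
    for (src, dst, dport), info in find_beacons(flows).items():
        owner = attribute(src, info["first_seen"], leases)
        findings.append({"src": src, "dst": dst, "dport": dport,
                         "interval_s": info["interval"], "count": info["count"],
                         "mac": owner[0] if owner else None,
                         "subscriber": owner[1] if owner else None})
    return findings


if __name__ == "__main__":
    for finding in report(parse_flow_lines(FLOW_LOG), LEASES):
        print(finding)
```

A real sensor would add destination reputation and payload-size regularity to the timing test, and would need to tolerate hosts that legitimately poll on a schedule (update checkers, mail clients), which is where an allowlist of known-good destinations belongs.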
Firstbrook says there is one problem with the model for enterprise computing. In a large organization, there is often a disconnect between the networking team and desktop operations. One monitors traffic on the network and the other scans client devices for infections, but they are often separate teams that do not work closely together.
Enderle argues that this type of outbound scanning will be all but required for every large enterprise because of the proliferation of Android devices, which he says are extremely vulnerable to attacks.
3. Create a Unified Database for Judging Code
One of the age-old problems with virus-detection software is that, when a new virus starts attacking corporate computers, the signature files it relies on often cannot detect the new threat until they are updated.
In order to figure out whether unknown chunks of code are malicious or not, security vendor Kaspersky Lab has patented a technique for building an XML database that combines research from multiple labs, databases, antivirus modules and other sources.
Essentially, the technique builds an XML-formatted record of trustworthiness for new pieces of software and Web sites. The XML would be “open source” in that all labs could feed data into it and use the data.
“The statistics about unknown objects, such as executable files or URLs, are gathered from a range of sources, such as user computers where our antivirus products are installed,” says Oleg Zaitsev, the researcher who invented the system. “They are then accumulated at our end and sent to various services using a unified format for viewing data. The services receive incoming information and use it as a basis for assigning a verdict — whether the unknown file is malicious.”
Firstbrook notes that this idea of sharing trustworthiness about new apps and Web sites is already commonplace among competing labs, but the new research seeks to formalize the process. He says labs will write initial code to combat a threat, and then even pass that code on to other labs. With a standard XML database, the process would run more smoothly and effectively.
The research has major implications for how enterprises conduct security sweeps. For example, Zaitsev says large companies could similarly collect code reputation information, even from competing companies, and then study the data either for immediate action or long-term analysis.
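The exchange described in this section, as an added example that is not Kaspersky Lab's code: several labs report what they have seen about an unknown file or URL in a shared XML format, the reports are merged per object into a confidence-weighted score, and a verdict is emitted in the same format so any participant can consume it. The XML layout is a hypothetical exchange format rather than the patented schema, the two lab reports are constructed, the object identifiers are short placeholder digests, and the weighting and thresholds are assumptions.

```python
"""Merging code-reputation reports from several labs into one verdict.
Added illustration only; the XML layout is a hypothetical exchange format,
not Kaspersky Lab's schema, and both reports are constructed. Object
identifiers are short placeholder digests, not real file hashes."""
import xml.etree.ElementTree as ET
from collections import defaultdict

LAB_A = """<reputation source="lab-a">
  <object type="file" id="sha256:0f1e2d3c4b5a6978">
    <observation verdict="malicious" confidence="0.9" seen="1200"/>
  </object>
  <object type="url" id="http://download.example/setup.exe">
    <observation verdict="suspicious" confidence="0.6" seen="30"/>
  </object>
</reputation>"""

LAB_B = """<reputation source="lab-b">
  <object type="file" id="sha256:0f1e2d3c4b5a6978">
    <observation verdict="malicious" confidence="0.8" seen="400"/>
  </object>
  <object type="file" id="sha256:8796a5b4c3d2e1f0">
    <observation verdict="clean" confidence="0.95" seen="90000"/>
  </object>
  <object type="url" id="http://download.example/setup.exe">
    <observation verdict="clean" confidence="0.5" seen="10"/>
  </object>
</reputation>"""

VERDICT_WEIGHT = {"malicious": 1.0, "suspicious": 0.5, "clean": 0.0}


def parse_report(xml_text):
    """Flatten one lab's <reputation> document into observation records."""
    root = ET.fromstring(xml_text)
    source = root.get("source")
    records = []
    for obj in root.findall("object"):
        for obs in obj.findall("observation"):
            records.append({
                "source": source, "type": obj.get("type"), "id": obj.get("id"),
                "verdict": obs.get("verdict"),
                "confidence": float(obs.get("confidence")),
                "seen": int(obs.get("seen")),
            })
    return records


def merge(observations):
    """Combine observations per object into a confidence-weighted score and verdict.
    A single lab cannot on its own push an object to 'malicious': corroboration
    from a second source is required. Thresholds are assumptions."""
    by_object = defaultdict(list)
    for o in observations:
        by_object[(o["type"], o["id"])].append(o)
    merged = {}
    for key, obs in by_object.items():
        total = sum(o["confidence"] for o in obs)
        score = sum(VERDICT_WEIGHT[o["verdict"]] * o["confidence"] for o in obs) / total
        sources = sorted({o["source"] for o in obs})
        if score >= 0.7:
            verdict = "malicious" if len(sources) >= 2 else "suspicious"
        elif score >= 0.25:
            verdict = "suspicious"
        else:
            verdict = "clean"
        merged[key] = {"score": round(score, 3), "verdict": verdict,
                       "sources": sources, "seen": sum(o["seen"] for o in obs)}
    return merged


def to_xml(merged):
    """Serialize the unified verdicts in the same format so any lab can consume them."""
    root = ET.Element("reputation", source="merged")
    for (otype, oid), v in sorted(merged.items()):
        obj = ET.SubElement(root, "object", type=otype, id=oid)
        ET.SubElement(obj, "observation", verdict=v["verdict"], confidence=str(v["score"]),
                      seen=str(v["seen"]), sources=",".join(v["sources"]))
    return ET.tostring(root, encoding="unicode")


def unified_verdicts(reports):
    """Parse every lab report and merge them."""
    return merge([o for r in reports for o in parse_report(r)])


if __name__ == "__main__":
    print(to_xml(unified_verdicts([LAB_A, LAB_B])))
```

The file both labs call malicious comes out malicious; the URL on which they disagree comes out suspicious rather than either lab's verdict; and a malicious call from one lab alone stays at suspicious until another source corroborates it, which is the property an enterprise wants before it acts on data pulled in from competing vendors.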
4. Block Rootkit Attacks at the Silicon Level
One of the most nefarious attacks on enterprises involves a rootkit program that runs before the operating system even loads. McAfee Labs has developed a new analysis engine called DeepSafe that can scan the kernel and other code that loads when a computer first boots. DeepSafe has already shipped in a product called Deep Defender; the next step, still in the research phase, is to tie new rootkit-scanning techniques to the actual processor development at Intel, a step that makes sense for McAfee now that the security vendor is a wholly owned subsidiary of Intel.
“The vision we have with Intel is for worry-free computing,” says Vimal Solanki, executive vice president for corporate strategy at McAfee, who envisions a day when every tablet, notebook, smartphone and desktop computer has security protection at the silicon level.
Firstbrook says DeepSafe is an ambitious project. He says the one major advantage over other rootkit scanners is that DeepSafe works in real time, blocking threats before they trigger. It also has a disadvantage, Firstbrook says: it works only on Intel processors and only with Windows 7.
For the enterprise, kernel-level detection is critical, he says, but executives should be aware that this kind of protection is not cheap and the analysis can lead to some alarming false-positives.
5. Prevent Employees From Leaking Company Data in the Cloud
One of the most ambitious security research projects is code-named O3 (or Ozone) at Symantec Research Labs. It addresses one of the vexing issues for corporations: with Web-based applications like Salesforce.com or Dropbox becoming the norm, employees tend to share documents that contain confidential business information without taking security precautions.
O3 is a single-sign-on process that remote employees use to gain access to Web apps. Anyone working from home or at a coffee shop for the day would use the O3 sign-on to be authenticated on the network, and then would be able to access Web applications. This gives IT two things at once: users are authenticated and the data they share can be tracked, while employees still get to use the online services they need to stay productive.
Rob Koeten, the O3 project lead at Symantec, says this protection is like another ozone layer above the cloud. He says it’s partly a realization that employees will use iPads and other devices to access corporate networks and share information in the cloud. Companies may not wish to restrict those devices or those services, but O3 lets them add a device-independent security layer. Corporate IT can analyze the flow of data and block access to sensitive company data while allowing other kinds of data.
“Portable devices are believed to generally be unsecure and this provides another layer of security on top of them,” says Enderle. Even more important, he says, is the potential to limit “Wikileaks-type of events by restricting the ability to pass this information” outside of the enterprise.
Firstbrook calls O3 a “Dropbox for the enterprise” in that the content sharing is not complicated, yet behind the scenes IT can lock down access to some services (like Facebook) while allowing others.
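A gateway of the kind this section describes, as an added example that is not Symantec's O3 code: after single sign-on the user carries a signed session token; on each request the gateway verifies the token, checks the destination service against a policy table, and, for uploads, classifies the content so that sensitive documents can only go to services approved for them while ordinary material flows freely. The token format, the gateway key, the service policy table and the sensitivity markers are all constructed for the illustration.

```python
"""Policy gateway in the style of a single-sign-on layer in front of Web apps:
verify the session token, then allow or deny a request based on the target
service and the sensitivity of the content. Added illustration only; not
Symantec's O3. Token format, key, service table and markers are constructed."""
import base64
import binascii
import hashlib
import hmac
import json
import re

GATEWAY_KEY = b"constructed-demo-key-do-not-reuse"   # in practice, from an HSM or key service

# Constructed policy: may the service be reached at all, and may documents
# classified as sensitive be uploaded to it?
SERVICES = {
    "salesforce.example": {"allowed": True, "sensitive_ok": True},
    "dropbox.example": {"allowed": True, "sensitive_ok": False},
    "facebook.example": {"allowed": False, "sensitive_ok": False},
}

# Constructed content markers: a document classification stamp and an SSN-shaped number.
SENSITIVE_PATTERNS = [
    re.compile(r"\bCONFIDENTIAL\b"),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
]


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, now, ttl=3600, key=GATEWAY_KEY):
    """Mint a session token after SSO: base64url(claims).base64url(HMAC-SHA256)."""
    claims = json.dumps({"sub": user, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(key, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(sig)


def verify_token(token, now, key=GATEWAY_KEY):
    """Return the user name if the token is intact and unexpired, else None."""
    try:
        claims_b64, sig_b64 = token.split(".")
        claims, sig = _unb64(claims_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):     # constant-time comparison
        return None
    try:
        parsed = json.loads(claims)
    except ValueError:
        return None
    if not isinstance(parsed, dict) or parsed.get("exp", 0) <= now:
        return None
    return parsed.get("sub")


def classify(content):
    """'sensitive' if any marker matches, otherwise 'public'."""
    return "sensitive" if any(p.search(content) for p in SENSITIVE_PATTERNS) else "public"


def decide(token, service, action, content, now):
    """Gateway decision for one request; the returned dict doubles as an audit record."""
    user = verify_token(token, now)
    if user is None:
        return {"allow": False, "user": None, "reason": "not authenticated"}
    policy = SERVICES.get(service)
    if policy is None or not policy["allowed"]:
        return {"allow": False, "user": user, "reason": f"service {service} not approved"}
    label = classify(content) if action == "upload" else "n/a"
    if label == "sensitive" and not policy["sensitive_ok"]:
        return {"allow": False, "user": user,
                "reason": f"sensitive content may not be sent to {service}"}
    return {"allow": True, "user": user, "reason": f"{action} of {label} content permitted"}


if __name__ == "__main__":
    now = 1_330_600_000
    tok = issue_token("alice", now)
    for svc, act, body in [("salesforce.example", "upload", "Q3 pipeline notes"),
                           ("dropbox.example", "upload", "CONFIDENTIAL merger plan"),
                           ("facebook.example", "read", "")]:
        print(svc, decide(tok, svc, act, body, now))
```

The decision order matters: authentication is checked before anything is inspected, so an unauthenticated client learns nothing about which services or markers exist, and the content check runs only for uploads, which is where data leaves the enterprise. The marker list here is deliberately small; a production deployment would plug in a real classifier at the same point.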
John Brandon is a former IT manager at a Fortune 100 company who now writes about technology.