29 Jun 2012

Zero Day Attacks – Your security past, present and future

The problem with current security enforcement solutions is that they only enforce the policy that is applied to them. They detect and block what they know to be bad, based on vendor-published signatures. They only alert and report on what they have been told you are interested in seeing. These solutions are incapable of detecting and blocking Zero Day attacks, whether targeted or not. On an ever-decreasing timeline, prevention fails.

Current security enforcement technologies are heavily focused on real time. When they fail to alert using signature technology, the moment is lost. If you blink you will miss it, and never know that there was a targeted Zero Day attack against your network. The promised alert was never triggered, and the information and context of the event is lost forever.

How does it make you feel when you hear or read about a newly discovered vulnerability or Zero Day attack? Do you get that uncomfortable feeling, wondering if you are affected? Do you truly know what is in your network?

Keep in mind the timeline of a vulnerability, and remember that this timeline is accelerating.

How long Zero Day attacks are in circulation before a vulnerability's Disclosure Date is difficult to ascertain. However, we know that Zero Day attacks are used, and used quite often (RSA, Stuxnet, Flame etc.). From our recent consulting research (Vulnerability Data Analysis), the period prior to the Date of Disclosure can be considered the Zero Day attack window. The time window between a generally available exploit and the Disclosure Date is almost zero. In the example of the Metasploit project, there is enough data to state that working exploits are available on the day of disclosure.

This is a significant departure from the general view that IPS will provide some measure of coverage until a patch is released. It’s fair to say that not many vendors can truly detect or prevent Zero Day attacks. So how do you measure and review your exposure until you can apply the new IPS signature or patch? Furthermore, how do you know that the remediation work performed protects you from this specific vulnerability going forward?

The reality with IPS/IDS and Next Generation Firewall vendors is that you won’t know. Until the new signature arrives, you won’t know whether this vulnerability has been exploited in your environment. Assuming the worst has happened and you find that you are vulnerable and there have been exploits, what is your next step?

Device logs may show hints of the exploit in the absence of an IPS alert, but only at a point in time, and then only at the control points where you have deployed the security device. In some cases you may not even be logging the type of traffic (see my previous post Dealing with Data Explosion) required to understand the actual event, so you won’t have enough of the data you require to reconstruct it.
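To make the retrospective argument concrete, here is an added example (not Packetloop's code) that replays a signature, which only became available after disclosure, over retained session records and splits the matches into the three phases of the timeline above: before disclosure (the Zero Day window), before the signature shipped (invisible to a real-time IPS), and after. The signature pattern, session records and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Session:
    """One retained network session; payload holds the captured bytes."""
    day: date
    src: str
    dst: str
    payload: bytes


# Constructed sample data: the pattern is a placeholder, not a real signature.
SIGNATURE = b"EXPLOIT-PATTERN-PLACEHOLDER"
DISCLOSURE_DATE = date(2012, 6, 1)     # constructed public disclosure date
SIGNATURE_RELEASE = date(2012, 6, 8)   # constructed date the IPS signature shipped

RETAINED_SESSIONS = [
    Session(date(2012, 5, 20), "203.0.113.7", "192.0.2.10", b"GET /index.html HTTP/1.1"),
    Session(date(2012, 5, 22), "198.51.100.4", "192.0.2.10", b"POST /upload " + SIGNATURE),
    Session(date(2012, 6, 3), "198.51.100.4", "192.0.2.11", b"data " + SIGNATURE),
    Session(date(2012, 6, 10), "198.51.100.9", "192.0.2.12", SIGNATURE + b" tail"),
]


def find_hits(sessions, signature):
    """Replay the new signature over retained sessions, oldest first."""
    return sorted((s for s in sessions if signature in s.payload), key=lambda s: s.day)


def exposure_report(sessions, signature, disclosure, signature_release):
    """Classify matches by where they fall on the vulnerability timeline."""
    hits = find_hits(sessions, signature)
    if not hits:
        return {"total_hits": 0, "first_seen": None, "zero_day_hits": 0,
                "pre_signature_hits": 0, "blind_window_days": 0}
    first_seen = hits[0].day
    return {
        "total_hits": len(hits),
        "first_seen": first_seen,
        # matches before disclosure: the Zero Day attack window
        "zero_day_hits": sum(1 for h in hits if h.day < disclosure),
        # matches before the signature existed: a real-time IPS could not alert
        "pre_signature_hits": sum(1 for h in hits if h.day < signature_release),
        # days between first exploitation and the first chance of real-time detection
        "blind_window_days": (signature_release - first_seen).days,
    }


if __name__ == "__main__":
    print(exposure_report(RETAINED_SESSIONS, SIGNATURE, DISCLOSURE_DATE, SIGNATURE_RELEASE))
```

The same replay can be rerun every time a new signature arrives, which is exactly what a real-time-only IPS cannot do for traffic it has already forgotten.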

It’s not the kind of problem you want to have, and to be honest these are the kinds of problems we are designing Packetloop to solve. Aside from the high-level goal of visualising opaque networks in respect to Threats, Sessions, Protocols and Files, we want to find Zero Day attacks, identify the breach, establish the time window, determine what was stolen and provide full context of all these events to our Customers. We want Packetloop to play, pause and rewind the actual traffic that was part of the breach and provide as much context as fast as possible: a platform that allows you to easily sift through Terabytes of data and unlock the complex relationships that exist within network traffic streams, and how they change during a successful breach.

By unlocking the power of Big Data and applying it to Security Analytics, you will also be able to gain valuable insight into how your security systems performed during the breach, and where you need to strengthen your defences. There's only so much money to go around. Apportioning your security budget is difficult, especially when you are making decisions without any data. Packetloop shows you your threat landscape and allows you to direct budget to where it offers you the most effective security. Packetloop gives you the Security Analytics you can use to make better decisions, giving you clear intelligence for your network.

Join our Beta release in the coming months and understand the power of Packetloop. We are focused on solving these problems and providing you with the information you need.
