29 Jun 2012

Zero Day Attacks – Your security past, present and future

Friday, June 29, 2012
The problem with current security enforcement solutions is that they only enforce the policy that is applied to them. They detect and block what they know to be bad based on vendor published signatures. They only alert and report on what they have been told you are interested in seeing. These solutions are incapable of detecting and blocking Zero Day attacks, whether they are targeted or not. On an ever decreasing timeline, prevention fails.

Current security enforcement technologies are heavily focused on real-time. When they fail to alert using signature technology the moment is lost. If you blink you will miss it and never know that there was a targeted Zero Day attack against your network. The promised alert was never triggered and the information and context of the event is lost forever.

How does it make you feel when you hear or read about a newly discovered vulnerability or Zero Day attack? Do you get that uncomfortable feeling, wondering if you are affected? Do you truly know what is in your network?

Keep in mind the timeline of a vulnerability, remembering that the timeline is accelerating.

How long Zero Day attacks are in circulation before a vulnerability's Disclosure Date is difficult to ascertain. However, we know that Zero Day attacks are used, and used quite often (RSA, Stuxnet, Flame etc). From our recent consulting research (Vulnerability Data Analysis), the time period prior to the Date of Disclosure can be considered the Zero Day attack window. The time window between a generally available exploit and the Disclosure Date is almost zero. In the example of the Metasploit project there is enough data to state that working exploits are available on the day of disclosure.

This is a significant departure from the general view that IPS will provide some measure of coverage until a patch is released. It’s fair to say that not many vendors can truly detect or prevent Zero Day attacks. So how do you measure and review your exposure until you can apply the new IPS signature or patch? Furthermore, how do you know that the remediation work performed protects you from this specific vulnerability going forward?

The reality with IPS/IDS and Next Generation Firewall vendors is that you won’t know. Until the new signature arrives, you won’t know whether this vulnerability has been exploited in your environment. Assuming the worst has happened and you find that you are vulnerable and there have been exploits, what is your next step?

Device logs may show hints of the exploit in the absence of an IPS alert, but only at a point in time, and then only at the control points where you have deployed the security device. In some cases you may not even be logging the type of traffic (see my previous post Dealing with Data Explosion) required to understand the actual event, so you won’t have enough of the data you require to understand what happened.

It’s not the kind of problem you want to have, and to be honest these are the kinds of problems we are designing Packetloop to solve. Aside from the high level goal of visualising opaque networks in respect to Threats, Sessions, Protocols and Files, we want to find Zero Day attacks, identify the breach, establish the time window, determine what was stolen and provide full context of all these events to our Customers. We want Packetloop to play, pause and rewind the actual traffic that was part of the breach and provide as much context as fast as possible: a platform that allows you to easily sift through Terabytes of data and unlock the complex relationships that exist within network traffic streams, and how they change during a successful breach.

By unlocking the power of Big Data and applying it to Security Analytics, you will also be able to gain valuable insight into how your security systems performed during the breach, and where you need to strengthen your defences. There's only so much money to go around. Apportioning your security budget is difficult, especially when you are making decisions without any data. Packetloop shows you your threat landscape and allows you to direct budget to where it offers you the most effective security. Packetloop gives you the Security Analytics you can use to make better decisions, giving you clear intelligence for your network.

Join our Beta release in the coming months and understand the power of Packetloop. We are focused on solving these problems and providing you with the information you need.
22 Jun 2012

Dealing with Data Explosion

Friday, June 22, 2012

Data storage capacity requirements in today’s enterprises are increasing at an alarming rate. According to CSC research, average enterprise data capacity will need to grow by 650% in the next 5 years. This is driven by increased user connectivity and an organisation’s dependence on the information these users create and exchange. Couple this with today’s mobile user requiring ubiquitous access to their data from any platform, anywhere, anytime and we can see why organisations are struggling to keep up with the storage requirements for this data explosion.

Security data storage has always had its own challenges. Firewalls, IDS/IPS and Vulnerability Assessment systems produce an ever expanding amount of device log data that is invariably stored for a period of time (up to 3 months), which may stretch out to years to meet policy or regulatory requirements. But do these stored logs help you when you have a security incident? Will these reams of logs be enough information to understand the incident, the breach, the exposure? Would you be able to perform the necessary forensic analysis on these logs? How often have you witnessed security professionals only logging blocked traffic, when the traffic you are really interested in is what is actually being passed by your security devices into your environment? This is the traffic that contains the serious threats worth worrying about.

In my previous post on whether Big Data can solve the unfulfilled promise of network security, I discussed the traditional logging and reporting paradigm, and how it doesn’t allow you to reproduce incidents with enough fidelity to detail the breach, the time the intruder was inside, the systems they accessed and the data they stole. Device logging doesn’t give you the full range of options, and it may not even alert you to an incident. The only way you can truly assess the security of your network is to analyse full packet captures of your traffic, but that presents a new and interesting challenge: a single gigabit network can transport terabytes of traffic a day. How and where do you store full packet captures (weeks or months) of your network traffic?

The only true representation of your data is the data itself. The only way you are able to play, pause and rewind attacks completely is to store an entire copy of all the traffic.

The Cloud offers extremely low cost, high capacity storage which is perfect for short term storage of this sort of data. It offers secure upload and encryption, and it can be replicated and distributed if required. You only pay for what you use, and for how long you use it. Coupling full packet captures with Cloud storage makes perfect sense. You capture the data, upload it, and let someone else store and process it for you.

Packetloop accesses the full fidelity of the data. It gives you play, pause and rewind. It has access to all events and can replay them at any time with new insights to find blended and sophisticated attacks or exfiltration. It scales, and it's focused on providing executives with the metrics and overviews they are looking for (dashboards), while remaining powerful enough to track and trace incidents.

Packetloop is designed to leverage Big Data to perform analysis of terabytes of full packet captures, and is scalable to handle the data on your network now and into the future. Shouldn't you be giving your organisation the best chance of detecting intruders, containing the incident and remediating with the best evidence and information?
15 Jun 2012

Big Data: Can it solve the unfulfilled promise of network security?

Friday, June 15, 2012
We have now had nearly 20 years of vendor promises that if you buy and deploy this software or that appliance, you will be protected. And yet breaches are still occurring at an increasing rate, and organised crime relating to online systems is at an all time high. What went wrong?

The vendor’s assertions that their systems will detect, block and report all manner of threats are only partially true. No one system can do all of this with 100% accuracy. So we have continued to purchase and install a range of complementary systems under the guise of “defense in depth”, but in reality to cover the weaknesses or gaps found in our other systems. And still properly motivated individuals will probe your defences looking for, and quite often finding, a way in.

Current thinking dictates that we will block everything that doesn’t match an access policy, and then we will deploy a range of real time threat detection systems to deal with threats we are seeing in that accepted traffic. Finally we will add some sort of correlation system to consolidate and present the findings. We generally deploy this technology at the most obvious locations such as our Internet or partner links, remote access points, or around publicly accessible systems. We then need to employ a handful of skilled people to administer these systems, interpret the reports and alerts, and react to the findings.

This approach has a number of weaknesses:

  • Detection systems that find “zero day” attacks usually can’t do so until they have an updated signature.
  • The volume of information is large and accelerating.
  • Single threat systems have their own error rates, which include false positives and false negatives.
  • It only shows you what is happening right now, at this moment in time.
  • It only shows you what you have asked it to show you, based on what the vendor can detect, collect and store.
  • It doesn’t allow you to query the data in any other way, to infer any other relationships.
  • These systems are biased to the vendor’s view only, which is carried through to the logs and therefore the reporting.

Most importantly, it doesn’t tell you anything about how secure you actually are. It doesn’t deliver any sort of baseline or metric that you can use for comparisons. It doesn’t tell you whether you are overly targeted. Assume for the moment the worst happens, and you are compromised. This current approach to security logging does little to assist you in determining when and where an attacker gained access, and it certainly does not help you identify what else this attacker did after gaining access. Compounding all of these problems is the increasing use of encrypted protocols to mask an attacker’s actions.

The team at Packetloop have worked in the IT Security industry for the past 15 years, and have seen the above problems replayed constantly with our customers. Our consultants have configured countless threat detection and SIEM systems applying everything we have learnt. We have done our fair share of security reviews and incident responses but have always been plagued by the question, “What aren’t we seeing here?”. There is always that nagging doubt that we are not seeing the entire picture, and that logs will only show us what was detected at a particular security check point in the system, and not the full conversations the attacker has with multiple systems once they gain access.

We were being challenged with these same problems by CISOs. In the face of increasing security spend, they were being challenged by their Boards who wanted to know:

  • How secure is my organization?
  • How does my organization compare as a target with similar organizations in our sector?
  • Is my organization really maintaining our compliance and regulatory obligations?
  • How effective is my organization's security spend in relation to our level of security?
  • Does my organization have the means for fully understanding the extent of an attack?

We asked ourselves what was the best form of data or logs to analyse in order to answer these questions confidently. The only answer we kept coming back to was full packet captures, taken from the most trafficked areas of the network. The packet capture gives us the exact context of the attack, and it allows us to investigate in a multitude of directions using the original data rather than a vendor’s logs from a specific network location. Most importantly, because Packetloop stores an exact replica of the data, we can replay it over and over again through a multitude of different threat systems, and we can test old data for the presence of newly identified threats.
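The replay idea above, and the Zero Day attack window from the earlier post (the time between first exploitation and the Disclosure Date), can be demonstrated with a small retrospective scan. This is an added example, not Packetloop's code: a minimal libpcap reader applies a signature published after the capture was taken, and reports how long the traffic had been carrying the pattern before disclosure. The capture, the signature marker and the dates are constructed placeholders.

```python
"""Retrospective signature replay over a stored packet capture (added example)."""
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap header, microsecond timestamps

def build_pcap(records):
    """Construct an in-memory libpcap file from (epoch_seconds, payload) pairs."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, payload in records:
        out += struct.pack("<IIII", ts, 0, len(payload), len(payload)) + payload
    return out

def iter_packets(data):
    """Yield (timestamp, payload) for every record in a libpcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap capture")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def replay_signature(data, signature, disclosure_ts):
    """Rewind stored traffic and apply a signature that did not exist at capture time.

    Returns (hit_count, exposure_days): the number of matching packets and the
    gap from the earliest hit to the disclosure date, or (0, None) if nothing matched.
    """
    hits = [ts for ts, payload in iter_packets(data) if signature in payload]
    if not hits:
        return 0, None
    return len(hits), (disclosure_ts - min(hits)) / 86400

# Constructed sample: three packets captured in early June 2012, two of which
# carry a placeholder marker standing in for a pattern published on 18 June.
SIGNATURE = b"PLACEHOLDER-EXPLOIT-MARKER"  # not a real indicator
CAPTURE = build_pcap([
    (1338508800, b"GET /index.html HTTP/1.1\r\n"),         # 2012-06-01, benign
    (1338595200, b"POST /upload " + SIGNATURE + b"\r\n"),  # 2012-06-02, hit
    (1338940800, b"POST /upload " + SIGNATURE + b"\r\n"),  # 2012-06-06, hit
])
DISCLOSURE = 1339977600  # 2012-06-18: the day the signature became available

if __name__ == "__main__":
    hits, window = replay_signature(CAPTURE, SIGNATURE, DISCLOSURE)
    print(f"{hits} hits; first seen {window:.0f} days before disclosure")
```

The same loop runs unchanged over a real capture file read from disk, which is the point of keeping the packets rather than only the device logs.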

At the same time as deciding that full packet captures would be our data source, we were also looking at what tools we could use to find the sort of evidence we were after in such a large amount of data. All of the currently available commercial tools that could offer some of what we were after required huge investments in capital for probes, collectors, consolidation servers and dedicated storage arrays for holding the data. What we needed was an engine that could process and store the huge amounts of data, but did so cost effectively, presenting the data in such a way that I didn’t need a doctorate to understand the findings.

This is where Packetloop came from: the simple premise of building the tool that we would want to use in our own security consulting business, and that could answer the questions and problems posed above. Packetloop is focused on Big Data Security Analytics, using the efficiency of the Cloud to store mass data. Packetloop aims to deliver high quality business intelligence in an easy to understand format. Over the next couple of posts we will share some of the more detailed analysis of these problems and the thinking behind how Packetloop has been created to solve these issues.
5 Jun 2012

Finding Needles in Haystacks the Size of Countries

Tuesday, June 05, 2012
There has been a lot of interest in our presentation from BlackHat EU 2012. To save you having to download the complete video you can watch it here.