Today’s cyber-threat environment is increasingly severe, compounded by the growing number of vulnerabilities that are discovered weekly, the emergence of new types of attacks, the shrinking time between vulnerability discovery and exploit development, the propagation speeds of automated worm attacks, and the dissolving network perimeter. IT security teams are overwhelmed and traditional point solutions like firewalls, antivirus software, and intrusion detection systems (IDS) are inadequate protection by themselves. The threat is further exacerbated by the challenges involved in applying patches in a timely manner. What is needed is a new type of security element that pervades the network and automatically protects organizations from a broad variety of attack types and from all potential points of attack – inside or out.
Ultimately, security will be embedded within the network fabric, where traffic of all types, such as data, voice, and video, is delivered securely with the necessary QoS. The distinction between theoretical and real information security has become increasingly clear over the past several years. Common security technologies that enterprises once relied on to safeguard their data and networks no longer deliver all their promised protections.
As an example, a few years ago, antivirus products were generally effective at protecting enterprises from virus outbreaks. There were fewer exploits, and they typically took days or weeks to reach critical mass, giving IT departments enough lead time to deploy updated virus signatures before their PCs or network performance was degraded. By contrast, the latest worms and viruses can propagate across vulnerable systems on the Internet in minutes.
Quarantine protection offers enterprise customers an unparalleled level of automated security, convergence and performance. Deployed as an overlay to existing networks or embedded throughout the enterprise network, quarantine protection also features intrusion prevention system (IPS) technology to provide end-to-end enterprise security.
Quarantine protection is the new concept needed for today’s emerging network security requirements.
ANATOMY OF A GOOD IPS SOLUTION
First and foremost, an IPS must exhibit the same throughput, reliability, and latency characteristics as other network infrastructure elements, for instance routers and switches. Network engineers have carefully architected their networks to deliver traffic from one point to another with specific latency and throughput requirements. Today’s business dependence on the network requires that it be highly reliable with near-zero downtime. If an IPS adversely impacts these network characteristics, it will never be given an opportunity to demonstrate its security effectiveness. Furthermore, these performance characteristics should not depend on the number of filters (or signatures) that are turned on or on the type of traffic that is passing through the network.
Many organizations deploy IPS at the perimeter to augment existing security elements, but most are deploying these systems on internal network segments to protect against attacks from within. When multiple IPSes are deployed internally, they effectively provide “zones of containment” for any attack that may originate from internal sources such as remote office locations, VPNs, or someone plugging in an infected laptop. These internal locations have much more demanding performance and reliability requirements, in the range of multi-gigabit-per-second throughput and sub-millisecond latencies.
ATTACK BLOCKING
Security effectiveness is measured in three dimensions: accuracy, coverage, and timeliness. Of these, accuracy is the most important. Accuracy ensures malicious traffic is blocked, and legitimate traffic is not. The performance and accuracy of a software-based product present a zero-sum game. If a filter is added to the software engine, the CPU must process additional cycles and performance goes down. Conversely, in a hardware product that utilizes massively parallel processing techniques, additional filters do not necessarily impact performance. This relates directly to accuracy as well. For example, it may be determined that five conditions must be met to unequivocally identify an attack, but the 5th condition requires 90 percent of the CPU cycles for only a 10 percent improvement in accuracy. A software-based solution is forced to choose: ignore the 5th condition and trade 10 percent in accuracy for 90 percent in performance, or keep it and pay the performance penalty. This situation has plagued many software solutions and resulted in false positives (classifying legitimate traffic as malicious). While this tradeoff is often accepted for a passive IDS, it is unacceptable for an IPS intended to block only attack traffic.
Coverage refers to the breadth of attacks or attack vectors that an IPS can protect against. While this is tightly linked to accuracy, it is also dependent on the types of filtering methods that the IPS engine supports.
There are four primary filtering methods needed for the broadest protection:
1. Signatures – Basic pattern matching technique used for viruses or known exploits.
2. Protocol Anomaly – Normalization technique that can enforce compliance to a protocol specification.
3. Vulnerability – Method used to express application-layer rules to identify malicious traffic attempting to exploit an application or design vulnerability. These filters are the most difficult to develop, but the most proactive and comprehensive.
4. Traffic Anomaly – Method used to detect changes in behavioral traffic patterns that deviate from normal.
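To make the difference between the four filter classes concrete, the following added example (not from the original text or any vendor's engine) runs each class over constructed HTTP request lines. The exploit pattern, the header-length limit and the per-source baseline are placeholder assumptions.

```python
"""Toy illustrations of the four IPS filter classes: signature, protocol
anomaly, vulnerability and traffic anomaly. All thresholds and patterns
are assumed values for demonstration only."""
import re
from collections import Counter

SIGNATURES = [b"/cgi-bin/PLACEHOLDER-known-exploit"]  # placeholder byte pattern
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")
MAX_HEADER_VALUE = 256            # assumed fixed-size field in the protected app
BASELINE_REQ_PER_SRC = 20         # assumed "normal" requests per source per window


def signature_filter(payload: bytes) -> bool:
    """Signature: exact byte-pattern match for one known exploit string."""
    return any(sig in payload for sig in SIGNATURES)


def protocol_anomaly_filter(payload: bytes) -> bool:
    """Protocol anomaly: request line does not follow the HTTP/1.x grammar."""
    return REQUEST_LINE.match(payload) is None


def vulnerability_filter(payload: bytes) -> bool:
    """Vulnerability: a header value long enough to overrun the assumed
    field limit, regardless of what bytes it carries (exploit-agnostic)."""
    for line in payload.split(b"\r\n")[1:]:
        if b":" in line and len(line.split(b":", 1)[1].strip()) > MAX_HEADER_VALUE:
            return True
    return False


def traffic_anomaly_filter(sources: list) -> set:
    """Traffic anomaly: sources whose request count deviates above baseline."""
    return {src for src, n in Counter(sources).items() if n > BASELINE_REQ_PER_SRC}


def classify(payload: bytes) -> list:
    """Return the names of the per-packet filter classes that fired."""
    hits = []
    if signature_filter(payload):
        hits.append("signature")
    if protocol_anomaly_filter(payload):
        hits.append("protocol_anomaly")
    if vulnerability_filter(payload):
        hits.append("vulnerability")
    return hits


if __name__ == "__main__":
    # Constructed sample: an over-long header that no signature would catch.
    sample = b"GET /login HTTP/1.1\r\nUser-Agent: " + b"A" * 300 + b"\r\n\r\n"
    print(classify(sample))                         # ['vulnerability']
    print(traffic_anomaly_filter(["10.0.0.1"] * 25 + ["10.0.0.2"] * 3))
```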
Finally, timeliness is the speed with which an IPS can offer protection against a new threat. In some instances, existing filters may actually protect against a zero-day or newly discovered threat. If vulnerability filters are in place, they can protect an organization before an exploit or worm exists. When a new vulnerability is discovered, a new filter or set of filters may be required for protection. Unfortunately, it is not uncommon for five to 10 new critical vulnerabilities to be discovered on a weekly basis. This means that a fundamental component of an IPS is the ability to be continuously updated with new filters without adversely affecting performance.
A realistic solution must address the new realities of enterprise risk. To minimize so-called “Day Zero” exploitation of new vulnerabilities, the solution must protect networked computers proactively rather than reactively.
It must contain or stop threats and exploits immediately, preferably with minimal configuration, rather than waiting for signature or heuristic updates to take effect. It must also reduce the exposure of the enterprise network to attacks via any inadequately protected entry point. This means that every computer that connects to the network must be in a secure state, as defined by IT security policy. This policy could require that every endpoint be running a host-based firewall and an antivirus product with up-to-date signatures before it is granted a connection to the LAN. It might also require that a critical Windows patch and an updated VPN client be installed prior to network access. The solution must be hardened to the extent that it cannot be tampered with or disabled by either hackers or end users. Last but not least, the solution should secure network access across the entire heterogeneous enterprise network, regardless of the brands of networking products or operating systems in place. A solution that meets these criteria could have saved countless organizations from costly damage caused by exploits like MS-Blaster, Welchia/Nachi, SoBig.F, Netsky, Witty, etc.
To enhance the security of converged networks, quarantine protection incorporates innovative enhancements to prevent the propagation of cyber threats from within the network and to isolate or “quarantine” infected devices. The quarantine process prevents the infected device from harming neighboring systems.
As a baseline, endpoint security should always include anti-virus software and OS patch updates. However, quarantine protection complements and goes beyond the simple verification of updated OS and AV signature packs to control the behavior of endpoints that are connected to the network. With quarantine protection, administrators virtually extend sophisticated attack filters from the IPS down to the desktop, while maintaining complete control at a central location within the network. It works with all network switches to enforce endpoint security and represents a philosophical shift from traditional security tools like firewalls and IDS, all of which require extensive configuration and manual maintenance, to an automated, holistic security solution.
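The admission policy sketched earlier (host firewall, current AV signatures, a required patch, a minimum VPN client) and the quarantine decision described here can be expressed as a small posture-evaluation routine. This is an added example, not the page's or any product's code; the signature-age limit, patch identifier and VPN version are placeholder assumptions.

```python
"""Endpoint admission check: evaluate a connecting host's reported posture
against IT policy and decide whether it joins the LAN or is quarantined
until remediated. Sample data and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

SIGNATURE_MAX_AGE = timedelta(days=3)      # assumed: AV signatures older than this fail
REQUIRED_PATCHES = {"KB-PLACEHOLDER-001"}  # placeholder for the mandated critical patch
MIN_VPN_CLIENT = (4, 2)                    # assumed minimum VPN client version
QUARANTINE_VLAN, PRODUCTION_VLAN = 999, 10  # assumed VLAN ids for enforcement


@dataclass
class Posture:
    host: str
    firewall_on: bool
    av_running: bool
    av_signature_date: date
    installed_patches: set = field(default_factory=set)
    vpn_client_version: tuple = (0, 0)


def evaluate(p: Posture, today: date) -> tuple:
    """Return ('allow' | 'quarantine', reasons). Every failed check is kept,
    not just the first, so the user can be told everything to remediate."""
    reasons = []
    if not p.firewall_on:
        reasons.append("host firewall disabled")
    if not p.av_running:
        reasons.append("antivirus not running")
    elif today - p.av_signature_date > SIGNATURE_MAX_AGE:
        reasons.append("antivirus signatures out of date")
    missing = REQUIRED_PATCHES - p.installed_patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if p.vpn_client_version < MIN_VPN_CLIENT:
        reasons.append("VPN client below minimum version")
    return ("quarantine" if reasons else "allow"), reasons


def assign_vlan(p: Posture, today: date) -> int:
    """Map the policy decision to the VLAN the switch port should be placed in."""
    decision, _ = evaluate(p, today)
    return PRODUCTION_VLAN if decision == "allow" else QUARANTINE_VLAN


if __name__ == "__main__":
    today = date(2024, 1, 10)
    laptop = Posture("laptop-07", False, True, date(2023, 12, 1), set(), (4, 1))
    print(evaluate(laptop, today))   # ('quarantine', [... four reasons ...])
    print(assign_vlan(laptop, today))  # 999
```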