Despite the same old budgets and resources, midsized companies have to contend with new and more complex security attacks. Here's how a few are rising to the challenge.
Microsoft discovers a vulnerability in its domain name server but says it may take weeks to deliver a patch, and the W32/Delbot-AI worm promptly launches attacks using that flaw. Two research houses predict that pinpointed attacks on select companies will soon replace broadly targeted worms as the greatest threat to corporate computer security. At a Usenix conference, experts warn that botnets -- which use a collection of compromised computers to steal financial data or send spam -- are getting increasingly complex and more capable of taking over more computers and accessing important data.
That was just some of the bad security news that came out in a single week this spring. While information security teams still struggle to plug new holes in technology and avoid broadly targeted viruses, they have to keep an eye on the threat of a carefully architected and targeted multi-vector attack.
Information security managers know that teams of hackers are working around the clock to craft multi-vector attacks, pairing the best and brightest of the bad guys. These attacks probe a company's network simultaneously in several ways -- leveraging spam, searching for gaps in firewall coverage -- thus giving hackers a better chance to find a hole in a company's security. Multi-vector attacks clearly raise new challenges for midmarket companies strapped with the same limited resources. Yet smart CIOs are turning the tables and adopting a multifaceted approach to defense that employs several security technologies as well as tools from outside the security realm.
Just how prevalent are multi-vector attacks? "The sense of people deliberately banding together to put some multi-vector threats together is relatively new," says Stephen Fried, vice president for information security and privacy at Milwaukee-based Metavante Corp. "When you take a look at the history of attacks that we've been seeing in the past few years, there has been a lot more talk about multi-vector than we've actually seen in the wild, but I think its day will come."
Multi-vector attacks can take many forms. For instance, an attacker who uses social engineering to gain personal information from users might join forces with someone who uses distributed attacks or distributed spam networks, says Scott Crawford, senior analyst at Enterprise Management Associates (EMA) in Boulder, Colo. "The ability to work together in order to achieve common goals is getting to be a much more serious concern, which raises the bar even further on the ability of IT to be able to cooperate with security and leverage integration across IT to achieve their own common goals."
Several factors set a multi-vector attack apart from the general release of, say, a virus or worm. First, a multi-vector attack targets a specific company, often with the intent to do harm or steal information. It also uses several avenues to gain entrance, with one or more of those attempts often acting as a decoy to divert the security team's attention from the real attack.
"Midmarket companies are exposed to the same types of threats as larger companies, although they probably are more at risk from multi-vector attacks," says Jerry Murphy, vice president and service director at Robert Frances Group. "It used to be that security threats were like high school kids coming by and toilet-papering a house. It was obvious that it happened, and it looked really nasty, but at the end of the day nothing was really damaged. Today, the threats are much more like spies watching from behind the bushes at all the entrances to your house to see where you hide the key so when you're gone they can sneak in and steal stuff."
Some CIOs draw on multiple security technologies to defend against multi-vector attacks. Security information management (SIM) systems, for instance, monitor and analyze huge volumes of data in the logs of firewalls, intrusion detection systems and other tools to spot attacks, thus taking the burden off human eyes.
"The challenge I have from the SMB perspective is having the staff and cost-effective tools to monitor all of our systems," says Mark Willford, manager of IT at DirecTV Castle Rock Broadcast Center in Castle Rock, Colo. "We don't have the luxury of having a dedicated security department. I have a staff of 19 people that is responsible for everything from toner replacement to managing a very large ATM backhaul network. So my staff wears a lot of hats, and part of our responsibility is making sure that our data is secure."
Willford wanted a system that could correlate log files from various servers, firewalls and other components and offer real-time alerts about suspicious activity. He also wanted to be able to audit those log files. After weighing the pros and cons of four vendors, he chose TriGeo Network Security Inc.'s SIM solution. "It was almost a live-by-lunch solution that required very minimal setup," he says. "It was priced very competitively and met all requirements that I had, including minimal management and total cost of ownership."
The SIM system correlates most of the security device log files and provides real-time alerting by tracking event data from multiple firewalls, switches, routers and intrusion detection systems. Willford notes that his company may be an exception in the midmarket; rather than looking back after a problem occurs, he proactively audits logs. "We're able to catch things a lot earlier in the process, especially with virus activity that isn't necessarily recognized by one device but is recognized when correlated between two devices," he says. Previously, virus activity or a denial-of-service attack may not have been spotted until users complained.
Another midsized organization turned to SIM because it was a cost-effective way to extend the reach of its alerting capabilities. For about a year, Stillwater National Bank in Stillwater, Okla., had outsourced key monitoring functions such as alerting. While the monitoring service worked fine, it covered only one-fifth of the bank's 100 servers. It also didn't provide crucial log monitoring and reporting functions, including those required by various regulations such as the Sarbanes-Oxley, Health Insurance Portability and Accountability and Gramm-Leach-Bliley acts, says Laura Briscoe, vice president for information security at the bank.
"We already had the need for this type of monitoring. Your auditors and the laws all require that you have this type of monitoring and reporting in place, that you know who's accessing what kind of data on which box," Briscoe says.
Rather than extend its commitment -- and annual payments -- to the service provider, the bank looked at in-house SIM technology. Like Willford, Briscoe chose TriGeo. She says it not only offers functionality that beats out competitors, such as desktop agents and USB lockdown, but it also focuses on the midmarket, so the price was right. The bank was paying about $120,000 a year for limited coverage of its systems; for a little less than that on a onetime payment, Briscoe gets added functionality and network-wide coverage.
But it's important to note that SIM technology is still evolving. One IT manager says SIM's data monitoring rules, which vendors often define, allow SIM to catch some kinds of attacks but not all. Murphy says SIM also presents a resource challenge for midsized companies, which are less likely to have a dedicated analyst who can make the most of such a system through heuristic analysis. "There are some tools starting to put this stuff together," Murphy says. "But usually some human being has to put the rules in there to say what all this information coming from different locations means."
Research labs are developing technology to help midmarket companies better utilize SIM, creating tools that use histographic analysis to spot anomalies in SIM reports. The histogram would help map the mean behavior for traffic associated with specific applications. So if there is an increase in traffic on part of the network -- a sign of a possible problem -- an administrator could investigate. There may be a legitimate business reason, such as a special promotion, that creates additional activity surrounding that specific application, or it may be caused by malware.
Driving Security Innovation
Although handicapped by a shortage of resources and more dependent on proven technologies, midmarket companies may actually help drive innovative approaches to security, EMA's Crawford says. For instance, some midmarket companies are marrying security management and IT operations by leveraging a configuration management database to improve IT operations like patch management.
The midmarket is also helping drive the convergence of security and management technologies, particularly by demanding that tools in both sectors interoperate. "We're seeing major vendors adopt this story by bringing their core management technologies to bear on both security and IT ops," Crawford says. "You can expect to see a lot more visibility around that trend this year."
When it comes to server virtualization -- a popular development on the operations side of IT -- security and operations overlap. Crawford says that while the downside of server virtualization is that IT departments may have to authenticate servers, the upside is additional security by isolating a virtualized environment from security threats.
Another example of innovative thinking to defend against multi-vector attacks is when two elements of IT -- in this case, operations and development -- are united in a partnership to improve application security. Over the past two years, experts have emphasized the importance of having security "baked in" to new IT projects, whether they involve in-house development or packaged applications. Obviously it's much easier to deal with security issues throughout the development or acquisition process than on the eve of deployment.
Crawford notes the efforts of numerous vendors to deal with security during application development. Ounce Labs Inc., Security Innovation Inc., Fortify Software Inc., Watchfire Corp., SPI Dynamics and other software providers are working to help developers spot security flaws in code long before it reaches the deployment stage.
Whether or not they are multi-vector, insider attacks are perhaps the most difficult threats to defend against. "People have been focused on preventing bad guys from getting into the network, but what a lot of people don't realize is that a lot of the data that is stolen from a company is actually an inside job," says Robert Frances Group's Murphy. He notes that while 80% of threats are external, most of these threats can be dealt with. The remaining 20% come from inside companies, such as from database admins who sell information.
"It doesn't even have to be malicious," Murphy says. For example, a salesperson might have customer data that is encrypted in a back-end database but then send the data to someone in an email without knowing that Sarbanes-Oxley requires the transmitted data to be encrypted.
To address internal threats, Murphy cites Fidelis Security Systems Inc.'s Fidelis XPS (an extrusion prevention system) as a product that looks at all data crossing a network, checking patterns associated with sensitive data such as Social Security numbers. Other products take different approaches, such as Vontu's line of products designed to target specific portions of the network, such as an email server, in a search of sensitive information.
Controlling user behavior can also lead to adoption of older technologies. Murphy says a technology that once carried high expectations -- public key infrastructure, or PKI -- may attract new attention in the next couple of years. PKI isn't as ubiquitous as was predicted, largely because of the complexity of managing keys. "Using the key is easy," says Murphy, "but if you lose your key or leave the company, that data is now encrypted. So how do you or your company get access?" he says. But as standards continue to develop, vendors such as VeriSign Inc. now offer services to help companies manage keys.
Midmarket companies are looking at powerful technology such as SIM and PKI, as well as ways to combine disciplines, in order to meet the challenge of today's complex, multi-vector attacks. "In general, [midmarket companies] don't have the resources that the larger enterprises have, and so they have to look at solutions that have had wider penetration, more broad market acceptance and tend to be more mature," Crawford says. "They have to get more bang out of the buck for security."
James Connolly is a freelance writer in Norwood, Mass. He can be reached at firstname.lastname@example.org.
This was first published in June 2007