Early Alerting - The Key To Proactive Security
by Nigel Beighton - Special Projects Director for Symantec - Wednesday, 2 June 2004.
The security challenges facing today's enterprise networks are intensifying -- both in frequency and number. The Blaster worm arrived just 26 days after Microsoft disclosed an RPC DCOM Windows flaw and released a patch for vulnerable systems. The worm took advantage of what some security experts have called the most widespread Windows flaw ever. For a time, Blaster was infecting as many as 2,500 computers per hour.

One thing is becoming unmistakably clear: Time is no longer on our side. As an indication of just how much the environment has changed, consider that the far-reaching Nimda and Slammer worms had vulnerability threat windows of many months, leaving plenty of time for the vendor of the vulnerable software to create a patch and warn the public, reducing potential threat damage. A study conducted by Qualys and released in July, that correlated nearly 1.5 million scans over the course of a year and a half found that 80 percent of exploits are released within 60 days of a vulnerability's announcement. Security specialists often speak of the "vulnerability threat window," or the time between the discovery of a vulnerability and an exploit of that vulnerability by a specific threat. Blaster, as we have seen, arrived just weeks after Microsoft announced the RPC DCOM vulnerability, leaving little time for administrators to secure their networks.

I've observed that today's attacks are not only becoming more frequent, they are also becoming more complex, including polymorphic viruses, mass mailers, denial of service (DoS), and blended threats. Moreover, as enterprises continue to adopt new technologies (such as wireless and peer-to-peer networks, instant messaging, and broadband, to name just a few) and conduct more and more critical business functions online, they offer even more targets to attackers.

In such an environment, where attacks are becoming more frequent and more sophisticated, what steps can enterprises take to ensure business continuity? Increasingly, these organizations are considering implementing an early warning system.

Scanning the globe

An early warning system enables an organization to protect itself against approaching threats before they can affect operations. In cases where attacks are already under way, an early warning system can then provide a mitigation strategy.

At the physical level, an early warning system relies on a worldwide network of firewall and intrusion-detection systems -- maintained by thousands of data partners -- to aggregate and correlate attack data.

An early warning system can also look at events targeting a specific vertical industry. This information helps targeted industries better prepare for and prevent possible attacks.

Before an attack. An early warning service delivers notification of vulnerabilities and exploits as they are identified, providing information to help users mitigate a vulnerability before it is exploited. The system's analysts monitor potential threats across thousands of products and draw upon information from a plethora of authoritative sources. Analysts provide information not only about the vulnerability, but also about best-practices countermeasures to keep systems protected. A detailed analysis should be provided in each alert and update, describing its severity and potential impact, technical makeup, the systems that might be affected, available patches or workarounds, and comprehensive mitigation strategies.

During an attack. An early warning system also provides warning of attacks that are under way. With personalized notification triggers and expert analysis, the system enables enterprises to prioritise IT resources in order to better protect critical information assets against attack. Using statistically reliable attack information, an early warning system must deliver automated, prioritised notifications. Patches, countermeasures, workarounds, and additional references are also provided.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th