Trying to be faster than the bad guys


Even a security manager who has steered away from emerging technology has a change of heart when it becomes ever more difficult to keep up with the ways criminals can sneak into our systems

The end of Daylight Saving Time in the Northern Hemisphere signals the lateness of another year, and that means it’s budget time again at my company. I’m looking to fund some new ideas about how to keep us safe in an increasingly dangerous online world.

Security Manager’s Journal by J.F. Rice

  • Malvertising is a troubling trend
  • The sharks of the Internet
  • Milling with the hackers at Black Hat and Def Con
  • Assessing the value of cyber insurance

Now that I’ve been at my current job for a few years, I’ve had the opportunity to build a solid security infrastructure on my company’s network. My security information and event management (SIEM) system is running fine, and generating actionable alerts nearly every day. Patch management, which used to be something I had to struggle with, is now routine. The IT system administrators have the tools they need to deploy not only Windows updates, but software updates as well. Everything is being patched regularly. My staff have good tools for managing our data security technologies. Our malware detection and blocking tools are effective both on the network and on our computers, including the virtual machines. And our website and email filters are doing a good job of blocking unwanted content.

What more could I want?

In my last column, I mentioned that the bad guys have become much more sophisticated in their efforts to break into networks, using techniques like malvertising combined with advanced techniques to remain invisible to modern signature-based intrusion and malware detection technologies. These techniques include encryption of malicious payloads and traffic, the use of zero-day vulnerabilities ahead of antivirus product signature releases, and malware that runs in memory instead of the hard drive, all of which were effective at flying under the radar of my antivirus tools. As I mentioned in that column, this really worries me, more than anything has in a long time. I’ve been fortunate to have state-of-the-art technologies like my application firewall, which alerted me to these very stealthy threats. But I don’t think that’s enough.

A few years ago, a “security appliance” emerged that was supposed to be the next generation of malware detection. I have that product on my network, and you probably do too. It’s pretty good at what it does, which is to inspect network traffic, identify malicious behaviors, and open up file attachments and active data inside virtual machines to recognize the signs of malware. But it didn’t catch the malvertising attacks I experienced, and I’m no longer sure that one product is sophisticated enough to detect today’s malicious code.

As the criminals get more wily and skillful, I don’t think I’ll be able to rely on my current security technologies, as good as they are. I think I’m going to need something much more advanced — and I think network security technologies yet to be invented will have to keep pace with modern threats.

So I’m looking for something new to spend my budget dollars on, and that has led me to a couple of cutting-edge products that I would not otherwise have looked at. See, I usually prefer to buy tried-and-true products that other companies are using successfully, so I know I’m getting something reliable. I’m not one to be a guinea pig for startup companies that are looking for beta testers, because I need to have 100% confidence in my systems. But given the state of the current threat landscape, I’m starting to feel like I no longer have a choice. In order to keep up with the hackers, it’s starting to look like we will all have to move a little faster.

This has led me to evaluate some emerging products that aren’t yet fully established, but are truly behavior-based. I looked at four products that use heuristic analysis to observe the behavior of software to decide whether it is malicious. Two of them use a “profiling” approach, keeping a history of activity on each computer as a baseline of what’s normal. This is not new, by any means, but because today’s computers are very dynamic, with constant software updates and new applications, I’ve never had much success with this type of product in the past. But these new products claim to have a better, more reliable approach to deciding what constitutes normal behavior, and they look promising.

The other two products monitor system resources like memory and disk, and block “unwanted” activities like attempts to overwrite another program’s memory space, or privilege escalation. They use broad definitions of what’s considered “bad behavior” to stop malicious code. This is also not a very new approach, but again, today’s products look like they strike a good balance, so they shouldn’t interfere with normal software. At least I hope that’s the case.

I’ll be test-driving these products over the next month or two to see how they perform in the real world. But for now, I’m optimistically including them in my 2016 budget. After all, security has always been a game of one-upmanship. As the hackers continue to escalate their malicious capabilities, so must we improve our defenses.