
One way to secure the weak chain link

The enterprise IT market is becoming crowded with specialized products aimed at cyber security. Many of them rely on packet analysis on IP networks. Taking advantage of the fact that switching operates essentially at wire speed and that the cost of storage, in dollars per terabyte, keeps falling, these products capture all packets, in some cases replicating them offline for forensic analysis, in others analyzing packets as they flow by and recording metrics to a log.

Some, such as Solera Networks, look purely for anomalies indicating cyber threats. They record and can play back, almost like tape, recent network activity, with the added function of deep inspection of each packet. Real traffic can be compared to a database of known worms and viruses, but looking for new threat behaviors must happen offline.

Other products, like Splunk, are used partly for cyber forensics and partly for application monitoring. They also use the packets coming into the network as the basic element for understanding of, and visibility into, the network.

These products are located at the network hub, typically as a dedicated rack appliance, and they report either through their own dashboard or via another network monitor.

But security and network administrators also have to worry about a constant source of cyber evils, namely the end points their networks support. The bulk of end points are PCs. Judging from the attack patterns, the traditional anti-virus products and personal firewalls don’t seem to be that effective at stopping worms and viruses from reaching the network servers.

I spoke the other day with Aaron Barr, who heads up a four-month-old federal unit of HB Gary, whose Digital DNA resides in the RAM of PCs on the network. That’s where malware lives, and from where its behavior can be seen and analyzed by looking into the code itself. Looking at behavior is distinguished from matching profiles, as standard anti-virus products do. Barr said detecting behavior — for instance, keystroke logging — is preferable because it takes into account the fact that malware self-morphs as a way of evading profile-based detection.
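To make that contrast concrete, here is an added example, not code from the post or from HB Gary's product, that scores constructed process observations two ways: by an exact profile (a hash of the in-memory image) and by the combination of runtime actions keystroke logging needs. The API names and all three observations are assumptions built for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class ProcessObservation:
    """What a memory-resident agent could report about one process:
    the bytes of its in-memory image and the API calls seen at runtime."""
    pid: int
    image: bytes
    api_calls: set = field(default_factory=set)


# Profile-based detection: an exact fingerprint of a sample already seen.
# The hash is of a constructed byte string, not of any real sample.
KNOWN_BAD_PROFILES = {hashlib.sha256(b"keylogger-variant-A").hexdigest()}

# Behaviour-based detection: the actions keystroke logging needs regardless
# of how the code is packed (hook the keyboard, persist captures, send them).
KEYLOG_BEHAVIOUR = {"SetWindowsHookEx:WH_KEYBOARD_LL", "WriteFile", "send"}


def profile_hit(obs: ProcessObservation) -> bool:
    """True only if the image bytes match a known sample exactly."""
    return hashlib.sha256(obs.image).hexdigest() in KNOWN_BAD_PROFILES


def behaviour_hit(obs: ProcessObservation) -> bool:
    """True if every action in the keystroke-logging pattern was observed."""
    return KEYLOG_BEHAVIOUR <= obs.api_calls


def classify(observations):
    """Return {pid: (profile_hit, behaviour_hit)} for each observed process."""
    return {o.pid: (profile_hit(o), behaviour_hit(o)) for o in observations}


# Constructed observations: the known sample, a morphed copy with identical
# behaviour but different bytes, and a benign editor that writes and sends.
SAMPLE = [
    ProcessObservation(101, b"keylogger-variant-A", set(KEYLOG_BEHAVIOUR)),
    ProcessObservation(102, b"keylogger-variant-A-repacked", set(KEYLOG_BEHAVIOUR)),
    ProcessObservation(103, b"text-editor", {"ReadFile", "WriteFile", "send"}),
]

if __name__ == "__main__":
    for pid, (by_profile, by_behaviour) in classify(SAMPLE).items():
        print(f"pid {pid}: profile={by_profile} behaviour={by_behaviour}")
```

The repacked copy (pid 102) is missed by the profile check but still caught by the behaviour rule, which is the point Barr makes about self-morphing malware.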

Keep in mind that these analysis and reporting tools are not intended for search-and-destroy, but rather to give the network operations staff a near real-time picture of what is going on and whether there are dangerous infections aimed at capturing keystrokes or other information.

Now the question is whether the mechanism exists for organizations to efficiently share information on threats so that response isn’t always a step behind the perps putting malware into the wild, where it hunts for vulnerable organizations.
