February 2005 issue, Cover Feature
Day Zero: How do you stop a security attack?
Sridhar Jayanthi
Thursday, November 13, 2008
Most employees in IT departments of large enterprises are already aware of the term “Zero-Day” by now. The term may not be very new, but it represents a new way of thinking among both vendors and customers of security products the world over. A “Zero-Day” in IT security lingo essentially stands for an identified vulnerability that has the potential to be exploited. A Zero-Day attack is one that has not yet occurred but is looming on the horizon. When any software or hardware vulnerability is discovered, either by a vendor or by an underground hacker, we have a “Zero-Day” that gets the pulse of any IT security person racing. The one hope is that they hear of the “Zero-Day” vulnerability before it does the rounds among malicious code writers, and that the security vendors have a solution for it before the exploit is let loose.

Just for a moment, think about the end game for an enterprise Chief Security Officer: it would be the day when all the systems are protected 24/7 from viruses, Trojans, worms, and hackers stealing or destroying data or launching denial-of-service or buffer-overflow attacks. The CSO would ideally like protection from all this without ever having to react urgently. Until that happens, enterprises will constantly buy various products that promise to achieve the desired level of protection. Enterprises would love to be in a situation where they have Zero-Day protection, without having to jump out of bed and rush to the office to update signatures, or be on the phone trying to repair an infected system. In short, they would prefer proactive protection that is “always on” to reactive protection that requires manual intervention.

There are a few trends driving the market towards proactive protection. The first is a gradual transition of the security market towards products that promise “intrusion prevention”. I use this term loosely, since there are very few real intrusion prevention systems in the market today. Most security product vendors merely provide intrusion detection (IDS) with a limited ability to act automatically. Given its limited capacity to prevent attacks proactively, it is almost certain that IDS technology will be history in a very short period. Enterprises are increasingly looking for a reliable and comprehensive IPS package that can be trusted to stop the viruses, rather than merely raise an alert about an intrusion into the network.

Intrusion prevention (IPS) technologies can be either network-based or host-based, and the two serve different purposes. In both models, the IPS looks for known and unknown attack patterns: known ones through signatures, unknown ones through behavior anomalies, using rule-based engines that learn what “normal traffic” looks like and recognize “abnormal traffic”. In this newly maturing market there already exist intrusion prevention systems that support gigabit networks with low latency.
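To make the two detection approaches concrete, here is a small hybrid detector written for this article as an added illustration (it is not code from the author or from any McAfee product). It matches known patterns with a signature table and flags unknown attacks by comparing a flow's connection rate against a per-port baseline learned from sample “normal traffic”. The `Flow` record, the signature names, the byte patterns and the traffic figures are all constructed for the example; a z-score threshold of 3 is an assumed tuning value.

```python
"""Added example: signature matching plus learned-baseline anomaly detection,
the two techniques the article attributes to IPS engines. All data is
constructed sample data, not real traffic or real signatures."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    src: str            # source address (constructed)
    dst_port: int       # destination port the connection targets
    payload: bytes      # first bytes of the application payload
    conn_per_min: int   # connections per minute from src to dst_port


# Signature rules: byte patterns that indicate a known attack. These are
# illustrative placeholders, not signatures from any real product.
SIGNATURES = {
    "EXAMPLE-SIG-1": b"EXAMPLE-EXPLOIT-MARKER",   # stand-in for an exploit string
    "EXAMPLE-SIG-2": b"../../../../etc/passwd",   # classic path-traversal probe
}


class HybridDetector:
    """Known attacks -> signatures; unknown attacks -> deviation from baseline."""

    def __init__(self, z_threshold: float = 3.0):
        self.z_threshold = z_threshold      # assumed tuning value
        self.baseline = {}                  # dst_port -> (mean, stdev) of conn/min

    def learn(self, normal_flows):
        """Learn what 'normal traffic' looks like, per destination port."""
        per_port = defaultdict(list)
        for f in normal_flows:
            per_port[f.dst_port].append(f.conn_per_min)
        for port, values in per_port.items():
            mean = statistics.mean(values)
            stdev = statistics.pstdev(values) or 1.0   # guard against zero spread
            self.baseline[port] = (mean, stdev)

    def inspect(self, flow: Flow):
        """Return a list of (verdict, reason) findings; an empty list means allow."""
        findings = []
        # Rule-based stage: known attack patterns.
        for name, pattern in SIGNATURES.items():
            if pattern in flow.payload:
                findings.append(("block", f"signature {name}"))
        # Anomaly stage: how far is this flow from the learned normal rate?
        if flow.dst_port not in self.baseline:
            findings.append(("alert", f"no baseline for port {flow.dst_port}"))
        else:
            mean, stdev = self.baseline[flow.dst_port]
            z = (flow.conn_per_min - mean) / stdev
            if z > self.z_threshold:
                findings.append(("block", f"rate anomaly z={z:.1f}"))
        return findings


# Constructed "normal" web traffic used to train the baseline for port 80.
NORMAL_TRAFFIC = [
    Flow("10.0.0.1", 80, b"GET / HTTP/1.1", 10),
    Flow("10.0.0.2", 80, b"GET /news HTTP/1.1", 10),
    Flow("10.0.0.3", 80, b"GET /about HTTP/1.1", 12),
    Flow("10.0.0.4", 80, b"POST /login HTTP/1.1", 12),
]

if __name__ == "__main__":
    detector = HybridDetector()
    detector.learn(NORMAL_TRAFFIC)
    for flow in (
        Flow("10.0.0.9", 80, b"GET /index.html HTTP/1.1", 12),          # normal
        Flow("10.0.0.9", 80, b"GET /../../../../etc/passwd HTTP/1.1", 12),  # signature hit
        Flow("10.0.0.9", 80, b"GET / HTTP/1.1", 20),                    # rate anomaly
        Flow("10.0.0.9", 22, b"SSH-2.0-client", 1),                     # no baseline
    ):
        print(flow.src, flow.dst_port, flow.conn_per_min, detector.inspect(flow) or "allow")
```

The split between a “block” and an “alert” verdict is the practical difference the article draws between IPS and IDS: a signature hit or a gross rate anomaly is acted on automatically, while traffic for which no baseline exists is only reported, because blocking on ignorance would be a self-inflicted denial of service.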

The second trend is the commoditization of anti-virus software, with AV products on desktops and servers moving up the value chain to include basic desktop firewall and IPS characteristics. The day is not far off when plain anti-virus products will cease to exist, for enterprises and even for consumers. The idea is to protect a system from multiple threats, including viruses, buffer-overflow attacks, unwanted programs or spyware, and unauthorized access to servers, regardless of whether the system is in an enterprise or at home.

The next trend is a steady transition towards multi-function appliances that play the roles of both intrusion prevention system and firewall, with the goal of allowing a much tighter integration of firewall policy with intrusion prevention policy. These appliances of the future will be able to stop viruses and hackers while providing integrated management and visibility into security events across IPS and firewalls. A few years from now there is bound to be confusion on the customers’ end as to which appliance to purchase: an IPS from a firewall vendor, or a firewall from an IPS vendor? For the near future, the answer will most likely be a hybrid system from more than one vendor, working together to provide the right level of protection with ease of management.

Recently, security vendors have gradually been grouping together to develop hybrid systems that protect against devices that bypass the gateway and get onto the network directly. These could be laptops or PDAs plugged into the network, or employees connecting remotely, via VPN or otherwise. Firewall and anti-virus vendors have teamed up to ensure that users comply with security policies before they are allowed onto the network. For instance, if a user whose system lacks the appropriate level of protection tries to log in to a company’s network from home, the firewall validates the required level of protection and gives the user the choice to update before it grants access to the network. The same applies to someone who tries to plug a non-compliant device into the network, even inside the company.
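The admission flow described above (validate the endpoint, offer an update, then grant or quarantine) can be expressed as a small policy check. The following is an added example written for this article, not code from the author or from any vendor's product; the `Posture` and `Policy` fields, the thresholds, and the simulated remediation step are all assumptions chosen to illustrate the idea.

```python
"""Added example: a network admission check in the style the article
describes. Posture fields, policy thresholds and the simulated update are
constructed for illustration and are not any product's real interface."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Posture:
    """What the gateway learns about the connecting endpoint (constructed)."""
    av_installed: bool
    av_signature_date: date      # date of the newest signature set on the host
    firewall_enabled: bool
    patch_level: int             # assumed monotonically increasing patch level


@dataclass(frozen=True)
class Policy:
    """Minimum protection the corporate policy demands (assumed values)."""
    max_signature_age_days: int = 7
    min_patch_level: int = 10
    require_firewall: bool = True


def evaluate_posture(posture: Posture, policy: Policy, today: date):
    """Return ("allow", []) or ("remediate", [reasons the endpoint fails])."""
    failures = []
    if not posture.av_installed:
        failures.append("anti-virus not installed")
    else:
        age = (today - posture.av_signature_date).days
        if age > policy.max_signature_age_days:
            failures.append(f"anti-virus signatures {age} days old")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("host firewall disabled")
    if posture.patch_level < policy.min_patch_level:
        failures.append(
            f"patch level {posture.patch_level} below required {policy.min_patch_level}"
        )
    return ("allow", []) if not failures else ("remediate", failures)


def gate_connection(posture: Posture, policy: Policy, today: date, accept_update):
    """Validate, offer the update, re-check, and only then grant access.

    accept_update is a callback taking the list of failures and returning
    True if the user chooses to update (in a real system this is a prompt).
    Returns ("granted" | "quarantined", remaining_failures).
    """
    verdict, failures = evaluate_posture(posture, policy, today)
    if verdict == "allow":
        return "granted", []
    if not accept_update(failures):
        # Non-compliant and declined the update: keep the device off the network.
        return "quarantined", failures
    # Simulated remediation: bring the endpoint up to the policy minimums.
    updated = Posture(
        av_installed=True,
        av_signature_date=today,
        firewall_enabled=True,
        patch_level=max(posture.patch_level, policy.min_patch_level),
    )
    verdict, remaining = evaluate_posture(updated, policy, today)
    return ("granted" if verdict == "allow" else "quarantined"), remaining


if __name__ == "__main__":
    today = date(2005, 2, 15)                       # constructed clock
    home_user = Posture(True, date(2005, 1, 1), False, 12)   # stale AV, no firewall
    print(evaluate_posture(home_user, Policy(), today))
    print(gate_connection(home_user, Policy(), today, lambda f: False))
    print(gate_connection(home_user, Policy(), today, lambda f: True))
```

The important design point is that the gateway re-evaluates the posture after the update rather than trusting the user's acceptance of it: the decision to grant access rests on the observed state of the endpoint, not on the promise to fix it.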

The toughest thing to predict is how and when we will reach the end goal of complete Zero-Day proactive protection. For this, I feel we need to take a few lessons from nature, from how our bodies protect us from malicious organisms. In many ways, what we are trying to do with networks and systems is not very different in concept. The analogy is this: our body has evolved over thousands of years and has learned what it needs to fight and how to protect itself. The body has multiple layers of protection, starting with skin, hair, fluids, membranes, bones, and red and white blood corpuscles. It has also deployed different security mechanisms for different parts of the body: ribs to protect the heart and lungs; the skull, the senses and reflexes to protect the brain. This is analogous to security systems targeted at various aspects of the IT infrastructure, such as the network, web servers, mail servers, and desktops. It is not sufficient to protect the body, or the infrastructure, by securing only one aspect of the system; each area needs a separate approach depending on its usage and exposure. As the attacking organism changes, the body needs to provide new protective measures. For each and every type of attack, either the body must work out the protection by producing appropriate antibodies, or a vaccination is required to induce the same effect. In other words, there is never an end to a constantly changing threat. Each countered threat creates the potential for a new threat that the current security measures do not stop.

So how did the body manage to survive this long? Apart from its natural protection systems, the answer lies in how the body adapted its habits so that the chances of attack are minimized. Through experience, the human race has developed methods to protect itself: the use of disinfected water (through boiling or otherwise), maintaining a clean environment, rejecting food that is recognized as bad, avoiding animals that appear dangerous, and simply avoiding dangers through experience learned over centuries. This experience should teach us that trying to write a system that can anticipate all types of future attacks is futile; such a system is itself likely to create other avenues that can be exploited. A more fruitful and faster path to complete Zero-Day protection is to find a good balance between protective systems and user behavior; between flexibility and regulation of network usage; between vigilance in a corporation and privacy; and, above all, better training for users on best security practices.

There is no agency trying to end all crime in the world or eradicate all diseases, and there is no reason that logic should not extend to IT infrastructure protection. There are only people and companies trying to provide systems that make it harder for the “bad guys”; the rest is up to corporate security policy and user behavior to minimize exposure to malicious attacks on Day Zero.

Sridhar Jayanthi is the Vice President of Engineering and Head of India Operations, McAfee Engineering Center. He is responsible for the Indian R&D and product development operation, including organizational development, operations strategy, and project execution. He can be reached at Sridhar_Jayanthi@McAfee.com

This article is reprinted with permission from siliconindia Inc USA.
