ITC Security Threat of the Week – Week 14: Monitoring Emerging Application Security Threats – Signature-based IPS is not enough
The traditional approach to Network and Information Security is to use Defence in Depth or Layered Security. This approach relies on technologies that are common in all networks and information is readily available about these on the Internet.
The number of firewall vendors is not so high that an attacker couldn’t research a vulnerability that is common in most so he/she could target that vulnerability specifically. Also the main goal/priority is to have availability and accessibility on the Network and to the business applications, for example a Website, Remote Access SSL portals, etc. The access to these systems is critical to maintain a Business. If we think of a website, having port 80(http) open to it from all the Internet is a given. This is where the security of the applications, network and data becomes a real challenge.
When considering the perimeter security, the most common tools that are available are some sort of firewalls, IPS/IDS systems, HIPS, regular Security Updates, Anti-Virus applications, NAC, password and document management systems. Real-time event monitoring and next generation firewalls/application layer firewalls are also available. However the listed technologies are deployed with the defaults most of the time, and using the common signatures that were developed for the public, and not focusing on your Company’s custom applications and programs.
Using the available signatures is very important, but we need to look at adding an extra layer of security by focusing on the custom and the zero-day threats.
The key is Anomaly Detection. The idea is that even if your application is in-house built or if there is a zero-day attack that a signature has not been developed for, there is a chance in identifying anomalous activity. If an anomaly is detected, it does not necessarily mean that there is an ongoing malicious activity, but the detection of unusual behaviour can be used to originate an investigation.
The following key benefits can be the outcome of Anomaly Detection/Monitoring and Pattern Discovery:
- Identifying the Actors on the network
- Identifying applications and programs that are already installed and running on the network
- Detection of potential unwanted and unknown applications on the network
- Detection of unusual requests or potential misuse against the applications/systems
- Reporting capability of detected source IPs/user names/applications and correlation of the same
- Assistance with developing a dynamic quarantine/block policy that can be used on the network
ITC Secure Networking can provide infrastructure and security management using HP ArcSight to help building a monitoring solution that can detect activities flagged up by the commonly used signatures, as well as monitor and alert on events from custom bespoke applications.
ITC also provide consultancy and management of next-generation firewalls, traditional firewalls and IPS/IDS/HIPS systems, vulnerability management like Qualys and NAC solutions like ForeScout.
To learn more about ITC’s products and services visit www.itcsecurity.com, or call (+44) 207 517 3900.