
By Daniel Ryan · May 2008
Imagine if 100 people knocked on your front door each day, but fewer than 10 of them were trustworthy. The rest were crooks, con artists and aspiring criminals. That’s the situation facing today’s Internet users. Some skeptics believe there is no stopping bot networks, phishing schemes and digital scams.
The threat landscape can be intimidating. On a typical day, the Internet hosts as many as 450,000 new individual zombies and tens of thousands of zombie networks. Each zombie network, in turn, generates the bulk of today’s Internet spam—which clogs corporate and personal e-mail systems.
In many cases, 95 percent of Internet mail is spam, according to Secure Computing Corp. researchers.
“I’ve spoken to clients where spam represents 97 percent of e-mail,” said Peter Firstbrook, research director at Gartner Inc.
A Hostile Threat Environment
This constant barrage threatens e-commerce and online communications. Some users have stopped opening unsolicited e-mails from sources they don’t recognize, said Russell Dean Vines, author of the best-selling book “Phishing: Cutting the Identity Theft Line.”
Other users have scaled back or halted plans to use e-commerce service. In the United Kingdom, for instance, nearly one-third of users cite security fears as the main reason for not using the Internet to manage their finances, according to a survey of 200 consumers conducted by BT Group PLC in 2005.
Organizations that continue to fight today’s threats with the same old security tools are in for a rude awakening.
“We’ve reached an inflection point with Internet security,” Vines said. “People are taking a step back and saying, ‘What can I do differently?’ ”
Evolving Security
Chief information security officers must embrace the next generation of threat detection and threat mitigation.
In the first generation of IT security, organizations relied heavily on antivirus signatures as part of a reactive security strategy. Those signatures were useful and helpful, but they didn’t help organizations combat new viruses and threats that lacked documented signatures.
Antivirus signatures are similar to criminal fingerprints. It’s difficult to identify, track and stop a thief using fingerprints if he has yet to leave any prints at a crime scene. Likewise, you can’t use an antivirus signature to combat a virus if that signature has yet to be written.
Signatures are binary: a file either matches or it doesn’t, and that is a problem. When a security company writes a signature for a virus threat, it has to match the virus exactly. As viruses mutate and new ones emerge, companies that write signature-based security programs face a never-ending race to stay current.
A second generation of security technology—known as heuristics—is more flexible than signature-based technology. Heuristics assigns a value to what it observes and checks for anomalous behavior rather than requiring an exact match. These products represented a solid step in the right direction, offering supplemental security—but there also were some downsides.
First, heuristics products that tracked anomalous behavior sometimes led to false positives—much in the way that profiling can lead law enforcement officials to interrogate and sometimes arrest innocent parties. The other problem involved traffic. In order to keep data moving at a reasonable rate across a network, businesses can’t afford to analyze every piece of information that flows across the network fabric.
Faced with the limitations of first- and second-generation security products, CISOs have been seeking third-generation solutions that focus on behavior-based security.
Rethinking Protection
For some organizations, the threat landscape is overwhelming. Many vendors are answering the call for help with so-called proactive security products.
Dozens of vendors claim they can keep you ahead of the threat curve with products that anticipate problems before they occur. A few now claim they have zero-day threat protection, which means they claim to safeguard networks from newly discovered exploits. These and other claims are creating noise and confusion in the security marketplace.
Still, savvy CISOs have discovered the power of what we can only now call a sub-zero threat protection system. Instead of sitting back and waiting for attackers to come knocking, CISOs are leveraging a reputation-based system—a third-generation security solution that identifies who can be trusted and who cannot.
To understand how a reputation-based system works, consider the world of financial credit scores. In the 1960s, there was no such thing as a credit score. You were either a good risk or a bad risk for the lender. There was no gray area for financial lenders to make informed decisions.
To improve the lending system, financial firms invented credit scoring systems based on a history of business transactions, personal transactions and personal payment patterns. Suddenly, loans could have variable terms and interest rates based on financial credit scores.
Apply that same example to the IT security market. Security developers have borrowed a page from financial companies, making available a threat reputation scoring system based on Internet entities.
The threat reputation system scans all IPs, domains, URLs, e-mail messages and images, and pinpoints how trustworthy they are by looking at their behavior—and their reputation—in real time. Then, the system accurately categorizes them. Instead of simply placing Internet entities into trusted and untrusted buckets, the system ranks Internet entities on a confidence scale that’s similar to the credit score model used by financial lenders. This mitigates false positives within the system.
For more than four years, the global system known as TrustedSource has been in development, and now, more than 20,000 companies worldwide are counting on the advanced security system to protect against threats before they can enter the network.
“This isn’t something you build overnight,” said Roger Miller, president of Network Aware. “It takes considerable time, money and brainpower. Plus, you need an existing global network in place that allows you to collect and analyze all of the data you’re going to need for a true threat reputation system.”
Know the Options
Here’s how to separate fact from fiction as you evaluate potential threat reputation systems.
The reputation system has to be the first line of defense. Rather than sitting deep within the heart of your network, a threat reputation system sits on its edge and stamps out problems before they have a chance to touch the internal network.
Imagine, for instance, 100,000 emails hitting the threat reputation system. In this scenario, the application typically blocks and destroys 60,000 of the messages based purely on IP and domain reputation, calculated based on real-time behavior. And the protection doesn’t end there. The system stops an additional 15 percent or so of the messages based on image and message type. And finally, another 15 percent of messages are blocked based on in-depth heuristics.
“So, only about 10 percent of the mail directed at your network actually makes it into the networks,” said Ed Golod, president of Revenue Accelerators Inc.
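The credit-score analogy and the staged edge filter above can be made concrete with a small pipeline. The following is an added example written for this article, not Secure Computing’s or TrustedSource’s code: it scores each message on a 0–100 confidence scale from constructed IP and domain reputation tables, blocks or delivers outright only at the clear extremes, and passes the gray-area remainder to a message-type check and then to a heuristics stage, so the cheapest stage handles the most mail. The thresholds, reputation values, spam phrases and sample messages are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed reputation tables for illustration only; a production system would
# draw these from a live, globally fed reputation service. 0..100, higher = more trusted.
IP_REPUTATION = {
    "192.0.2.10": 5,       # constructed: persistent spam source
    "192.0.2.11": 35,      # constructed: dubious history
    "198.51.100.20": 92,   # constructed: well-behaved relay
}
DOMAIN_REPUTATION = {
    "example.com": 90,
    "example.net": 15,
}
UNKNOWN_SCORE = 50      # no history: gray area, neither trusted nor blocked
BLOCK_THRESHOLD = 20    # below this, block on reputation alone
TRUST_THRESHOLD = 80    # at or above this, deliver without deeper inspection

IMAGE_EXTENSIONS = {"gif", "jpg", "png"}
SPAM_PHRASES = ("free", "prize", "click here", "act now", "winner")


@dataclass
class Message:
    sender_ip: str
    sender_domain: str
    body: str
    attachments: list = field(default_factory=list)  # attachment extensions


@dataclass
class Verdict:
    stage: str    # stage that made the decision
    action: str   # "block" or "deliver"
    score: int    # reputation score that was in force


def reputation_score(msg):
    """Graded trust score: the weaker of IP and domain reputation dominates."""
    ip = IP_REPUTATION.get(msg.sender_ip, UNKNOWN_SCORE)
    domain = DOMAIN_REPUTATION.get(msg.sender_domain, UNKNOWN_SCORE)
    return min(ip, domain)


def stage_reputation(msg, score):
    """Stage 1: decide on reputation alone when it is clearly good or clearly bad."""
    if score < BLOCK_THRESHOLD:
        return Verdict("reputation", "block", score)
    if score >= TRUST_THRESHOLD:
        return Verdict("reputation", "deliver", score)
    return None  # gray area: defer to the deeper stages


def stage_message_type(msg, score):
    """Stage 2: image-only mail with no meaningful text is a classic spam shape."""
    image_only = (len(msg.body.strip()) < 20
                  and msg.attachments
                  and all(ext in IMAGE_EXTENSIONS for ext in msg.attachments))
    return Verdict("message_type", "block", score) if image_only else None


def stage_heuristics(msg, score):
    """Stage 3: the most expensive check, reached only by the gray-area remainder."""
    text = msg.body.lower()
    hits = sum(1 for phrase in SPAM_PHRASES if phrase in text)
    return Verdict("heuristics", "block" if hits >= 2 else "deliver", score)


def filter_message(msg):
    """Run the stages in order; the first stage that decides wins."""
    score = reputation_score(msg)
    for stage in (stage_reputation, stage_message_type, stage_heuristics):
        verdict = stage(msg, score)
        if verdict is not None:
            return verdict
    raise AssertionError("the heuristics stage always decides")


def run_pipeline(messages):
    """Count outcomes per stage, e.g. {'reputation:block': 1, ...}."""
    return dict(Counter(f"{v.stage}:{v.action}" for v in map(filter_message, messages)))


# Constructed sample traffic: one message per outcome the article describes.
SAMPLE_MESSAGES = [
    Message("192.0.2.10", "example.net", "cheap pills"),                      # blocked on reputation
    Message("198.51.100.20", "example.com", "Q2 report attached", ["pdf"]),   # trusted on reputation
    Message("192.0.2.11", "unknown.example", "", ["gif"]),                    # image-only spam
    Message("203.0.113.5", "unknown2.example", "You WON a prize! Click here for free money"),
    Message("203.0.113.6", "partner.example", "Agenda for Thursday's meeting", ["pdf"]),
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg.sender_ip, filter_message(msg))
    print(run_pipeline(SAMPLE_MESSAGES))
```

The design point is the ordering: reputation is a table lookup and runs on every message, while heuristics, the costly stage, only sees what the earlier stages could not decide, which is how an edge filter keeps throughput up without inspecting every byte.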
Looking ahead, this edge approach is the only way to protect networks and scale internal systems. Ironically, by adding more servers and horsepower to a network without a threat reputation system in place, users only increase the capacity to receive more spam—and the threats that come with it, such as phishing and other for-profit hacker schemes.
A Unique System
When designed correctly, threat reputation systems resemble massive, global intelligent grid networks that rapidly collect and share information across the system.
Admittedly, a handful of security companies collect virus- and spam-related data. But those collection systems are fairly rudimentary and are mostly used for antivirus research reports.
“It’s fine when an antivirus company starts describing a new virus threat that can exploit a software hole,” Miller said. “But that’s old school. A new school threat reputation system will need to dig much deeper.”
Think of the global system as a learning and information-sharing network. When one node within the system detects an anomaly or new threat, it passes on the information to every other node—much like a body’s immune system broadcasts the need for more white blood cells when an infection attempts to enter the system.
During a typical month, TrustedSource monitors billions of Internet transactions. Thanks to its global breadth and depth, the solution blocks up to 83 percent of mail volume and more than 90 percent of spam before anti-spam software even needs to kick in. Globally, it blocks 6.2 terabytes of spam daily.
Avoid False Positives
Some security vendors are designing systems based on overly simplistic good or bad methodologies. If the content is deemed to be from a trusted source, it’s allowed to enter the network. But if it’s deemed bad, it’s blocked. That strategy may have worked in the 1990s. But that black-and-white approach ignores the reality of today’s Internet traffic.
Simply put, there’s a broad gray area that can’t be ignored. For instance, you don’t want to block traffic from an entire Internet service provider if only one of its relays fails the reputation test.
“You want a system that delivers accurate results, and you want to avoid false positives,” Firstbrook said. “If you start blocking entire ISPs, you can wind up doing collateral damage.”
The threat reputation network has to have a rich object classification system that allows you to extensively define each threat you’re facing. For instance, the system should be granular enough to indicate that you want to block selected e-newsletters without labeling them as spam.
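The two points above, not condemning an entire ISP for one bad relay and classifying mail granularly enough that an unwanted newsletter is not labelled spam, are shown in the following added example. It is illustration written for this article, not TrustedSource’s classification system: relay scores are derived from constructed per-relay spam counts, a netblock is blocked only when more than half of its observed relays are bad, and the classifier assigns a category rather than a good/bad bit so that a per-user policy can block newsletters while the record still says “newsletter”. The addresses, counts, thresholds, header names and policy are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed per-relay history: relay IP -> (messages observed, messages confirmed spam).
# All addresses are from documentation ranges; the numbers are illustrative.
RELAY_OBSERVATIONS = {
    "203.0.113.10": (1000, 5),
    "203.0.113.11": (800, 2),
    "203.0.113.12": (500, 480),   # one compromised relay inside an otherwise clean ISP
    "203.0.113.13": (1200, 10),
    "198.51.100.5": (400, 390),   # a netblock where every observed relay sends spam
    "198.51.100.6": (300, 295),
}
ISP_NETBLOCKS = {
    "isp-a": ip_network("203.0.113.0/24"),
    "isp-b": ip_network("198.51.100.0/24"),
}

BAD_THRESHOLD = 20            # relay score below this is untrusted
NETBLOCK_BAD_FRACTION = 0.5   # block a whole netblock only when more than half its relays are bad


def relay_score(seen, spam):
    """Trust score 0..100 from the clean-mail fraction, with add-one smoothing so a
    relay with almost no history sits near 50 (the gray area) rather than at an extreme."""
    return round(100 * (seen - spam + 1) / (seen + 2))


def relay_verdict(ip):
    seen, spam = RELAY_OBSERVATIONS[ip]
    return "block" if relay_score(seen, spam) < BAD_THRESHOLD else "allow"


def netblock_verdict(netblock):
    """Aggregate relay verdicts so one bad relay cannot condemn its whole ISP."""
    relays = [ip for ip in RELAY_OBSERVATIONS if ip_address(ip) in netblock]
    bad = sum(1 for ip in relays if relay_verdict(ip) == "block")
    if relays and bad / len(relays) > NETBLOCK_BAD_FRACTION:
        return "block"
    return "allow"


def classify(msg):
    """Assign a category, not a good/bad bit. 'headers' is a set of lowercased header names."""
    if relay_verdict(msg["relay"]) == "block":
        return "spam"
    if "list-unsubscribe" in msg["headers"]:
        return "newsletter"   # bulk but legitimate: a class of its own, not spam
    return "personal"


def decide(msg, policy):
    """Return (category, action, reason). A policy block keeps its category label,
    so a newsletter the user opted out of is recorded as 'newsletter', never as 'spam'."""
    category = classify(msg)
    if category == "spam":
        return category, "block", "reputation"
    action = policy.get(category, "deliver")
    return category, action, ("policy" if action == "block" else "default")


# Constructed messages and a constructed per-user policy.
SAMPLE_MESSAGES = [
    {"relay": "203.0.113.10", "headers": {"list-unsubscribe", "subject"}},   # clean relay, newsletter
    {"relay": "203.0.113.12", "headers": {"subject"}},                       # the compromised relay
    {"relay": "203.0.113.11", "headers": {"subject"}},                       # clean relay, personal mail
]
USER_POLICY = {"newsletter": "block"}   # this user opted out of newsletters

if __name__ == "__main__":
    for name, block in ISP_NETBLOCKS.items():
        print(name, netblock_verdict(block))
    for msg in SAMPLE_MESSAGES:
        print(msg["relay"], decide(msg, USER_POLICY))
```

Keeping the reason (“reputation” versus “policy”) separate from the category is what prevents the collateral damage Firstbrook describes: a user preference never feeds back into the sender’s reputation, and a single compromised relay lowers only its own score.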
Find the Experts
To be sure, more big technology providers are dabbling in IT security. For those Goliaths, security is often a check mark they need to have when discussing overall product portfolios with customers.
Still, even Firstbrook concedes that big, broad technology companies will have a difficult time designing in-depth, global threat reputation systems.
“Those broad companies are doing a lot of great things, but it’s challenging for them to get really focused on something like threat reputation,” Firstbrook said.
This solution seems to be a breakthrough technology that enables organizations to minimize vulnerabilities, threats and risk often before they exist or can do damage. As a result, potential hackers, spammers, phishers and other attackers are halted in their tracks.
About the author
Daniel Ryan
Daniel Ryan is president and COO of Secure Computing Corp.