by RSS Nils von Greyerz  |  May 14, 2014  |  Filed in: Industry Trends

When companies grow, their networks grow with them. What naturally follows is a growth in administration. As a Systems Engineer in the Nordics I meet a lot of quickly growing companies and they have a lot in common when it comes to facing the challenges of their rapid growth. Typically they will have very flat network structures and simple security solutions all managed by a single person or a very small team. These small teams are made up of generalists that need to cover everything including virtual environments, storage, networks, firewalls and general security. Sooner or later, these IT teams will enter a critical phase between small and mid-size.

At this critical phase there are a lot of projects going on and the staff is under a lot of stress. This is a critical time especially for security and there are a lot of things to be done. Unfortunately, security is often put on hold for tasks such as redesign of the network or implementation of newly acquired business support systems (cloud based or not). I'll get back to that in my next blog post.

When push comes to shove there needs to be a security solution on the table. Let's disregard the whole company security policy discussion for a moment (it would be a very, very big blog post) and look at threat prevention in terms of advanced threat detection (ATD).

The ATD Solution

Generally an ATD/Sandboxing solution does not replace proper threat prevention technologies - traditional antivirus, web filter, and IPS. But it is a good compliment and here is why:

    Most malwares today are distributed broadly and are often a part of building a botnet. So a client downloads a file playing host to malware, file dropper, or the like.
      The first thing a UTM firewall will do is to check its policies to see if the client is allowed to access the server at all.
  If this is ok the web filter will be checked to see if access to this site is allowed, let us assume that the malwares URL is tagged as a malicious site and we block that category. Problem solved, a log entry is made about the incident and that is it. This could be presented in a report or flagged for further investigation.
  But what if it is not flagged as a malicious site? Then the file is downloaded to the firewall (a proxy mode, transparent to the user) for the next check. The IPS Engine. At Fortinet, we have developed a highly effective and efficient intrusion prevention engine that performs more sophisticated inspection than simple traffic pattern matching. In many cases, the traffic activity designed to slip malicious code past other filters allows us to block its delivery. Finally, the antivirus engine inspects objects that have passed the previous filters using our unique Compact Pattern Recognition Language (CPRL) to identify families of malware. Some heuristic tests and emulation are also run. Anything that manages to get through goes into the sandbox.
      For most organizations without special security concerns it is valid to assume that the file will be delivered to the client regardless of testing positive or negative for malware behavior in the sandbox. This is due to the processing time in a sandbox environment which can take as long as 3 minutes; it would be fairly intrusive to the end user to hold the file during the sandboxing process. Meanwhile the sandbox is trying to determine what the file is doing by executing it on different OS releases, most common is Windows XP SP3 and Windows 7 64-bit.
      What the sandbox is looking for is behaviors such as, but not limited to: If the file is downloading malwares and executing them, injecting code into other processes, creating files in the user's home directories or placing auto start capabilities on the file for the next reboot.By scoring the files behavior, the sandbox can report to the IT staff the likeliness of the file being malicious, some are straight forward to analyze and other more complex.

These can be, looking at the environment such as lack of applications for targeted OS, extended sleep calls, mouse and keyboard input, forcing the user to make an active choice by asking for some confirmation with a pop up. Sandboxing will always be a cat and mouse game against malware developers.

The malware gets detected and scores high, a notification is sent to the IT staff and now the work begins. Was the file sent to a machine that can execute it or not? Was it shared? Was it executed? Was the virus detected by the local antivirus client?

More often than not the simplest action is to reinstall the machine and just get on with every day IT work. But it is important for even small organizations to have a defined, if straightforward, response process. That's all good but an ATD solution can put enormous pressure on the IT staff and forcing them to handle reinstallation of machines, restoring backups and such.

Even worse, it can distract the staff from more serious problems and intrusion attempts. If you get a lot of hits in your sandbox and you are a company that are not regularly facing external threats you will be doing a lot of reinstallations and damage control.

It is also likely that the antivirus and web filter could be improved. Which is why the relationship between advanced threat detection and traditional threat prevention is so important.

Bottom line:

With a proper base line defense of firewalling, Web filtering, network based antivirus and client antivirus the company IT staff will be able to cope.

In this case an Advanced Threat Detection solution adds a great extra layer of security. If basic security functions are lacking, the sandbox will get a lot of hits and send the IT staff to less qualified tasks than needed and distracts from real threats.

In the SMB segment, that is a big problem.

by RSS Nils von Greyerz  |  May 14, 2014  |  Filed in: Industry Trends