Firewalls and anti-virus applications used to suffice.
When intrusions gained momentum, security staff worked late coding patches and hot fixes. But now that "zero-day exploit" is the name of the game, security experts struggle to devise ways to defuse malware and other nefarious intent before catastrophe strikes.
An early warning solution would be an asset, especially to a global enterprise with thousands of network devices serving millions of customers. Fortunately, such "security alarms" are now available. Our experts recommended the leading brands, along with strategies on how they can be deployed most effectively.
"Initially an intrusion-detection appliance, StealthWatch is designed to identify zero-day, unknown, and undocumented attacks by alerting network teams about 'not normal' network traffic," according to Chris Hovis, VP of marketing and business development at Lancope.
StealthWatch is a standard, rack-mount PC running a hardened Linux operating system that passively watches traffic on the network and rates the suspiciousness of new traffic by comparing it to recognised traffic. It can tell what is normal by gathering baseline statistics, then uses complex algorithms and network heuristics to rate suspicious events according to a concern index that shows how unusual or serious the event might be.
Hovis gave an example: "Say you have a Web server that you do not use for FTP, and one day that server starts to service FTP requests. StealthWatch will send an alarm to the administrator with a notice of an important change. In this example, the administrator may find that a hacker has compromised the server and is using it to distribute pirated software or music."
StealthWatch categorises network traffic into "flows" to profile activity and detect nefarious behaviour. It quickly identifies known or unknown attacks, internal misuse, or misconfigured network devices, regardless of packet encryption or fragmentation.
Along with flow-based network anomaly detection, StealthWatch offers zone-based security policies. Network administrators can configure groups of hosts, adapting them to the logical or hierarchical security structures and methodologies of the organisation.
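The baseline-then-score approach described above, illustrated with an added toy example that is not Lancope's or StealthWatch's code; the flow records, the per-port seriousness weights and the point values are constructed assumptions, and the scorer flags Hovis's case of a web server that suddenly starts serving FTP:

```python
from collections import defaultdict
from statistics import mean

# Constructed baseline flows observed during a learning period:
# (client, server, dst_port, bytes). web01 only ever serves HTTP/HTTPS.
BASELINE_FLOWS = [
    ("10.0.1.5", "web01", 80, 1200), ("10.0.1.6", "web01", 80, 900),
    ("10.0.1.7", "web01", 443, 1500), ("10.0.1.5", "web01", 443, 1100),
    ("10.0.1.8", "mail01", 25, 4000), ("10.0.1.9", "mail01", 25, 3800),
]

# Assumed seriousness weights for services that move files or give
# interactive access; any port not listed gets weight 1.
SERIOUS_PORTS = {21: 3, 22: 2, 23: 3, 445: 2}

def build_baseline(flows):
    """Per server: the set of ports it served and its mean bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for _client, server, port, nbytes in flows:
        ports[server].add(port)
        sizes[server].append(nbytes)
    return {s: (ports[s], mean(sizes[s])) for s in ports}

def concern_index(flow, baseline):
    """0 = looks like learned traffic; higher = more unusual or serious."""
    _client, server, port, nbytes = flow
    if server not in baseline:
        return 10 * SERIOUS_PORTS.get(port, 1)  # never-seen host: mild concern
    known_ports, avg = baseline[server]
    score = 0
    if port not in known_ports:
        score += 40 * SERIOUS_PORTS.get(port, 1)  # known host, new service
    if nbytes > 5 * avg:
        score += 20  # volume well above what this host usually moves
    return score

def alerts(flows, baseline, threshold=30):
    """Return (flow, score) pairs whose concern index reaches the threshold."""
    scored = [(f, concern_index(f, baseline)) for f in flows]
    return [(f, s) for f, s in scored if s >= threshold]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    new = [("10.0.1.5", "web01", 80, 1000),       # ordinary web request
           ("203.0.113.9", "web01", 21, 90000),   # web server now serving FTP
           ("10.0.1.8", "mail01", 25, 3900)]      # ordinary mail delivery
    for flow, score in alerts(new, base):
        print(f"ALERT concern={score} flow={flow}")
```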
Close the gap between prediction and mitigation
According to Stan Quintana, VP of managed security services at AT&T, "the premise behind any product/tool that offers analysis and protection is (a) how good and predictive the intelligence being gathered is, and (b) the velocity in which that information can be turned into a mitigation solution."
AT&T Internet Protect Service boasts true predictive information on worms, viruses, D/DoS, and other types of attacks that develop in the network. AT&T notifies its clients within minutes of detecting malicious activity and cyberattacks, and recommends necessary actions to mitigate the event before damage sets in.
"The advantage of having predictive information lies in the ability to quickly turn this information into security rules that can mitigate the security event on a real-time basis," said Quintana.
More important, Quintana said, customers should also have systemic policy management practices in place so that the security infrastructure is current with the changing face of the risk environment. "In addition, having overall management and monitoring, and incident management capabilities, is critical to ensure that the security landscape is addressed on a holistic end-to-end basis," he advised.
Don't forget the employee desktop
"As the effectiveness of network and perimeter security diminishes, hackers have begun to utilise the employee, which can be the weakest link in an organisation's security infrastructure," according to Dan Hubbard, director of product and systems analysis at Websense. Therefore, any complete security strategy for organisations should include protection at the employee desktop level, he said.