Computer, heal thyself
While quantum physicists work through the practical challenges necessary to make quantum encryption more than a research novelty, other researchers are focusing their efforts on improving the intelligence of security systems. In particular, there is considerable movement towards helping customers build intelligent, self-monitoring, and self-managing IT systems.
Researchers have expended considerable effort devising ways to model the human immune system in the design of tomorrow's computers. Just as a body's immune response depends on its ability to quickly recognise and defeat intruding pathogens, computers need to be able to recognise changes in a system's behaviour and proactively move to remedy the situation. Methods for doing this, however, are not intuitive: computers lack the inherent self-awareness necessary to continually monitor themselves and perform their normal tasks at the same time.
Work in artificial immunology, however, promises to change this, particularly with respect to intrusion detection systems. Such systems have typically relied on matching observed behaviour with well understood patterns that indicate malicious activity. But hackers who are familiar with IDS techniques have proven extremely persistent at working around the systems; to foil them, developers want to give the systems the ability to identify potentially dangerous network activities by observing them and judging their nature.
IBM offered a glimpse of this technique with the recent release of the latest version of its DB2 database. DB2, which once sat passively by waiting for applications to request that it store or retrieve information, has now been designed to continually monitor, and optimise, its own performance.
If DB2 detects that a configuration error is slowing down performance, it can automatically tweak the setting or notify its human administrators of the problem. If it senses that a different data structure could improve its ability to return meaningful results, it can restructure the data on the fly.
Extrapolating this approach to the security field requires a similar sense of self-awareness on the part of the application, although in this paradigm that self-awareness must stretch far across the enterprise to meaningfully integrate all manner of point security products. Just how to make that happen has been a point of much deliberation on the part of security vendors keen to turn the digital immune system into reality.
Making sense of it all
In the shorter term, technologists are facing the far more pressing challenge of managing the data already being produced by the various components of the security system. Dr Tim Cranny, senior consulting engineer with managed security provider 90East, believes implementation of such monitoring systems will be the next major step in the consolidation of enterprise IT security systems. "We don't need more data," he says. "We just need the intelligence to analyse it better. At the end of the day, it often comes down to having a human being in the loop. But that's expensive and imperfect, and responds at a human time scale. That's the problem everyone is facing: we need expert systems, neural networks, and genetic algorithm type systems that can fill the same role as a medium-level trained human being."
One early entrant into this race is Sydney startup Tier-3, whose flagship Huntsman product is built around an artificial intelligence engine for picking out correlations between data streams emanating from all manner of security products. By cross-tabulating log entries showing suspicious events, Huntsman is proving remarkably adept at weeding out the flood of false positives that often obscure visibility of real attacks against a company.
"We see companies with access to technology, and expertise to use it, get hacked every day of the week even though they have all this technology and have the right people to do it," says Tier-3 products director Mike Collins, one of a small group of security consultants who founded Tier-3 several years ago in an effort to facilitate more proactive security.
"Any hacker that's any good has probably covered his tracks, so 95 percent of the time all we could do was recommend things our clients could do to prevent it happening again in the future. We see the problem as an issue of managing the infrastructure and putting context around the security information you collect. We've seen hundreds of thousands of alerts per day, and [Huntsman] has tuned that down to hundreds per day."
That's far more manageable for security staff to sift through. And just as a security guard must watch monitors covering all different areas of a building, so too must those charged with information security find a way to observe goings-on across the entire infrastructure. Given that solutions like Huntsman support a broad range of third-party logging formats from various security platforms, applying artificial intelligence and pattern recognition technology to their output will finally consolidate the security mechanisms companies have installed.
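The cross-source correlation described above, reduced to its simplest form as an added example (this is not Huntsman's or Tier-3's code): two constructed log formats are normalised to one event shape, and an incident is raised only when more than one product reports the same source/destination pair inside a short window. The log lines, field layouts and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two products; the formats are invented for this
# example and do not correspond to any real vendor's output.
FIREWALL_LOGS = [
    "2002-08-01T10:00:01 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2002-08-01T10:00:03 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=23",
    "2002-08-01T10:00:04 fw DENY src=203.0.113.7 dst=192.0.2.10 dport=80",
    "2002-08-01T10:05:00 fw DENY src=198.51.100.9 dst=192.0.2.10 dport=445",
]
IDS_LOGS = [
    "Aug  1 10:00:05 ids alert: PORTSCAN from 203.0.113.7 to 192.0.2.10",
    "Aug  1 11:30:00 ids alert: PORTSCAN from 198.51.100.9 to 192.0.2.10",
]
FW_RE = re.compile(r"^(\S+) fw (\w+) src=(\S+) dst=(\S+)")
IDS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ids alert: (\w+) from (\S+) to (\S+)")

def normalise(line, year=2002):
    """Map each vendor format onto one common tuple: (ts, product, kind, src_ip, dst_ip)."""
    m = FW_RE.match(line)
    if m:
        return (datetime.fromisoformat(m.group(1)), "fw", m.group(2), m.group(3), m.group(4))
    m = IDS_RE.match(line)
    if m:
        # syslog-style timestamps carry no year; the caller supplies it
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        return (ts, "ids", m.group(2), m.group(3), m.group(4))
    return None  # unknown format: ignored rather than guessed

def correlate(lines, window=timedelta(minutes=2), min_products=2):
    """Return (raw_event_count, incidents). An incident is one (src, dst) pair that at
    least `min_products` distinct products reported within `window` of each other."""
    events = [e for e in (normalise(l) for l in lines) if e]
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev[3], ev[4])].append(ev)
    incidents = []
    for (src, dst), evs in by_pair.items():
        evs.sort()  # chronological; tuples compare on the timestamp first
        for ev in evs:
            in_window = [e for e in evs if ev[0] <= e[0] <= ev[0] + window]
            products = {e[1] for e in in_window}
            if len(products) >= min_products:
                incidents.append({"src": src, "dst": dst, "start": ev[0],
                                  "products": sorted(products), "raw_alerts": len(evs)})
                break  # one incident per pair is enough for the analyst queue
    return len(events), incidents
```

Run on the sample above, six raw alerts collapse to one incident: the 198.51.100.9 firewall deny and its IDS alert are 85 minutes apart, so they never corroborate each other and stay out of the queue.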
Community interest
The need to add expert analysis and self-healing capabilities may ultimately drive many companies to involve external firms offering managed security services. Customer timidity has so far limited these companies to relatively small roles such as responding to firewall and intrusion detection system alerts.
However, growing recognition of the need for companies to up their security game should drive increasing reliance on outside parties. IDC, for one, has projected the market for managed security services will grow from US$720 million in 2000 to US$2.2 billion by 2005, a healthy 25 percent compound annual growth rate. In the future, security will clearly be a group effort, particularly amongst smaller companies that don't have the resources to hire and keep security-savvy employees.
Hardware providers will also play a more active role in enterprise security. By building firewall capabilities into high-capacity network switches, infrastructure equipment vendors will allow telecommunications companies to make security services an integral part of their service offerings. Nortel Networks, for one, recently launched a firewall-based, VPN-capable appliance capable of managing 3.2Gbps of aggregate throughput and 500,000 concurrent connections per second.
"We're looking to make sure security does not mean a huge performance trade-off," says Atul Bhatnagar, Intelligent Edge vice president and general manager with Nortel Networks. "In the next two to three years, these appliances will come back into the switching fabric in a more meaningful manner."
Hardware will also play a critical part in Microsoft's Palladium initiative, the company's much-discussed but so far little-detailed strategy for building a network of trusted systems online. Palladium is clearly designed to facilitate Microsoft's push towards Web services, since ensuring the identity of online systems is key to building a trusted Web services infrastructure.
But Palladium could well end up dead in the water: it depends on PC users to turn on a system that currently offers them no real benefit, but would force a major re-engineering of application infrastructures and security methods. Given the almost universal uproar that came when Intel dared to put just a serial number in its processors, there is likely to be even stronger opposition to Palladium. And without a compelling business case, it's likely that the corporate community may be equally sceptical.
Short-term solutions
Practical or not, even Microsoft concedes that initiatives like Palladium are years away. Completely new methods such as quantum cryptography will take equally long to become practical. For now, companies will continue to couch their security initiatives in terms of existing technology.
But is that enough? As malicious hackers have demonstrated time and again, the patience of an attacker cannot be underestimated. The steady stream of Web site exploits, server vulnerabilities, and buffer overflow problems has failed to slow despite widespread awareness of security problems and a culture that's become far more accepting of hackers sharing their findings with the general public. Meanwhile, most companies are still struggling to make effective use of the security technologies they've already bought.
True security requires continual revisiting, both of technological protections and of the corporate policies that must be created to match. It also, like it or not, will require continual funding and a commitment to the firefighting that has become a way of life for anyone involved in security. This will be the primary way of minimising the threat from software vulnerabilities until radical change can be effected. And that change doesn't come easily.
"It's become clear in the past year that what we need isn't going to be built out of the things we've had," says Calum Russell, solutions marketing manager for IT infrastructure with Microsoft Australia. "You cannot say that security is just about patching software, and making passwords ever more complex is not the quantum leap that we need. But we're not going to see it out for a while. It's an evolution, and it's going to take some time."