Transcript of a BriefingsDirect podcast on how the strategy of dealing with malware is shifting from reaction to prevention.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.
Dana Gardner: Hello, and welcome to the next edition of the
HP Discover Podcast Series. I’m
Dana Gardner,
Principal Analyst at Interarbor Solutions, your co-host and moderator
for this ongoing discussion of IT innovation and how it’s making an
impact on people’s lives.
Once again, we’re focusing on how IT leaders are
improving the security and availability of services to deliver better
experiences and payoffs for businesses and end users alike.
We have a fascinating show today. We’re going to be exploring the ins and outs of improving enterprise
intrusion prevention systems (IPS), and we will see how
HP
and its global cyber security partners have made the HP Global Network
more resilient and safe. We’ll will hear how a vision for
security has been effectively translated into actual implementation.
To
learn more about how HP itself has created role-based and granular
access control benefits amid real-time yet intelligent intrusion
protection, please join me in welcoming our guest, Jim
O'Shea, Network Security Architect for
HP Cyber Security Strategy and Infrastructure Engagement. Welcome to the show, Jim.
Jim O’Shea: Hello, Dana. Thank you.
Gardner:
Before we get into the nitty-gritty, what do you think are some of the
major trends that are driving the need for better
intrusion prevention systems nowadays?
O’Shea:
If you look at the past, it was about detection, and you had reaction
technologies. We had firewalls that blocked and looked at the port
level. Then, we evolved to trying to detect things that were malicious
with intent by using IDS.
But that was a reactionary-type thing. It was a nice approach, but we
were reacting. Something happened, you reacted, but if you knew it was
bad, why did we let it in in the first place?
The
evolution was the IPS, the prevention. If you know it's bad, why do you
even want to see it? Why do you want to try to react to it? Just block
it. That’s the trend that we’ve been following.
Gardner:
But we can’t just have a black-and-white situation. It’s much more
gray. There are sorts of intrusion, I suppose, that we want. We want
access control, rather than just a
firewall.
So is there a new thinking, a new vision, that’s been developed over
the past several years about these networks and what should or shouldn't
be allowed through them?
O’Shea: You’re talking
about letting the
good in. Those are the evolutions and the trends that
we are all trying to strive for. Get the good traffic in. Get
who you
are in. Maybe look at what you have. You can explore the health of your
device. Those are all trends that we’re all striving for now.
Gardner: I recall Jim, that there was a
Ponemon Institute report about a year or so ago that really outlined some of the issues
here. Do you recall that? Were there any issues in there that illustrate
this trend toward a different type of network and a different approach
to protection?
Number of attacks
O’Shea: The Ponemon
study was illustrating the vast number of attacks and the trend toward the costs for intrusion. It was
highlighting those type of trends, all of which we’re trying to head
off. Those type of reports are guiding factors in taking a
more proactive, automated-type response.
[Learn more about intrusion prevention systems.]
Gardner: I suppose what’s also different nowadays is that we’re not only
concerned with outside issues in terms of risk,
but also insider attacks.
It’s being able to detect behaviors and things that occur that data can
detect. The analysis can then provide perhaps a heads-up across the
network, regardless of whether they have access or not. What are the
risk issues now when we think about insider attacks, rather than just
outside penetration?
O’Shea: You’re exactly
right. Are you hiring the right people? That’s a big issue. Are they
being influenced? Those are all huge issues.
Big data
can handle some of that and pull that in. Our approach on intrusion
prevention wasn’t to just look at what’s coming from the outside, but it
was also look at data traversing the network.
You have a whole rogue wireless-type approach in which people can gain access and can they probe and poke around.
When we deployed the
TippingPoint solution,
we didn’t change our policies or profiles that we were deploying based
on whether it’s starting on the inside or starting on the outside.
It was an equal deployment.
An insider attack could
also be somebody who walks into a facility, gains physical access, and
connects to your network. You have a whole rogue wireless-type approach
in which people can gain access and can they probe and poke around. And
if it’s
malware traffic from our perspective, with the IDS we took the
approach, inside or outside -- doesn’t matter. If we can detect it, if we
can be in the path, it’s a block.
Gardner: For
those of our listeners who might not be familiar with the term
“intrusion prevention systems,” maybe you could illustrate and flesh
that out a bit. What do we mean by IPS? What are we talking about? Are these
technologies? Are these processes, methodologies, or all of the above?
O’Shea: TippingPoint technology is an
appliance-based
technology. It’s an inline device. We deploy it inline. It sits in the
network, and the traffic is flowing through it. It’s looking for
characteristics or reputation on the type of traffic, and reputation is a
more real-time change in the system. This network, IP address, or URL
is known for malware,
etc. That’s a
dynamic update, but the static updates are
signature-type, and the detection of vulnerability or a specific exploit
aimed at an operating system.
So intrusion prevention
is through the detection of that, and blocking and preventing that from
completing its communication to the end node.
Gardner:
And these work in conjunction with other approaches, such as security
information, event management, and network-based anomaly detection. Is
that correct? How do they work together?
Bigger picture
O’Shea: All the events get logged into
HP ArcSight
to create the bigger picture. Are you seeing these type of events
occurring other places? So you have the bigger picture correlation.
Network-based
anomaly detection is the ability to detect something that is occurring
in the network and it's based on an IP address or it’s based on a flow.
Taking advantage of reputation we can insert those IP addresses,
detected based on flow, that are doing something anomalous.
It could be that they’re beaconing out, spreading a
worm.
If they look like they’re causing concerns with a high degree of
accuracy, then we can put that into the reputation and take advantage of
moving blocks.
So reputation is a self-deploying
feature. You insert an IP address into it and it can self-update. We
haven’t taken the automated step yet, although that’s in the plan.
Today, it’s a manual process for us, but ideally, through
application programming interfaces (APIs), we can automate all that. It works in a lab, but we haven’t deployed it on our production that way.
Gardner:
Clearly HP is a good example of a large enterprise,
one of the largest in the world, with global presence, with a lot of technology, a lot of
intellectual property, and therefore a lot to protect. Let’s look at how you
actually approached protecting the HP network.
We wanted to prevent mal traffic, mal-formed traffic, malware -- any traffic with the mal intent of reaching the data center.
What’s
the vision, if you will, for HP's Global Cyber Security, when it comes
to these newer approaches? Do you have an overarching vision that then
you can implement? How do we begin to think about chunking out the
problem in order to then solve it effectively?
O’Shea:
You want to be able to detect, block, and prevent as an overarching
strategy. We also wanted to take advantage of inserting a giant filter
inline on all data that’s going into
the data center. We wanted to prevent mal traffic, mal-formed traffic, malware -- any traffic with the "mal" intent of reaching the data center.
So
why make that an application decision to block and rely on host-level
defenses, when we have the opportunity to do it at the network? So it
made the network more hygienically clean, blocking traffic that you
don’t want to see.
We wrapped it around the data center, so all traffic going into our data centers goes through that type of filter.
[Learn more about intrusion prevention systems.]
Gardner:
You’ve mentioned a few HP products: TippingPoint and ArcSight, for
example, but this is a larger ecosystem approach and play. Tell us a
little bit about partnerships, other technologies, and even the
partnerships for implementation, not just the technology, but the
process and methodologies as well.
Key to deployment
O’Shea:
That was key to our deployment, because it is an inline technology and
you are going inline in the network. You’re changing flows, where it
could be mal traffic, but yet maybe a researcher is trying to do
something. So we need to have the ability to have that level of
partnership with the network team. They have to see it. They have to
understand what it is. It has to be manageable.
When we
deployed it, we looked at what could go wrong and we designed around
that. What could go wrong? A device failed. So we have an
N+1
type installation. If a single device fails, we’re not down, we are not
blocking traffic. We have the ability to handle the capacity of our
network, which grows, and we are growing, and so it has to be built for
the now and the future. It has to be manageable.
It
has to be able to be understood by “first responders,” the people that
get called first. Everybody blames the network first, and then it's the
application afterward. So the network team gets pulled in on many
calls, at all types of hours, and they have to be able to get that view.
That
was key to get them broad-based training, so that the technology was
there. Get a process integrated into how you’re going to handle updates
and how you’re going to add beyond what TippingPoint recommended.
TippingPoint makes a recommendation on profiles and new settings. If we
take that, do we want to add other things? So we have to have a global
cyber-security view and a global cyber-security input and have that all
vetted.
The application team had to be onboard and
aware, so that everybody understands. Finally, because we were going
into a very large installed network that was handling a lot of different
types of traffic, we brought in TippingPoint Professional Services and
had everything looked at, re-looked at, and signed off on, so that what
we’re doing is a best practice. We looked at it from multiple angles and
took a lot of things into consideration.
We proxy the events. That gives us the ability to have multiple ArcSight instances and also to evolve.
Gardner:
Now, we have different groups of people that need to work in concert to
a larger degree than in the past. We have application folks, network
folks, outside service providers, and network providers. It seems that
we are asking for a complete view of security, which means people need
to be coordinated and cooperative in ways that they hadn’t had to be
before.
Is there something about
TippingPoint and
ArcSight that provides data, views, and analytics in such a way that
it's easier for these groups to work together in ways that they hadn’t
before? We know that they have to work together, but is there something
about the technology that helps them work together, or gives them common
views or inputs that grease the skids to collaboration?
O’Shea:
One of the nice things about the way the TippingPoint events occur is
that you have a choice. You can send them from an individual IDS units
themselves or you can proxy them from the management console. Again, the
ability to manage was critical to us, so we chose to do it from the
console.
We proxy the events. That gives us the
ability to have multiple ArcSight instances and also to evolve. ArcSight
evolves. When they’re changing, evolving, and growing, and they want to
bring up a new collector, we’re able to send very rapidly to the new
collector.
ArcSight pulls in firewall logs. You can
get proxy events and events from antivirus. You can pull in that whole
view and get a bigger picture at the ArcSight console. The TippingPoint
view is of what’s happening from the inline TippingPoint and what's
traversing it. Then, the ArcSight view adds a lot of depth to that.
Very flexible
So
it gives a very broad picture, but from the
TippingPoint view, we’re
very flexible and able to add and stay in step with ArcSight growth
quickly. It's kind of a concert. That includes sending events on
different ports. You’re not restricted to one port. If you want to
create a secure port or a unique port for your events to go on to
ArcSight, you have that ability.
Gardner: We’ve
heard, of course, how important real-time reaction is, and even gaining
insights to be able to anticipate and be proactive. What is it that you
learned through this process that allowed you to make that latency
reduced or eliminated so that the amount of time that things go on is
cut. I’ve heard that a lot of times you can't prevent intrusion, but you
can prevent the damage of intrusion. So how does it work in terms of
this low latency time element?
O’Shea: With
TippingPoint, you get to see when an exploit is triggered, TippingPoint
has a concept of
Zero Days and it has a concept of
Reputation.
Reputation is an ongoing change, and Zero Day is a deployment of a
profile. Think of Reputation as a constant updating of signatures as
sites change and how the industry is recognizing them. So that gives you
an ability to have a view of a site that people frequented and may now
be compromised. You have that ability to see that because the Reputation
of the site changed.
With TippingPoint being a block
technology, you have the low latency. The latency is being detected and
blocked, but now, when you pull it back into ArcSight, you have the
ability to see a holistic view. We’re seeing these events or something
that looks similar. The network-based anomaly detection is reporting
some strange things happening, or you have some antivirus things that
are reporting.
That’s a different type of reaction.
You can react and deploy and say that you want to take action against
whatever it is you are seeing. Maybe you need to put up a new firewall
block to alleviate something.
That’s a different type of reaction. You can react and deploy and say
that you want to take action against whatever it is you are seeing.
Or
on the other hand, if TippingPoint is not seeing it, maybe you have the
opportunity to activate this new signature more rapidly and deploy new
profile. This is something new, and you can take action right away.
Gardner:
Jim, let's talk a bit about what you get when you do this correctly. So
using HP’s example, what were some of the paybacks, both in technical
terms, maybe metrics of success technically, but then also business
results? What happens when you can deploy these systems, develop those
partnerships, and get cooperation? How can we measure what we have done
here?
O’Shea: One of the things that we did
wrong in our deployment is that we didn’t have a baseline of what is mal
or what is bad. So, as it was a moving deployment, we don’t have hard
and fast metrics of a before and after view. But again, you don’t know
what's bad until you start trying to detect it. It might not have been
for us to even take that type of view.
We deployed TippingPoint. After the deployment we’ve had some
DoS attacks
against us, and they have been blocked and deflected. We’ve had some
other events that we have been able to block and defend rapidly.
[Learn more about intrusion prevention systems.]
If you think back historically of how we dealt with them, those were kind of a
Whac-A-Mole-type
of defenses. Something happened, and you reacted. So I guess the metric
would be that we’re not as reactionary, but do we have hard metrics to
prove that? I don’t have those.
How much volume?
Gardner:
We can appreciate the scale of what the systems are capable of. Do we
have a number of events detected or that sort of thing, blocks per
month, any sense of how much volume we can handle?
O’Shea:
We took a month’s sample. I’m trying to recall the exact number, but it
was 100 million events in one month that were detected as mal events.
That’s including Internet-facing events. That’s why the volume is high,
but it was 100 million events that were automatically blocked and that
were flagged as mal events.
The Professional Services teams have been able to deploy in a very large
network and have worked with the requirements that a large enterprise
has.
Gardner: How do you now take this out to the market? Is there a
cyber-security
platform? Do you have a services component? You’ve done this
internally, but how do you take this out to the market, combining the
products, the services, and the methodologies?
O’Shea:
I’m not on the product marketing side, but TippingPoint has learned
from us and we’ve partnered with them. We’re constantly sharing back
with them. So the give-back to
TippingPoint, as a product division, is
that they can see real traffic, in a real high-volume network, and they
can pretest their signatures.
There are active
lighthouse-type installs, lighthouse meaning that they’re not actively
blocking. They’re just observing, and they are testing their next
iteration of software and the next group of profiles. They’re able to do
that for themselves, and it's a give back that has worked. What we
receive is a better product, and what everybody else receives is a
better product.
The Professional Services teams have
been able to deploy in a very large network and have worked with the
requirements that a large enterprise has. That includes standard
deployment, how things are connected and what the drawings are going to
look like, as well as how are you going to cable it up.
A
large enterprise has different standards than a small business would
have, and that was a give back to the Professional Services to be able
to deploy it in a large enterprise. It has been a good relationship, and
there is always opportunity for improvement, but it certainly has
helped.
Current trends
Gardner:
Jim, looking to the future a little bit, we know that there’s going to
be more and more cloud and hybrid-cloud types of activities. We’re
certainly seeing already a huge uptick in mobile device and tablet use
on corporate networks. This is also part of the
bring-your-own-device (BYOD) trend that we’re seeing.
So
should we expect a higher degree of risk and more variables and
complication, and what does that portend for the use of these types of
technologies going forward? How much gain do you get by getting on the
IDS bandwagon sooner rather than later?
O’Shea:
BYOD is a new twist on things and it means something different to
everybody, because it's an acronym term, but let's take the view of you
bringing in a product you buy.
BYOD is a new twist on things and it means something different to everybody, because it's an acronym term.
Somebody is always going to get a new device, they are
going to bring in it, they are going to try it out, and they are going
to connect it to the corporate network, if they can. And because they
are coming from a different environment and they’re not necessarily to
corporate standards, they may bring unwanted guests into the network, in
terms of malware.
Now, we have the opportunity,
because we are inline, to detect and block that right away. Because we
are an integrated ecosystem, they will show up as anomalous events.
ArcSight and our Cyber Defense Center will be able to see those events.
So you get a bigger picture.
Those events can be then
translated into removing that node from the network. We have that
opportunity to do that. BYOD not only brings your own device, but it
also brings things you don’t know that are going to happen, and the only
way to block that is prevention and anomalous type detection, and then
try to bring it altogether in a bigger picture.
Gardner:
Well, great. I’m afraid we will have to leave it there. We’ve been
learning about the modern ins and outs of improving enterprise intrusion
prevention systems, and we’ve heard about how HP itself has created
more of a granular access control benefit amid real-time, yet
intelligent, intrusion detection and protection.
I’d like to thank
the supporter for this series, HP Software, and remind our audience to
carry on the dialogue through the
Discover Group on LinkedIn. And of
course, a big thank you to our guest, Jim O'Shea, Network Security
Architect for
HP Cyber Security Strategy and Infrastructure Engagement. Thanks so much, Jim.
O’Shea: Thank you.
Gardner:
And lastly, our appreciation goes out to our global audience for
joining us once again for this HP Discover Podcast discussion.
I’m
Dana Gardner, Principal Analyst at Interarbor Solutions, your host for
this ongoing series of HP-sponsored business success stories. Thanks
again for listening, and come back next time.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.
Learn more about prevention detection.
Transcript
of a BriefingsDirect podcast on how the strategy of dealing with
malware is shifting from reaction to prevention. Copyright Interarbor
Solutions, LLC, 2005-2014. All rights reserved.
You may also be interested in: