Security Products That Fend Off Network Attacks Demonstrated at Black Hat
Two new products aimed at network attack prevention were demonstrated at the recently adjourned Black Hat 2012 network security conference in Las Vegas. One product discovers likely avenues for cyber-attacks before they happen and the other attempts to isolate the network from malware.
Security software company FireMon applies network monitoring in its Security Manager 6.0, released in June and demonstrated at Black Hat. Using technology it licensed from MIT Lincoln Labs, a research laboratory at the Massachusetts Institute of Technology, FireMon Security Manager takes a "risk picture" of an enterprise network, said Jody Brazil, president and chief technology officer at FireMon, which monitors network configuration changes that can create vulnerabilities.
That picture is generated by monitoring all the firewalls, intrusion prevention systems (IPS), router and switch security tools, and other systems. In particular, FireMon watches for configuration changes that, if not done right, can create flaws in network security that cyber-criminals can exploit.
"The challenge comes in that no matter how great the technology is, it's all about how effectively it's configured," he said. "It's a bit of an effort, an operational effort, to make sure that you're diligently doing everything correctly."
FireMon integrates with existing vulnerability assessment tools from companies like NCircle, Qualys and Nexus, Brazil explained, as well as with network firewalls from vendors such as CheckPoint, Cisco Systems or Juniper. It aggregates data from all those systems and prioritizes which threats should be remediated first.
"We quite literally give you a road map of how an attacker could exploit your network. And with that information, we calculate a risk to your network," he said, adding that FireMon prioritizes which problems should be addressed first based on the value of the asset at risk, the severity of the threat and other factors.
While many vendors are playing defense against cyber-threats, another vendor, Invincea, is trying to turn the tables on the bad guys.
Invincea offers a virtual desktop in which the Web browser, documents such as PDFs and the Microsoft Office suite of productivity software are bundled into a virtual bubble that is isolated from the underlying operating system.
The virtual bubble is intended to thwart infections of a network that are delivered via spearfishing, in which a user is tricked into clicking on a link or opening an attachment in an email that releases malware into the system. The emails are carefully crafted to connect with the target, said Anup Ghosh, CEO of Invincea. Popular choices are messages purportedly coming from the user's own human resources department requesting action be taken on a choice of employee benefits or a fake message from the company CEO inviting the employee to connect with them on LinkedIn.
But when a phishing email is opened in the Invincea system, the virtual environment traps the malicious code and prevents it from attacking the underlying OS and the wider enterprise network, Ghosh said.
"Because we put that browser in a virtual environment, when that malicious code downloads, the file system and the virtual environment are separate from the desktop operating system," he said. "We simply throw out the virtual environment and bring back a brand new clean one."
The Invincea solution goes further, though, by performing forensic analysis of the malicious code that is in the virtual bubble in an effort to identify the malware code and perhaps the cyber-criminal who created it, he said, thus turning the hunter into the hunted.
"We've taken the infection agent, we've put it in a fishbowl and it's swimming around in this fishbowl not knowing that it's been virtualized, not knowing that it's in a fishbowl. It thinks it's in the ocean," Ghosh said.