Technology is having a profound influence in ways that seemed almost impossible just 25 years ago. Today, businesses are leveraging the power of the Internet to penetrate new markets and reach new customers. Technology is improving the delivery of healthcare, as doctors use PDAs to view a patient's vital signs and lab reports, or even to prescribe medication. The digital, network-enabled home is also changing the image of “home sweet home,” making it an extension of the wired world, with central, Web-enabled command centers controlling many home functions.
However, while technology continues to create new opportunities for businesses and individuals, it has also created risk. Individuals and organizations are fending off an ever-increasing variety of Internet threats on a daily basis. In fact, more than 100 new viruses and nearly 60 new software vulnerabilities are discovered weekly. Symantec's most recent Internet Security Threat Report, the industry's most timely and comprehensive review of cyber security activity, documented a 19 percent increase in attack activity during the first half of 2003; that's almost one attack per day more for the average user. Also on the rise are blended threats, which combine hacking, denial of service, and worm-like propagation.
Today's threats are more sophisticated, more aggressive, and spread faster than ever before. Last summer, companies and individuals had to deal with four high-impact threats in the span of eight days. Attackers are also turning up the heat, as the time from discovery of a vulnerability to its exploit is rapidly shrinking. For example, the Slammer worm of January 2003 attacked a vulnerability that had been discovered six months earlier, but the more recent Blaster worm exploited a vulnerability that was found just 26 days earlier.
At this critical juncture, it is essential that businesses and individuals collectively take action to protect cyber space. If not, the promise of a truly wired, connected world may never be realized.
Protecting cyber space calls for a holistic security strategy that includes four critical elements. First, an alert system must provide early warning against new and emerging threats. Second, the right technologies must be implemented across all tiers to protect critical application data and devices. Third, a plan must be set in place to respond when the inevitable attack occurs. And fourth, a comprehensive system must be established to manage the ongoing process of securing the infrastructure.
The best way to protect a network against any threat is to know about the threat and the vulnerability it exploits before an attack is launched. A cyber alert system should provide an early warning against emerging attacks. It should also provide actionable information on how to protect the environment against the impending attack. Moreover, this information must be customized so it is relevant to the environment and prioritized so it can be acted upon immediately.
Once an early warning system is in place, organizations then must make sure to protect their key assets. Organizations have traditionally addressed protection by implementing a number of point products that all work independently. However, with this approach, each product must be installed and updated individually as well, creating an unmanageable nightmare.
Although no single technology can adequately protect against today's complex threats, an integrated approach to security can help eliminate the challenges of point products and deliver a more comprehensive solution. Such an approach focuses less on the individual protection technologies and more on the tiers of the system's architecture: the focus shifts to the gateway, application server, and client levels rather than to picking a firewall or an intrusion sensor. Doing so creates a “defense-in-depth” solution that allows us to manage the total environment, not the individual security applications.
Because of the dynamic nature of today's threats, organizations must be prepared to respond when an attack penetrates their defenses. An effective response plan starts with intelligence about the attack, countermeasures to address it, and details on how to clean up any damage. Also essential is 24×7 support for mission-critical security products, including automatic updates to firewall rules, virus definitions, and intrusion signatures.
With all of the intelligence being generated by security solutions throughout an organization, businesses must have a way to effectively manage their security infrastructure. This means quickly correlating information, simplifying it, and prioritizing any necessary action. Management can become particularly challenging in environments hosting disparate products from multiple vendors, where each device generates its own overflow of data. In the average-sized company, millions of log entries and alerts are produced each month by firewalls and intrusion detection sensors installed across the enterprise. Yet, very few of these represent security threats requiring analysis, and fewer yet pose a risk critical enough to demand immediate action.
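As an added illustration of the correlate, simplify and prioritize step described above (example code, not the article's or any Symantec product's): it ingests constructed firewall and IDS log lines in two invented vendor formats, normalises them into one schema, groups them by source address, and ranks sources so that one reported independently by several devices against several targets rises above the mass of isolated denies. The log formats, severity scale and weights are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in two invented formats (one per vendor).
FIREWALL_LOGS = [
    "2003-08-11 10:00:01 fw1 DENY TCP 203.0.113.7:4411 -> 192.0.2.10:135",
    "2003-08-11 10:00:02 fw1 DENY TCP 203.0.113.7:4412 -> 192.0.2.11:135",
    "2003-08-11 10:00:03 fw1 DENY TCP 203.0.113.7:4413 -> 192.0.2.12:135",
    "2003-08-11 10:00:09 fw1 DENY UDP 198.51.100.5:53 -> 192.0.2.10:1434",
    "2003-08-11 10:00:10 fw2 DENY TCP 198.51.100.9:2000 -> 192.0.2.50:80",
]
IDS_LOGS = [
    "Aug 11 10:00:04 ids1 ALERT [high] RPC DCOM overflow attempt src=203.0.113.7 dst=192.0.2.13",
    "Aug 11 10:00:11 ids1 ALERT [low] ICMP ping sweep src=198.51.100.9 dst=192.0.2.50",
]

FW_RE = re.compile(r"^\S+ \S+ (?P<dev>\S+) DENY \S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")
IDS_RE = re.compile(r"^.*? (?P<dev>\S+) ALERT \[(?P<sev>\w+)\] (?P<sig>.+?) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$")
SEVERITY = {"low": 1, "medium": 2, "high": 3}   # assumed IDS severity scale


def parse_events(fw_lines, ids_lines):
    """Normalise both formats into one event schema: device, src, dst, score, note."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:   # a single denied packet is low value on its own
            events.append({"dev": m["dev"], "src": m["src"], "dst": m["dst"],
                           "score": 1, "note": f"deny to port {m['port']}"})
    for line in ids_lines:
        m = IDS_RE.match(line)
        if m:   # IDS signatures carry their own severity, weighted higher
            events.append({"dev": m["dev"], "src": m["src"], "dst": m["dst"],
                           "score": 2 * SEVERITY.get(m["sev"], 1), "note": m["sig"]})
    return events


def correlate(events):
    """Group by source address and rank: summed severity, plus bonuses when one
    source touches several targets or is reported by several independent devices."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    ranked = []
    for src, evs in by_src.items():
        targets = {e["dst"] for e in evs}
        devices = {e["dev"] for e in evs}
        priority = sum(e["score"] for e in evs) + 2 * (len(targets) - 1) + 3 * (len(devices) - 1)
        ranked.append({"src": src, "priority": priority, "targets": len(targets),
                       "devices": sorted(devices), "notes": sorted({e["note"] for e in evs})})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)
```

The analyst's queue is the returned list, highest priority first; a source that only appears in one device's log with one target keeps the baseline score and sinks to the bottom.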
The strength of this four-point security methodology is its holistic approach to covering all important security criteria. It surpasses narrow viewpoints centered on one particular aspect of protection, such as firewalls or perimeter defense, and focuses instead on the core competencies required to block today's increasingly sophisticated threats.
Emerging Threats and Solutions
As the threat landscape continues to evolve, more sophisticated threats will move at even faster speeds. For example, “Warhol threats” will likely emerge with the ability to spread across the Internet and infect all vulnerable servers in less than 15 minutes. Beyond that, “flash threats” are predicted to spread across the Internet in less than 30 seconds.
The time between the discovery of a vulnerability and the release of an exploit will also continue to shrink, introducing “day-zero threats.” This type of threat exploits a previously unknown and therefore unprotected vulnerability, increasing the likelihood that a vulnerability and its exploit will appear on the same day.
These threats are fundamentally unstoppable by some of today's reactive security solutions. Future technology investments should focus on proactive security solutions that can detect and block new attacks on the fly at the host, network, and application layers. Emerging technologies such as host-based intrusion prevention, generic exploit blocking, and protocol anomaly protection promise more proactive protection against these new threats.
Host-based intrusion prevention, or behavior blocking, monitors programs on a server, observing how they work and interact with the rest of the computer; when a program attempts malicious behavior, it is stopped before it can cause damage.
Generic exploit blocking enables organizations to roll out fingerprints to secure critical vulnerabilities the moment they are announced. Once that fingerprint is deployed, the generic exploit blocking system prevents likely future attacks against the vulnerability, obviating the need for a rush to patch during the critical attack window.
Protocol anomaly protection, running at the network layer and on the host, can help stop day-zero threats. Just as sunglasses let the good light in and keep harmful UV rays out, this technology allows legitimate network traffic through while blocking traffic that does not meet the criteria of the organization's security policies.
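An added example (not from the article or any Symantec product) of the policy-based filtering that protocol anomaly protection applies: a small HTTP/1.x request-head checker driven by an assumed local policy of allowed methods, versions and line lengths. It passes a well-formed request and flags overlong lines, unexpected methods, control characters in headers and a missing Host header, without needing a signature for any particular exploit.

```python
import re

POLICY = {   # assumed local policy for a legitimate HTTP/1.x request head
    "methods": {"GET", "HEAD", "POST"},
    "versions": {"HTTP/1.0", "HTTP/1.1"},
    "max_request_line": 2048,
    "max_header_line": 1024,
}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
HEADER_LINE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*)$")


def check_request(raw, policy=POLICY):
    """Return the list of policy violations; an empty list means the request passes."""
    problems = []
    try:
        head = raw.decode("ascii").split("\r\n\r\n", 1)[0]
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    lines = head.split("\r\n")
    request_line, headers = lines[0], lines[1:]
    if len(request_line) > policy["max_request_line"]:
        problems.append("request line too long")
    m = REQUEST_LINE.match(request_line)
    if not m:
        problems.append("malformed request line")
    else:
        method, _target, version = m.groups()
        if method not in policy["methods"]:
            problems.append(f"method {method} not allowed")
        if version not in policy["versions"]:
            problems.append(f"version {version} not allowed")
    names = set()
    for h in headers:
        if len(h) > policy["max_header_line"]:
            problems.append("header line too long")
        hm = HEADER_LINE.match(h)
        # control characters other than a tab never belong in a header line
        if not hm or any(ord(c) < 32 and c != "\t" for c in h):
            problems.append("malformed header line")
            continue
        names.add(hm.group(1).lower())
    if m and m.group(3) == "HTTP/1.1" and "host" not in names:
        problems.append("HTTP/1.1 request without Host header")
    return problems


# Constructed sample requests: one conforming, three anomalous.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: test\r\n\r\n"
OVERLONG = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ODD_METHOD = b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BINARY_HEADER = b"GET / HTTP/1.1\r\nHost: \x01www.example.com\r\n\r\n"
```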
Another new frontier for security solutions is the application level. Databases hold the most critical information in an organization (credit card numbers, financial information, and health records), and a single compromise can devastate a business. Moving forward, it will be critical to deploy security solutions tailored to specific, high-value business applications. By integrating directly with each business application, security solutions can achieve the level of visibility and control required to effectively protect these systems.
Protecting the Future
To realize the full potential of a securely connected world, we must create an attitude, or culture, of security. First, the industry must build security into application design from the beginning. That means writing bulletproof code and shipping products that are secure out of the box. Next, we need to realize that there is no fundamental difference between the wired and the wireless world. With that in mind, wireless security policies should be integrated into existing IT policies rather than developed separately.
Beyond that, we need to raise awareness of security. Enterprises need to understand that they should secure multiple layers with multiple technologies, and small businesses and consumers should understand the simple steps they can take to secure their PCs and networked devices. Once we're successful in establishing this culture of security, businesses and individuals will trust that technologies are secure and will be quicker to embrace new ones. Then the future will be full of endless possibilities.
John W. Thompson is Chairman and CEO of Symantec Corp. If you would like to contact Symantec regarding this article, please send email to Melissa Martin, public relations manager, at [email protected]