Anthony O’Mara is the Vice-President of Trend Micro for Europe, the Middle East and Africa (EMEA). Mr O’Mara joined Trend Micro as European finance director and was quickly promoted to Finance and Operations Director for EMEA and then to his current role. Before Trend Micro, Mr O’Mara worked at Axent Technologies, prior to its acquisition by Symantec Corp., and at Sun Microsystems. He began his career at DHL Africa and is a graduate of Ennis College.
Security threats - and the organised criminals perpetrating them - have changed dramatically over the past few years, but the security industry’s response has hardly changed. In addition to traditional worms, viruses and Trojans, we now have to contend with spam, spyware, intelligent ‘botnets’, denial of service attacks and, now, Web-based multi-stage and multi-variant threats distributed over many hosts. A new approach to enterprise security is needed, and moving protection into the ‘cloud’ - onto the Internet - holds the key.
The nature of security threats - and the organised criminals perpetrating them - has changed dramatically over the past few years, but the security industry’s response has hardly altered to meet the new threats. If the industry continues with traditional endpoint security alone, it will soon be fighting a losing battle against the rising tide of increasingly sophisticated threats. Clearly, a new approach to enterprise security is needed, and moving protection into the ‘cloud’ - onto the Internet - holds the key, making the most of centralised computing power and increasing the efficiency and immediacy of the response for the user.

Trawling through the past decade of security threats, one sees a rapidly changing landscape. Ten years ago, threats were static in approach, perpetrated for the most part by hobbyists, and were dealt with by relatively simple responses: collect samples of malware, develop patterns from them, and circulate those patterns to the endpoints - the end users’ computers - so that the malware could be recognised there. Up to around 2001, viruses, worms and Trojans came to prominence in mass outbreaks such as Melissa, CodeRed, Snapper and Spammer. Hitting the headlines with significant global footprints, they were consequently relatively easy to recognise with pattern-based security products. Between 2001 and 2003 there was a huge rise in spam mass mailers, then spyware, and anti-spyware products were subsequently absorbed into mainstream security suites. In 2005 these threats were joined by intelligent ‘botnets’, created by infecting endpoints with malware which would themselves send spam, host malicious software or mount denial of service attacks. Again, scanning endpoints that might be infected with malware was enough to isolate and quarantine the problem. By the middle of 2007, however, a new type of ‘Web threat’ emerged - Web-based malware attacks that differ in a number of significant respects.
Coming right up to date, the game has now changed, and the traditional means of defence no longer hold in the face of the new foe.

New threats

Firstly, Web threats are multi-stage and multi-variant. What arrives might look like an innocuous email, but it contains a link that, when clicked, activates a downloader; the downloader in turn goes out to the Internet, tests the machine for vulnerabilities and retrieves further malware - a spambot, a denial of service bot or other rogue software. Multi-variant Web threats are difficult to detect by traditional heuristic or pattern scanning because they start out looking like one thing and then use the Internet to update themselves, changing form over time. Secondly, Web threats are distributed over many hosts, each carrying only a small part of the attack. No single part, seen on its own, looks like a threat; link them together and the serious threat is clear. Thirdly, Web threats are cross-protocol, using SMTP, multi-stage HTTP downloads and Web-based messaging to orchestrate their attacks. Finally, they use a blend of techniques to spread their payload, which potentially requires multiple layers of protection. At the same time, a major change in the motivation and organisation of cybercriminals has taken place, making it doubly difficult to track their activities. The age of the mass outbreak is largely over. Worm_Downad (Conficker), which in January of this year infected millions of computers through a Windows RPC vulnerability (the Server service flaw patched by Microsoft as MS08-067), was the first such outbreak for years. That is partly due to better patching and improved protection, but it is also a symptom of the changing motivation of cybercriminals. Today the major incentive for most of the cybercriminal underworld is financial reward - generating cash by taking control of machines, harvesting bank details and passwords, and perhaps passing those details on to other parties to exploit.
In this respect a mass outbreak is counterproductive to their aims: they do not want to be caught, and they do not even want to be noticed. Studies have revealed an underground digital economy that has sprung up around the trade in such attacks, with independent businessmen employing the services of malware vendors and working with anti-detection and toolkit vendors to hide their payloads from detection. They recruit botnet vendors and hackers to disseminate the malicious payloads. Prices on the black cyber market are surprisingly affordable, with just US$100 a day buying a distributed denial of service attack, while $1,000 can purchase 10,000 compromised PCs. The growth in the volume of malware, meanwhile, is phenomenal, rising from 1,738 unique samples in 1988 to 5.7 million in the first six months of last year alone, according to AV-Test.org. Currently we are seeing around 800 incoming threats per hour and, if they continue to grow at their current rate, by 2015 there will be as many as 26,500 per hour.

New challenges

The changing nature and burgeoning quantity of threats create a number of new challenges for security vendors, but the response of the security industry has hardly changed since products first found mainstream adoption over a decade ago. Traditional pattern matching might have become more frequent, with some vendors moving from weekly to hourly or even half-hourly updates, but it is still essentially an attempt to collect samples of malware and rapidly distribute patterns for them to endpoints. However, because of the nature of Web threats and the cybercriminals’ determination to go about their work undetected, it is becoming increasingly difficult to find a previous occurrence of what might even be a custom-tailored attack. Cybercriminals are also becoming more adept at producing huge numbers of malware variants with different delivery mechanisms.
This means, firstly, that pattern files searching for recognised signatures will get much bigger, increasing the demands on disk space, memory and CPU at the endpoint. Secondly, their deployment will take far longer and eat up huge amounts of bandwidth. Most worryingly, perhaps, even if update files could still be deployed, the disruption for the user while the pattern files update themselves and crunch through all the data would be so severe that users’ machines would regularly slow to a halt. By 2015, if we continue with the current approach to endpoint security, the deployment overhead for IT operations in a large enterprise will simply be too much. A single pattern file update could take more than five hours to deploy through a company with 250,000 global employees, which is hardly a speedy response to what could be a business-critical threat. With companies receiving updates up to eight times a day, and many large organisations testing pattern files in a controlled environment before deploying them across the corporate network, the challenge of keeping up with the latest pattern file updates looks impossible. Network administrators would spend all their time managing updates, networks would be crippled by the constant updating activity and endpoint performance would be compromised. That is to say nothing of remote or mobile workers, who may not receive the updates until several days after they have been issued. Clearly a new response is needed, one that makes the most of the latest computing technologies and resources. The answer lies in transferring the burden of storage and detection intelligence to the cloud. This keeps resource usage at the endpoint minimal, makes traffic flows over the network consistent, allows new threats to be handled immediately and increases awareness of localised threats.
The approach is a hybrid one: some threats will be caught at the gateway through suspect IP addresses or blocked senders, and some locally through signature recognition. Although we talk about the cloud, a large enterprise will still keep a local copy of the threat database, so that the end user does not pay the round-trip latency of a cloud lookup on every query and coverage does not lapse when the cloud is unreachable.

Protection network in action

A current cloud-client ‘smart protection network’ (SPN) consists of three elements - email, Web and file reputation management - together with correlation between events and a customer feedback loop. It maintains a global network of threat intelligence data that examines more than 50 million suspect IP addresses and URLs a day and, in total, processes more than five billion requests a day, providing protection against all types of threats, including new-style Web threats. It is the combination of the three elements that makes an SPN so effective at capturing Web threats: the network can correlate different events, such as a significant number of emails containing adware that point to the same suspect link, or a suspect URL that downloads a piece of software which is later identified as malware. The correlation between the different occurrences builds up a global picture and ultimately makes for a better threat database. The SPN also uses global feedback loops to track back from a security threat and isolate its cause, linking together research centres, customers, and products and services. So, for example, if a spam email points to a suspect URL that is later linked to an occurrence of malware, the email is blocked at the local gateway, the URL is blacklisted in the Web reputation database and the file pattern is uploaded to the file reputation database. An SPN is sometimes compared to an online version of the Neighbourhood Watch scheme, where citizens constantly look out for each other and head off trouble before it occurs.
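The mechanics described above (three reputation tables, correlation between email, Web and file events, a feedback loop that traces a late verdict back to its source, and a local cache in front of the cloud lookup) can be shown in a toy model. The following is an added illustration written for this page, not Trend Micro’s code or protocol; the class and method names, the spam-count threshold, the generation-stamped cache and the sample events are all invented for the example.

```python
"""Toy cloud-client reputation network: email, web and file reputation
tables, correlation between them, and a feedback loop that back-propagates
a late file verdict. Added illustration, not Trend Micro's code; all names,
thresholds and sample events below are made up for the example."""
from collections import defaultdict


class ReputationNetwork:
    """The 'cloud' side: three reputation tables plus the linkage graph
    built from telemetry, so one verdict can be correlated across them."""

    def __init__(self, spam_threshold=3):
        self.bad_senders = set()              # email reputation
        self.bad_urls = set()                 # web reputation
        self.bad_hashes = set()               # file reputation
        self.spam_count = defaultdict(int)    # url -> spam messages linking to it
        self.url_senders = defaultdict(set)   # url -> senders that mailed it
        self.hash_urls = defaultdict(set)     # file hash -> urls that served it
        self.spam_threshold = spam_threshold  # assumed cut-off, not a real figure
        self.generation = 0                   # bumped whenever any table changes

    def _flag(self, table, key):
        if key not in table:
            table.add(key)
            self.generation += 1

    def observe_email(self, sender, url, is_spam):
        """Gateway telemetry: a message from sender carried a link to url.
        Many spam messages pointing at one link make the link itself suspect."""
        self.url_senders[url].add(sender)
        if is_spam:
            self.spam_count[url] += 1
            if self.spam_count[url] >= self.spam_threshold:
                self._flag(self.bad_urls, url)

    def observe_download(self, url, sha256):
        """Web telemetry: url served a file with this hash. A file pulled
        from an already-blacklisted URL is treated as bad immediately."""
        self.hash_urls[sha256].add(url)
        if url in self.bad_urls:
            self._flag(self.bad_hashes, sha256)

    def file_verdict(self, sha256):
        """Feedback loop: a research verdict arrives for a file. Trace back
        to every URL that served it and every sender that mailed those URLs."""
        self._flag(self.bad_hashes, sha256)
        for url in self.hash_urls[sha256]:
            self._flag(self.bad_urls, url)
            for sender in self.url_senders[url]:
                self._flag(self.bad_senders, sender)

    def lookup(self, kind, key):
        table = {"email": self.bad_senders,
                 "web": self.bad_urls,
                 "file": self.bad_hashes}[kind]
        return "block" if key in table else "allow"


class Endpoint:
    """Client side: a local cache in front of the cloud lookup. Entries are
    stamped with the cloud generation, so any new verdict invalidates stale
    answers (a real client would use TTLs or delta updates instead of
    refetching after every change; this is the simplest correct scheme)."""

    def __init__(self, cloud):
        self.cloud = cloud
        self.cache = {}
        self.cloud_queries = 0  # counts simulated round-trips to the cloud

    def check(self, kind, key):
        entry = self.cache.get((kind, key))
        if entry is None or entry[0] != self.cloud.generation:
            self.cloud_queries += 1
            entry = (self.cloud.generation, self.cloud.lookup(kind, key))
            self.cache[(kind, key)] = entry
        return entry[1]


def demo():
    """Constructed scenario: spam campaign -> link -> dropper -> late verdict."""
    cloud = ReputationNetwork()
    ep = Endpoint(cloud)
    url = "http://example.invalid/update.exe"      # made-up link
    dropper = "a" * 64                             # made-up SHA-256
    # Two spam messages: below the threshold, so the link is still allowed.
    cloud.observe_email("spam1@example.invalid", url, is_spam=True)
    cloud.observe_email("spam2@example.invalid", url, is_spam=True)
    before = (ep.check("web", url), ep.check("email", "spam1@example.invalid"))
    # The link serves a dropper nobody has a pattern for yet.
    cloud.observe_download(url, dropper)
    # Later, research tags the dropper as malware: everything linked is blocked.
    cloud.file_verdict(dropper)
    after = (ep.check("web", url),
             ep.check("email", "spam1@example.invalid"),
             ep.check("file", dropper))
    return before, after
```

The point of the toy is the direction of the flow: the endpoint never receives a pattern file; it asks a question and caches the answer, and a single file verdict on the cloud side is enough to turn the sender and the URL that led to that file from "allow" to "block" on the next lookup.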
The days of the police officer on the beat trying to patrol every street, blowing his whistle and racing to the scene after the crime has happened are long gone. The SPN is a new approach that takes advantage of the latest technologies; traditional approaches are already being stretched to the limit, and the situation is only going to get more challenging.