News

Experts Say Perimeter-Based Security Not Enough

• By Rutrell Yasin
• 12/08/2009

Protecting network systems from security threats will not get any easier in 2010, and the security community will have to address issues that haven't gotten a lot of attention in the past few years, according to security experts speaking at the Government Technology Research Alliance Council meeting.

Existing processes and technologies are not getting the job done because organizations and industry vendors are too focused on protecting network perimeters, said Amit Yoran, chief executive officer of NetWitness, at a luncheon Dec. 7. He is a former director of the U.S. Computer Emergency Readiness Team and the Homeland Security Department's National Cybersecurity Division.

Most IT security tools are signature-based, which means they focus on known threats and cannot meet the challenges of emerging advanced threats from criminal organizations and nation-state adversaries, Yoran said. In today's organizations, it is impossible to define where perimeters and boundaries are and where data is located.

"The security market is almost focused on network-layer activities, which is useless against advanced threats," he added.

Randy Vickers, the current director of US-CERT and DHS's National Cybersecurity Division, agreed that the security community must go beyond signature-based detection.

"We have to get more robust detection," Vickers said. Intrusion detection and other signature-based tools are limited because they force security operators to act on what they know, not what could be happening.

But there's a risk to moving to a more heuristic detection approach, which uses past experiences to make educated guesses about present network behavior. When organizations move into more behavior-based anomaly detection, they might collect sensitive data such as medical information, Social Security numbers or other information protected by rules or legislation, he said.

"I'm not talking about deep packet inspection but normal types of anomalous information," he said, adding that there is concern about how DHS and other agencies collect data. "If we can't get past those issues, we will never get to the point at the enterprise level where we are looking at things in a heuristic way."

DHS will focus on prioritizing threats, managing risks in cyberspace and encouraging security innovation in the coming year, Vickers said. Officials will emphasize building on programs that stress information sharing with security operations personnel and chief information officers, he said.

Meanwhile, Yoran offered his list of cyber threats that are bound to keep security experts awake at night. They include:

• Attacks that continue up the network stack, affecting applications.
  
  
• A continued focus on Web- and e-mail-based delivery of attacks. "We have no effective method to police or patrol Web traffic," he said.
  
  
• Custom malware.
  
  
• Increasing challenges in incident response. Attacks will attempt to shut down command and control channels.
  
  
• An expected increase in the prevalence of sleeper software.
  
  
• A rise in attacks that target mobile computing platforms.