Raytheon is a $20 billion defense technology company with about 73,000 employees and customers from around the globe. Jeffrey Brown is CISO and director of infrastructure services for the firm, which means he’s responsible for traditional security functions in addition to metropolitan networks and WANs. “I have no one to blame if things don’t go right,” as he puts it. What has Brown most concerned these days is the onslaught of socially engineered attacks brought on by new spamming techniques. We talked to him about the next-generation tools required to combat such threats, as well as some of his techniques for fending them off in the meantime. He also discussed the challenges inherent in providing identity management in a large company that has to meet strict U.S. and international security standards.
Why did Raytheon lump responsibility for infrastructure services together with security in your job description?
The thought was, it’s an end-to-end process: A lot of security is dependent on the network architecture. The network architecture has to support the inbound and outbound traffic through the Internet gateways and must be integrated with security services.
What is the reporting structure? Are you part of the IT group?
Yes, Raytheon places a pretty high priority on IT security. I report directly to the CIO, and she reports to the CEO.
What are your more pressing security issues these days?
Without a doubt, the most pressing problem is the explosion of the socially engineered attack. [Ed note: Socially engineered attacks require the user to take some action, such as clicking on a URL, for the attack to succeed.] There have really been three different chains of events that have come together to make it a very different threat environment than we faced just a few years ago.
First, we’ve done a pretty good job closing down a lot of the traditional malware ingress points on our perimeter — the open ports and the open services. But we have to leave open e-mail and Web browsing to conduct business, there’s just no way around it. Add to that the emergence of botnets and the mass-mailer spamming techniques that botnets facilitate, packers that allow you to compress executable files, encryption techniques that obscure signatures that antivirus systems look for, and polymorphic coding techniques that allow attackers to automatically produce thousands of unique variations of malware — which for all intents and purposes are all zero-day attacks. When those things all come together, the result is this explosion of socially engineered attacks. It really fundamentally changes the battlefield. While our traditional, signature-based perimeter and desktop defenses are still absolutely necessary, I don’t think they’re sufficient any longer. The industry is still working to improve behavior-based techniques and detection systems to make them more scalable and portable.
Is this why I’m getting lots of spams these days that have a similar look to them but aren’t caught by my spam filter?
It is certainly a big part of it. Because they’re all just slightly different.
You say behavioral tools are still maturing. What kinds of things are you looking for in those tools?
The tools really have to detect what a piece of malware does on the system and the trail it leaves behind. There are behavior-based tools out there that purport to do that in real time, but there are none that seem to be able to catch it all and do it on a large scale.
So you’ve tried some of these tools?
We’ve experimented with them, yes. They all have a niche and can catch certain classes of events. But none of them so far tend to be broad enough.
What about filtering out certain types of e-mail attachments like JPEG and WMV files as a way to combat these threats? Is that a feasible or helpful thing to be doing?
It’s certainly helpful. Raytheon blocks quite a few file types, and we track the volumes pretty closely, between the ones that we block and those we don’t block. Anything that looks like it’s executable we’ll block wholesale. There’s no reason to pass an executable file as an attachment. So we block the whole range of executable files — EXE, DLL, there are probably a couple dozen. But you always have to balance your risk with your business requirements. As much as you may want to block files from applications with known vulnerabilities, you can’t simply block large classes of file types without stopping your business. You have to rely on whatever help antivirus can give you and user training to avoid opening attachments from untrusted sources.
Are there tools that let you block file types for some people but not others, to try to balance your risk with business requirements?
I suppose there’s a way you can do that with firewalls, either at the perimeter or on the desktop. But I’m not sure if it’s all that feasible or effective. The overhead in managing that would be tremendous. It would be more feasible to block a file type and let users know that they can get a trusted source to rename the file to a different file type. After all, the problem is not inherent to the file type. The problem is generally the fact that the file comes from untrusted sources and you open them out of curiosity.
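As an added example (not Raytheon's code or tooling), here is a small Python attachment screen that applies the wholesale block on executable extensions Brown describes and, because the file type is not inherent to the name, also inspects the file header so a Windows executable renamed to a permitted extension is still caught. The extensions beyond EXE and DLL, the hostnames and the sample message are constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions to refuse wholesale. EXE and DLL are the ones named in the
# interview; the rest are an illustrative assumption, not Raytheon's list.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}

# Windows PE executables (EXE, DLL, SCR, ...) begin with the DOS stub header "MZ".
PE_MAGIC = b"MZ"


def attachment_verdict(filename, payload):
    """Return ("block", reason) or ("allow", "") for one attachment.

    The extension check is the wholesale block the interview describes; the
    header check catches an executable that was renamed to get past it.
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return ("block", f"blocked extension {ext}")
    if payload[:2] == PE_MAGIC:
        return ("block", f"executable header in {filename!r} despite extension {ext or '(none)'}")
    return ("allow", "")


def screen_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, verdict, reason), ...]."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""   # always bytes
        verdict, reason = attachment_verdict(name, payload)
        results.append((name, verdict, reason))
    return results


def build_sample_message():
    """Constructed test message with three attachments (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Documents"
    msg.set_content("Please see the attached files.")
    # A renamed executable: PDF name, PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="quarterly.pdf")
    # An executable with its real extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    # A harmless text file.
    msg.add_attachment(b"meeting notes", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in screen_message(build_sample_message()):
        print(f"{verdict:5} {name:15} {reason}")
```

The header check is deliberately narrow (PE files only); a production gateway would sniff more formats and still rely on antivirus and user training for document types that the business cannot block, as the interview notes.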
What about disabling HTML e-mail — is that a realistic option?
We looked at that, but with an enterprise this size, we have a lot of outsourced functions that rely on HTML-formatted e-mail to get information to the employees. So we just really haven’t gone down that road. It hasn’t passed the cost-benefit test yet.
How important is it to filter outbound traffic, to find Trojans or bots that are sending things out?
We always filter, because there are certain things you just don’t want to go out. A server that has no business surfing the Web, you’d block that traffic from going out. But the biggest part of it is monitoring the outbound traffic.
Traffic analysis, which is really what you’re talking about, is where the industry has to go in today’s environment. With all these zero-day attacks, you have to assume that some percentage of them is going to be successful. That really places a premium on quickly detecting the command/control links going back out, and any other communications going back out, because you have to backtrack into the compromised computer. And that takes a lot of CPU power and it takes a lot of creative thinking and curiosity if you’re going to sort through all the proxy logs, DNS logs, netflows and even full-packet captures. It also places a big premium on knowing what’s normal in your network so you can pick out the malware from background noise. The current generation of security event managers are a big help. They fuse all the information and sort through the noise, then present — to the extent that they can — just the important alerts. They are a real step forward. But a lot of traffic analysis is brute force, stubby-pencil detective work, because the threats change so much and every piece of malware has different characteristics. You can’t just rely on the tool.
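An added example, not from the interview or from Raytheon, of the kind of outbound traffic analysis described above, in Python: it parses constructed proxy log lines, flags a server that has no business surfing the Web, and picks out a candidate command-and-control link by the regularity of its outbound requests against the irregular background of ordinary browsing. The log format, the hostnames and the `NO_WEB_HOSTS` inventory are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed inventory: hosts that have no business browsing the Web.
NO_WEB_HOSTS = {"10.0.5.20"}   # e.g. a file server

# Constructed proxy log, one request per line: "timestamp client dest status bytes".
# 10.0.1.15 is a user browsing; 10.0.1.42 contacts one host every ~300 s.
SAMPLE_PROXY_LOG = """\
2007-11-19T09:00:01 10.0.1.15 news.example.test 200 15230
2007-11-19T09:00:04 10.0.1.15 news.example.test 200 3311
2007-11-19T09:02:30 10.0.1.15 news.example.test 200 8800
2007-11-19T09:15:10 10.0.1.15 news.example.test 200 1200
2007-11-19T09:16:00 10.0.1.15 news.example.test 200 640
2007-11-19T09:00:00 10.0.1.42 beacon.example.test 200 312
2007-11-19T09:05:00 10.0.1.42 beacon.example.test 200 318
2007-11-19T09:10:01 10.0.1.42 beacon.example.test 200 312
2007-11-19T09:14:59 10.0.1.42 beacon.example.test 200 315
2007-11-19T09:20:00 10.0.1.42 beacon.example.test 200 312
2007-11-19T09:25:02 10.0.1.42 beacon.example.test 200 319
2007-11-19T09:03:15 10.0.5.20 news.example.test 200 2100
"""


def parse_log(text):
    """Yield (timestamp, client, dest, status, bytes) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, status, size = line.split()
        yield (datetime.fromisoformat(ts), client, dest, int(status), int(size))


def find_policy_violations(records):
    """Outbound Web requests from hosts that should never make any (the filter part)."""
    return sorted({(client, dest) for _, client, dest, _, _ in records
                   if client in NO_WEB_HOSTS})


def find_beacons(records, min_hits=5, max_cv=0.1):
    """Flag client/dest pairs whose request spacing is suspiciously regular.

    Ordinary browsing produces bursty, irregular gaps; a check-in loop
    produces near-constant ones.  The coefficient of variation (stdev / mean)
    of the gaps is a scale-free measure of that regularity.
    Returns [(client, dest, hits, mean_gap_seconds, cv), ...].
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _, _ in records:
        by_pair[(client, dest)].append(ts)
    flagged = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((client, dest, len(times), round(mean), round(cv, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_PROXY_LOG))
    for client, dest in find_policy_violations(recs):
        print(f"policy: {client} has no business reaching {dest}")
    for client, dest, hits, gap, cv in find_beacons(recs):
        print(f"beacon candidate: {client} -> {dest}, {hits} hits, ~{gap}s apart (cv={cv})")
```

The regularity test is only a starting point: a flagged pair still needs the "stubby-pencil" follow-up in DNS logs, netflows and packet captures, and the thresholds have to be tuned against what is normal on your own network.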
Comments (1)
RE: Defending the defense industry
By rashmi on November 20, 2007, 12:36 am
What identity management tool are you using? Is your application SSO enabled?