The long view of security strategies for your network.
Sometimes it seems that we are looking at cyberattacks through pinhole cameras. We apply separate tools to monitor attacks on our perimeters (firewalls and intrusion detection/prevention systems), attacks mediated through malware (antimalware products), attacks mediated by deception (antiphishing solutions) and attacks on data in motion (traffic analysis and logging for networks) and on data at rest (system and application logging). Each component contributes valuable information but we rarely seem to correlate all the data into coherent cyber situational awareness.
I was reading an interesting essay about the importance of unified content security recently by Andrew Philpot, vice president of sales for the UK and Ireland at Websense, makers of integrated Web security, data security and e-mail security products. His basic argument, supported with research from his own firm's research labs, is that "Unified content security allows businesses to manage risk without hindering legitimate business operations. Such a system understands the role that 'context' plays in the security decision-making process; it reaches across multiple communication channels, content categories, and usage scenarios to recognise potential security threats. It covers both external and internal security threats, preventing the loss or misuse of business data just as effectively as it stops traditional malware or perimeter security attacks."
As I was reading some of the details of Mr Philpot's essay, I looked up a research article by Chenfeng Vincent Zhou, Christopher Leckie, and Shanika Karunasekera of the Department of Computer Science and Software Engineering at the University of Melbourne in Victoria, Australia. "A survey of coordinated attacks and collaborative intrusion detection" [Computers & Security 29(1):124-140 (Feb 2010)] is summarized as follows in their abstract:
Coordinated attacks, such as large-scale stealthy scans, worm outbreaks and distributed denial-of-service (DoS) attacks, occur in multiple networks simultaneously. Such attacks are extremely difficult to detect using isolated intrusion detection systems (IDS) that monitor only a limited portion of the Internet. In this paper, we summarize the current research directions in detecting such attacks using collaborative intrusion detection systems (CIDS). In particular, we highlight two main challenges in CIDS research: CIDS architectures and alert correlation algorithms. We review the current CIDS approaches in terms of these two challenges. We conclude by highlighting opportunities for an integrated solution to large-scale collaborative intrusion detection.
The authors begin with a survey of several coordinated attacks such as the SQL-Slammer worm of 2003 and the Storm worm of 2007. These attacks are typically "extremely difficult to detect since the evidence of the attacks is spread across multiple network administrative domains." The researchers continue, "In order to detect these types of large-scale coordinated attacks, we need the ability to combine the evidence of suspicious network activity from multiple, geographically distributed networks." They argue that CIDSs are essential because they allow evidence gathered concurrently from multiple sources to be combined. They also argue for immediate (real-time) processing rather than post hoc analysis of larger data volumes because "although coordinated attacks may be easier to detect at a later stage when the volume of attack traffic is large, the utility of intrusion detection would be diminished because by that stage the damage has been done."
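The survey's core point can be shown in a few lines of code. The following is an added example, not code from this column or from the Melbourne paper: three administrative domains each see only a couple of probes from one source, so no isolated IDS reaches its scan threshold, while a correlator that pools the alerts from all three domains does. The alert records, the IP addresses and the distinct-target threshold are all constructed for the illustration.

```python
"""
Added example (not from the column or the cited survey): an isolated IDS that
sees only its own domain's alerts misses a scan that is spread thinly across
several domains, while a collaborative correlator that pools the alerts from
every domain applies the same threshold and catches it.
All sensor data below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample alerts: (domain, source_ip, destination_ip, dest_port).
# Each domain sees just two low-rate probes from 198.51.100.7 (a documentation
# range), plus some unrelated noise from other sources.
SAMPLE_ALERTS = [
    ("net-A", "198.51.100.7", "10.1.0.5", 22),
    ("net-A", "198.51.100.7", "10.1.0.9", 22),
    ("net-A", "203.0.113.4", "10.1.0.3", 80),
    ("net-B", "198.51.100.7", "10.2.0.11", 22),
    ("net-B", "198.51.100.7", "10.2.0.12", 22),
    ("net-C", "198.51.100.7", "10.3.0.2", 22),
    ("net-C", "198.51.100.7", "10.3.0.8", 22),
    ("net-C", "203.0.113.9", "10.3.0.8", 443),
]

# Assumed detection rule: a source is flagged as scanning once it has probed
# this many distinct hosts. The value is chosen for the illustration.
SCAN_THRESHOLD = 5


def isolated_detections(alerts, threshold=SCAN_THRESHOLD):
    """Each domain's IDS counts distinct targets per source using only its own alerts."""
    targets = defaultdict(set)  # (domain, src) -> set of destination hosts
    for domain, src, dst, _port in alerts:
        targets[(domain, src)].add(dst)
    return sorted({src for (_domain, src), dsts in targets.items() if len(dsts) >= threshold})


def collaborative_detections(alerts, threshold=SCAN_THRESHOLD):
    """A CIDS correlator pools alerts from every domain before applying the same threshold."""
    targets = defaultdict(set)  # src -> set of destination hosts across all domains
    for _domain, src, dst, _port in alerts:
        targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    print("isolated IDS flags:      ", isolated_detections(SAMPLE_ALERTS))       # []
    print("collaborative CIDS flags:", collaborative_detections(SAMPLE_ALERTS))  # ['198.51.100.7']
```

The same source stays under the threshold in every single domain (two targets each) but reaches six distinct targets once the three domains' alerts are correlated, which is exactly the evidence-combining step the authors say isolated sensors cannot perform.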
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.