
Two Tools to Hold Off Hackers

A growing number of companies are getting hacked: Sixty-four percent of organizations in 2009, compared to 50 percent the year before, said they had their networks breached, according to a recent Computer Security Institute study.

Many analysts attribute this trend to the growing sophistication and frequency of malware and hacking attacks. The problem is exacerbated by the complexity of software and systems; IT managers acknowledge the daunting nature of properly configuring and maintaining defenses across diverse and complex corporate networks.

Take firewalls, a central network defense. Many organizations have hundreds of them, sometimes spread across far-flung locations. The same companies have to keep up with hundreds and maybe thousands of configuration changes monthly. The result is frequent misconfigurations and policy and compliance failures, says Eric Maiwald, a vice president and research director at the Utah-based Burton Group. Manually examining configuration changes and the accompanying tickets, or orders, driving the changes, would be almost impossibly time-consuming, he says. Firewall misconfigurations are a big network security risk, he says.

It is also critical to understand network traffic flows. Hackers are growing increasingly adept at hiding traffic through common ports such as 80, typically reserved and kept open for Web traffic. They are also avoiding many existing detection techniques by encrypting their traffic, for instance.

Many networks are also plagued by botnets. Such malicious code can be hard to detect as it enters a network, often combining methods such as network sniffing and e-mail attachment-borne malware. It is most detectable when ordered to act by remote Command and Control (CaC) servers.

There are ways to improve the odds against attacks, however, and to ease system security maintenance. One way of shoring up ongoing firewall deficiencies is with increasingly popular firewall management tools. With a relatively simple scan, IT managers can see how their firewalls comply with company policy and regulatory guidelines. Managers can also view audit-ready reports on regulations related to best practices, such as the Payment Card Industry (PCI) Standards, and laws, such as Sarbanes-Oxley, concerning the security of third-party financial information. The newest versions of such tools can scan for problems on an ongoing basis and also produce “what if” scenarios, helping IT staff avoid configuration mistakes.

A separate type of network security tool that focuses on network traffic concerns network behavior analysis (NBA) devices. Also growing in popularity, such tools look for anomalies in traffic crossing an organization’s perimeter; they also may look at traffic within an organization. NBA tools can produce alerts and can be set to automatically block traffic that is headed to a suspect internet protocol (IP) address, for example.

In choosing any new tool, IT managers need to consider overall cost benefits and how the new application will affect the entire business, says Forrester Research senior analyst John Kindervag. Managers should aim to make an IT department’s life easier, he says, and avoid buying products “just because [they are] the cool one of the day.”

One company, Israel-based AlgoSec, produces a firewall management tool called AlgoSec Firewall Analyzer (AFA); the new FireFlow component can monitor firewalls continuously. Another company, Lancope, of Atlanta, makes an NBA tool called StealthWatch. It is adding functionality such as improved traffic detection, the ability to monitor virtual environments, and a new antibot capability. Following are highlights of how two companies have implemented these separate solutions.

Plugging Leaks

For Ruza Manojilovic, the decision to start looking for a firewall management solution a couple years ago was driven by PCI compliance. Manojilovic, manager of security operations at Teranet, a Canada-based provider of e-services, had some familiarity with the AFA tool; it had been used by Teranet’s external auditor, Bell Canada.

Security was also an issue. The organization’s networking group, part of the larger IT department, had to make regular changes to Teranet’s 15 firewalls. Many of the changes were access-related, Manojilovic says. Certain support staff might need to access servers, such as those used by the company’s software development employees, for just a week or two, for instance. Such staff might need privileges that would ordinarily be part of another “firewall group.” Firewall rules could also change when a server was added or decommissioned. Such changes sometimes resulted in rules that were invalid or expired, however. Manually checking policies would have involved sifting through masses of data, Manojilovic says.

Manojilovic had seen the AFA solution in use and knew it was not very complicated to work with. She also liked that it could produce concise PCI and other regulatory reports. She wanted to ensure PCI compliance on an ongoing basis and tighten security by regularly running the tool herself.

Though she knew that it was easy to use, Manojilovic was surprised by how simple the solution was to set up. The most time-consuming part was the initial scan, which lasted several hours and gathered information on firewalls, ports, and routers. There was virtually no customization, she says.

Manojilovic now runs a scan and reads reports, taking several hours, about every other week. The reports produce an alert if changes appear to conflict with company and regulatory policies. Manojilovic compares the alerts to a separate spreadsheet she maintains that lists all the tickets, or change orders. She has yet to find any “major” security flaws, she says, but has identified open ports that should have been closed. External auditors would sometimes alert her to potential problems, telling her, for example, that too many employees appeared to have access to certain servers; Manojilovic would investigate and possibly fix the situation. But with AlgoSec, she can be more proactive and, “on top of [possible problems] much faster.”
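The kind of check described above and in the earlier paragraph on temporary access rules, reduced to a small script: each firewall rule is tied to the change ticket that authorised it, and the audit flags rules whose temporary access has expired, rules with no ticket, rules whose ticket records a decommissioned target, and rules that open a port the policy forbids. This is an added illustration written for this article, not AlgoSec's or Teranet's code; the rules, tickets, ticket statuses and the forbidden-port policy are all constructed sample data.

```python
from datetime import date

# Constructed sample rules (not Teranet's real configuration). Each rule
# carries the change ticket that authorised it and, for temporary access,
# the date on which that access was supposed to end.
RULES = [
    {"id": 1, "src": "support-net", "dst": "dev-servers", "port": 22,
     "ticket": "CHG-101", "expires": date(2010, 1, 15)},   # one-week access
    {"id": 2, "src": "any", "dst": "web-dmz", "port": 80,
     "ticket": "CHG-102", "expires": None},
    {"id": 3, "src": "any", "dst": "db-servers", "port": 23,
     "ticket": None, "expires": None},                      # no ticket, telnet
    {"id": 4, "src": "any", "dst": "old-app", "port": 443,
     "ticket": "CHG-090", "expires": None},                 # server is gone
]

# The change-order spreadsheet, keyed by ticket id (constructed sample data).
TICKETS = {
    "CHG-101": {"status": "closed"},
    "CHG-102": {"status": "approved"},
    "CHG-090": {"status": "decommissioned"},
}

# Hypothetical policy: cleartext management ports never open to "any".
FORBIDDEN_PORTS = {21, 23}


def audit_rules(rules, tickets, today_iso, forbidden_ports=FORBIDDEN_PORTS):
    """Return (rule_id, finding) pairs: the alerts an operator would then
    reconcile against the ticket spreadsheet. today_iso is 'YYYY-MM-DD'."""
    today = date.fromisoformat(today_iso)
    findings = []
    for r in rules:
        if r["expires"] is not None and r["expires"] < today:
            findings.append((r["id"], "expired temporary access"))
        if r["ticket"] is None:
            findings.append((r["id"], "no change ticket"))
        elif r["ticket"] not in tickets:
            findings.append((r["id"], "unknown ticket %s" % r["ticket"]))
        elif tickets[r["ticket"]]["status"] == "decommissioned":
            findings.append((r["id"], "target decommissioned, rule still live"))
        if r["port"] in forbidden_ports and r["src"] == "any":
            findings.append((r["id"], "forbidden port %d open" % r["port"]))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES, TICKETS, "2010-03-01"):
        print("rule %d: %s" % (rule_id, finding))
```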

She says AFA is one of the easiest tools she has ever used. The only simpler solution might be the company’s endpoint antivirus program, she says. AlgoSec’s interface is intuitive, graphical, and “pretty to look at,” Manojilovic says.

When she was interviewed for this piece, her staff was in the process of setting up AFA’s new component, FireFlow, which will include change-management capabilities. Company IT staff will be able to monitor whether any firewall configurations are out of place. Staff can also test the results of possible changes; FireFlow examines every potential packet a firewall or router may encounter, according to AlgoSec. FireFlow will help staff avoid mistakes and learn about company network security more quickly, she says. It will also improve workflow, freeing up some time for her busy staff.

She also says that both she and the networking side plan to eventually integrate another recent AlgoSec module that lets companies integrate the ticketing process into the products. This should dramatically reduce paper work and simplify the process of comparing report alerts to planned configuration changes.

It is difficult to estimate cost savings, she says, as value depends partly on how often the tool is used as well as on intangible security benefits. But she guesses she could be saving about $10,000 a year, mainly by saving the cost of external auditing and potentially reducing internal labor time. AlgoSec appliances come in two varieties, model 1020 (for handling 150 firewalls) and 1080 (for handling 1,000). Prices vary depending on license type and other factors, but the 1020 model starts at about $5,000 and the 1080 at about $15,000.

She has also been impressed with AlgoSec’s support. Teranet has needed support only about five times, Manojilovic says; a few times were related to minor setup challenges. But she says she typically gets a response within 24 hours, which she considers impressive, as AlgoSec’s support staff is in Israel.

Network Knowledge

A few years ago, Central Michigan University began thinking more about ways to protect its network, says Ryan Laus, network manager. Network attacks were becoming more sophisticated and commonplace. The Mount Pleasant, Michigan-based university had also had some brushes with some high-profile worms. No parts of the network were shut down, Laus says, but the successful worms spread fast.

At the time, he had little ability to peer into the network and stop the spreading. He did have both intrusion prevention and intrusion detection systems (IPS/IDS) on the network. But the tools’ ability was limited mainly because of their reliance on signature-based detection, Laus says. They were sometimes too slow to catch relatively unknown threats.

Laus looked at two NBA products, he says. One, Peakflow, from Chelmsford, Massachusetts-based ArborNetworks, was geared mainly toward larger organizations. It had more intelligence and visibility than a second product, StealthWatch, from Atlanta-based Lancope. But Peakflow, at about $100,000, also cost nearly twice as much, he says.

StealthWatch was simple to set up, Laus says. It involved installing software, which then analyzed routers and net flow, creating a baseline for future use, he says. Laus then did some configuration, mainly adjusting the sensitivity of the alerts. It took a week or two to lower false positives to acceptable levels, he says. He also needed to configure the management console, which mainly involved breaking the tool into different zones or buildings to make data more readable.

StealthWatch, which had been monitoring almost all of the university's public addresses for about a year at the time, has had dramatic security benefits, Laus says. It can detect a variety of traffic that might have gone unnoticed. If there’s a spike in traffic on port 25, normally reserved for email, for example, the StealthWatch monitor “will really light up.”

The tool can also be set to take automatic action in set circumstances. A sudden jump in traffic on a rarely used port, for instance, could trigger the tool to block all traffic to the destination IP address. The solution frequently blocks a wide assortment of anomalous traffic and activity on its own accord.
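The baseline-and-anomaly behaviour described in the last three paragraphs, as an added illustration written for this article (not Lancope's StealthWatch code): a baseline of bytes per destination port is averaged over quiet intervals of constructed flow records, a later interval is compared against it, a spike on a known port (here port 25) raises an alert, and traffic on a port never seen in the baseline is marked for blocking by destination IP. The spike_factor and min_bytes thresholds are assumptions standing in for the sensitivity tuning mentioned above; the block action is only a recommendation returned to the caller, nothing is enforced.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, bytes), one list per
# interval, standing in for the NetFlow data an NBA tool baselines.
QUIET_INTERVAL = [
    ("10.1.1.5", "198.51.100.10", 80, 120000),
    ("10.1.1.6", "198.51.100.20", 443, 90000),
    ("10.1.1.7", "198.51.100.30", 25, 3000),
]
BASELINE_FLOWS = [QUIET_INTERVAL] * 5          # five similar quiet intervals

CURRENT_FLOWS = [
    ("10.1.1.5", "198.51.100.10", 80, 125000),
    ("10.1.1.6", "198.51.100.20", 443, 88000),
    ("10.1.1.9", "203.0.113.7", 25, 240000),   # mail spike, 80x baseline
    ("10.1.1.9", "203.0.113.7", 6667, 50000),  # port never seen in baseline
]


def bytes_per_port(flows):
    """Sum bytes by destination port for one interval."""
    totals = defaultdict(int)
    for _src, _dst, port, nbytes in flows:
        totals[port] += nbytes
    return totals


def build_baseline(intervals):
    """Average bytes per destination port across the baseline intervals."""
    sums = defaultdict(int)
    for flows in intervals:
        for port, nbytes in bytes_per_port(flows).items():
            sums[port] += nbytes
    return {port: total / len(intervals) for port, total in sums.items()}


def detect_anomalies(baseline, flows, spike_factor=10.0, min_bytes=10000):
    """Return (port, dst_ip, action) tuples, sorted by port: 'alert' for a
    spike on a known port, 'block' for notable traffic on an unknown port.
    Raising spike_factor or min_bytes is the 'sensitivity' knob."""
    by_port_dst = defaultdict(int)
    for _src, dst, port, nbytes in flows:
        by_port_dst[(port, dst)] += nbytes
    results = []
    for (port, dst), nbytes in sorted(by_port_dst.items()):
        if port not in baseline:
            if nbytes >= min_bytes:
                results.append((port, dst, "block"))
        elif nbytes >= max(min_bytes, spike_factor * baseline[port]):
            results.append((port, dst, "alert"))
    return results
```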

StealthWatch is easy to run, says Laus, who looks at reports once or twice daily. He likes to err on the side of too many alerts. “I’d rather it be a little bit noisy and make a decision myself on whether [an incident] is worth investigating.” The only other ongoing work involves installing occasional patches, he says.

Although Laus has no current plans to implement it, a free new StealthWatch tool, FlowSensor VE, can monitor virtual servers and desktops. Another recent development includes a partnership with Atlanta-based Damballa, which makes an antibot appliance and software tool called Failsafe. Failsafe tracks and identifies botnet CaC server communications. During the first phase of integration, Failsafe will feed StealthWatch the IP addresses of detected CaC servers from around the Web, according to StealthWatch. Another new StealthWatch feature, Data Loss Alarming, alerts organizations about possible data leaks from the network to the Internet, according to Lancope. It provides details such as the systems involved and the amount of data transferred.

Laus says organizations of all sizes can benefit from StealthWatch. The vendor can scale the tool to different size companies, he notes. As for support, he has rarely needed assistance, he says, but when he has needed help, the company has been responsive.

He says he now has far more network awareness and control. “It really lets you peer into what the hosts are doing and at the traffic traversing the network.” He also has more confidence the network can keep going if attacked by a major worm, for example. He says StealthWatch is highly complementary to the university’s IPS/IDS systems.

It has never been more important for organizations to keep their networks secure. IT managers who are in need of better network insight should seek out a tool that is relatively simple to use and in line with wider company business objectives. Some organizations are successfully meeting such aims with firewall management and NBA solutions.

John Wagley is an associate editor at Security Management.