Roll up, Roll up. See the amazing feats as security vendors tame wild APTs and put Trojan horses through their paces, cries Eric Doyle
The RSA Security circus comes to town this week as the RSA Europe conference opens inLondon.
Normally, this show follows roughly the same pattern as the San Francisco shindig, held around six months earlier, but with a European spin. This year things will be a bit different.
When the circus pitches tent it will have the usual white hat tigers, black hat lions, and performing Trojan horses. But this year there will be clowns – all falling over one another to show how the Advanced Persistent Threat (APT) dwarf managed to slip between their bow legs and run off with their crown jewels.
A Cruel Lesson Shared
Maybe I’m being unfair but the facts are that in March, intruders managed to make off with ifnormation about RSA’s SecurID two-factor authentication service. Apparently it all started when staff who were looking for promotion received an email and clicked on the attached spreadsheet of opportunity.
All of which makes RSA, somewhat reluctantly, more of an authority on what to do about APT exploits, which will now feature strongly at the conference. There has already been, or there were plans for, a pre-conference summit where the security captains of industrycould swap tales of derring-do and heroic failures in the cut and thrust battles with the hackers.
Ringmaster Art Coviello, executive chairman of RSA, will open the conference and outline the year so far and the increasing threat landscape. The picture he will paint will be in shades of grey as this year we have seen hackers getting smarter, cyber-threats growing and the nation states entering the scene with espionage tools and supervisory control and data acquisition (SCADA) weapons of destruction.
One of the problems of APTs is that they are cunning, stealthy and drawn-out affairs. It’s a bit glib for anyone to say “Read the logs” because with thousands of lines in, possibly, hundreds of textual logs, it’s easy to miss the key entries. And it’s unlikely these days that the most telling lines will be flagged with a red exclamation mark or similar symbol.
What I will be looking for at the conference is how far the various security companies are addressing the new threats. The vectors are constantly changing and we are moving into a world where Big Data storage systems and cloud services uptake means larger data movements are commonplace. This can mask security and operational threats, especially the transfer of stolen data.
A Picture Of Health
There is also the issue of the stealthy tools that hide within a network and subtly go about their nefarious tasks without triggering established alarm systems.
Red Lambda is a company trying a different, visual analysis approach to the problem with its AppIron MetaGrid product. By applying neural network algorithms which it calls Neural Foam, the company has devised an analytical, self-learning system that can analyse “billions” of data records and represent them on screen as an array of clusters.
As time passes, the neural network algorithm continues to analyse the data records on-the-fly, reducing the information into a manageable set of clusters. This produces a bit-level anomaly detection image that can span years of use.
MetaGrid’s purpose is to make it easier to see anomalies arise using the data visualisation and exploration capabilities. Threats can be identified and security teams can drill-down and examine data for analysis of suspected intrusions or for forensic purposes.
Todd Krautkremer, COO of Red Lambda, said, “Threat signatures are no longer effective, what we really need to understand is threat scenarios that play out over long periods of time. If you can reel out a federation of multiple grids you can find anomalies that are threat-based , we can capture that as a metaprofile which can be shared across grids and used as a new kind of search signature.”
Sharing Across Company Boundaries
This links in to the kind of initiative that RSA is trying to kick start with its security summits – sharing of experience between organisations. Because the metaprofiles are shared as an image pattern, the possibility arises for companies to share these discovered anomaly patterns because the underlying data is not being exposed, only the interactions across the network. It also stretches this anonymity to the company that exposed the threat (or was exposed by it) because the untraceable profile can be passed through Red Lambda as a trusted third-party, for example, for circulation among other companies.
Visualisation appears to be a good way to filter out the humdrum alerts that spring up as seasonal changes in a network – for example, when an annual audit is underway. Using neural networks has the downside of a learning process but holds the promise of greater detection capabilities as time passes.
Red Lambda’s product is just one among many of the new approaches and there should be several new tricks to be seen at the RSA circus. As always, RSA hopes for more. When the big top is taken down, and the trailers drive off into the distance, it wants to send the the audience will feel they have seen have seen – to paraphrase PT Barnum – the Greatest Security Show On Earth.
Before the show starts, however, APT threats have shown us the truth in another of Barnum’s phrases. When threats emerge, there is a sucker born every minute.