CXO

Cyber Advanced Warning System sounds the alarm on security threats

Cyber Advanced Warning System is a service from NSS Labs that proactively determines a business's security status. Get more details about the warning system.

Image: NSS Labs

NSS Labs, known for its independent testing of information-security products, has been in the industry for many years. That longevity affords the company a unique perspective of today's businesses and whether their security measures are effective.

From a 2015 white paper by NSS Labs: "In the face of a growing attack surface and mounting global losses from cybercrime and cyberespionage incidents, companies wishing to remain operational in a digital world spend increasing amounts on security products as they seek answers to three key questions."

  • How are attacks blocked?
  • How does a company know it has been compromised?
  • What happens following a compromise?

A fourth, and even more critical, question

The people at NSS Labs suggest that something else is needed. "Clearly, a new approach for cybersecurity and risk management is required," the paper mentions. "While the preceding questions are undoubtedly important, and the products supporting them are necessary for a robust security strategy, there is a fourth question that is even more critical." That question is: How do companies avoid compromises?

NSS Labs tries to answer the avoidance question by harvesting and then analyzing the following threat information.

  • Capabilities of the Adversary: There is an untold variety of malware in the wild; all of it is useless unless the malware can be installed on the victim's computer via an exploit kit. Since the number of successful exploit kits is far less, NSS Labs prefers to focus attention on exploit kits more so than malware.
  • Security Product Failure: No antimalware product, according to NSS Labs, is 100% effective. So NSS Labs channels its effort to identify what's slipping by the products.
  • A Vulnerable Target: All the different application, browser, and operating system combinations come under consideration. "It is vital that the exact target vector is determined for each attack launched by the threat actors," explains the white paper. "From that, the question becomes 'Am I running that specific version of application with that specific version of operating system?' If not, then you are not vulnerable, despite the failure of your security products."

Cyber Advanced Warning System

To fill the cybersecurity and risk management void that NSS Labs feels exists, the company recently introduced Cyber Advanced Warning System (CAWS) — a service that proactively determines a business's security status.

The NSS Labs technology underpinning CAWS is called BaitNet: a cloud-based sandbox environment used to test endpoint and network security products. BaitNet consists of two sub-components: Capture and Replay.

Capture gathers suspicious URLs from open-source, commercial, and clients of NSS Labs threat-information repositories. The compiled URLs, in particular those containing exploit kits, are passed to a controller, which spins up Virtual Machines (VMs), and directs the VMs to visit the malicious URLs. Each VM will:

  • Have a unique combination of operating system (including service pack/patch level), browser, and end-user application.
  • Run only one version of any application, allowing BaitNet to decide if that application and operating system combination is vulnerable to the malicious website's exploit kits.

If a compromise is discovered, the entire VM session is packaged and sent to Replay, the second component of BaitNet. Replay's controller distributes the session across the BaitNet test harness consisting of VMs matching the configuration of the infected host. The idea behind BaitNet is to mimic the operation of a typical user when clicking a URL within a browser and then analyze the results.

"Note that CAWS will only raise an alert if a current exploit is capable of bypassing all of your security products," cautions the white paper. "Should one of your users fall prey to the attack, no evidence of it would appear in any of your logs."

In essence, CAWS is a safe way to decide whether all facets of a company's security platform are safe.

An additional feature is CAWS's ability to work out whether using multiple security applications together is of any benefit. "CAWS might indicate today that a next-generation firewall missed 20 exploits; an intrusion-protection system missed 15; and an endpoint protection platform missed 10," from the NSS Labs website. "However, because the three products are complementary in terms of coverage, the count of Relevant Threats (i.e., those threats that bypass all security products in the stack) is zero."

Also see

Disclaimer: TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.


About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks

Free Newsletters, In your Inbox