By Ruby Bayan

Firewalls and antivirus applications used to suffice. When
intrusions gained momentum, security staff worked late coding patches and hot fixes.
But now that “zero-day exploit” is the name of the game, security
experts struggle to devise ways to defuse malware and other nefarious intent
before catastrophe strikes.

An early warning solution would be an asset, especially to a
global enterprise with thousands of network devices serving millions of
customers. Fortunately, such “security alarms” are now available. Our
experts recommended the leading brands, along with strategies on how they can be
deployed most effectively.

Consider flow-based detection with zone-based policies

“Initially an intrusion-detection appliance, StealthWatch is designed to
identify zero-day, unknown, and undocumented attacks by alerting network teams
about ‘not normal’ network traffic,” according to Chris Hovis, VP of marketing and business development at Lancope,

StealthWatch is a
standard, rack-mount PC running a hardened Linux operating system that
passively watches traffic on the network and rates the suspiciousness of new traffic
by comparing it to recognized traffic. It can tell what is normal by gathering
baseline statistics, then uses complex algorithms and network heuristics to
rate suspicious events according to a concern index that shows how unusual or
serious the event might be.

Hovis gave an example: “Say you have a Web server that
you do not use for FTP, and one day that server starts to service FTP requests.
StealthWatch will send an alarm to the administrator with a notice of an
important change. In this example, the administrator may find that a hacker has
compromised the server and is using it to distribute pirated software or

StealthWatch categorizes network traffic into
“flows” to profile activity and detect nefarious behavior. It quickly
identifies known or unknown attacks, internal misuse, or misconfigured network
devices, regardless of packet encryption or fragmentation.

Along with flow-based network anomaly detection,
StealthWatch offers zone-based security policies. Network administrators can
configure groups of hosts, adapting them to the logical or hierarchical security
structures and methodologies of the organization.

Close the gap between prediction and mitigation

According to Stan Quintana, VP of managed
security services at AT&T, “the premise behind any product/tool that
offers analysis and protection is (a) how good and predictive the intelligence
being gathered is, and (b) the velocity in which that information can be turned
into a mitigation solution.”

AT&T Internet Protect Service
boasts true predictive information on worms, viruses, D/DoS, and other types of
attacks that develop in the network. AT&T notifies its clients within
minutes of detecting malicious activity and cyberattacks, and recommends necessary actions to mitigate the event before damage
sets in.

“The advantage of having predictive information lies in
the ability to quickly turn this information into security rules that can
mitigate the security event on a real-time basis,” said Quintana.

More important, Quintana said, customers should also have
systemic policy management practices in place so that the security
infrastructure is current with the changing face of the risk environment.
“In addition, having overall management and monitoring, and incident
management capabilities, are critical to ensure that the security landscape is
addressed on a holistic end-to-end basis,” he advised.

Don’t forget the employee desktop

“As the effectiveness of network and perimeter security
diminishes, hackers have begun to utilize the employee, which can be the
weakest link in an organization’s security infrastructure,” according to
Dan Hubbard, director of product and systems analysis at Websense.
Therefore, any complete security strategy for organizations should include
protection at the employee desktop level, he said.

Hubbard recommended the Websense Enterprise Client Policy
(CPM), an add-on module to the Websense Enterprise content
filtering suite, which delivers zero-day protection against unknown security
threats and prevents the execution of unauthorized applications.

For reporting, Hubbard proposed Websense Enterprise Explorer
for CPM, an interactive, Web-based forensics and analytics tool that enables
IT/business managers to quickly detect malicious activity such as spyware, Trojan
horses, and hacking tools before antivirus signatures are available.

Understand your “threat-target” situation

When asked what tool to best deploy so that network
administrators can be alerted long before an intrusion wreaks havoc on the
system, Tim Keanini, CTO of nCircle, called attention to the
two dimensions the question needs to address: the threat environment and the
target environment.

“Both (environments) are very dynamic and the advantage
is defined as your ability to have more accurate intelligence than your
adversary,” Keanini said.

“There are non-commercial ways to track the threat
environment, such as security mailing lists, public Web-portals, and IRC
(inter-relay chat), but these come at the cost of your and your staff’s time.
Commercial products like iDefense’s iALERT deliver early warning to network
administrators and managers of changes in the threat environment that ‘may’
affect them—new vulnerabilities, new exploits, new worms, and even geo-political
events that may have relevance to an organization’s IT infrastructure. I use
the word ‘may’ because until the network administrator has intelligence about
their own systems, they don’t know if this intelligence is relevant.”

Keanini added, “The target environment refers to the
networking infrastructure you manage.” The attackers look for targets to
exploit, the scope of which is not just one particular operating system or
application, but the weaknesses associated with all devices connected to the
TCP/IP network and all its applications.

“If you know worms depend on vulnerabilities that
facilitate remote code execution, where on your network right now does this
class of vulnerability exist? Where are you misconfigured?” Keanini
suggested using nCircle’s IP360 to find the

“The IP360 takes knowledge from the threat environment
and then proactively checks for these weaknesses on your target environment,
making them both relevant or not, as the case may be,” said Keanini. The
automation allows you to perform this due diligence on a daily basis,
effectively measuring security independent of attack or incident, he said.

Keanini further emphasized the importance of proactive over
reactive measures when deploying solutions that aim to beat intruders to the

“The environment you secure is dynamic, so how can you
know how much security is enough if you don’t know the current state of your
environment? Proactive security measures help organizations understand their
environment and their risk on a daily basis so the ‘right’ amount of resources
can be applied for protection. Detecting your vulnerabilities and managing the
corrective measures prior to any incident or loss is what proactive security is
all about.”