Despite 20 years of research and development in the information security industry, high-profile, damaging breaches are at an all-time high. Almost every week we hear about the compromise of supposedly hardened assets such as Symantec's AV source code, Epsilon's prized email list and Sony's PlayStation Network. Even information security powerhouses such as RSA Security have fallen victim.

As information security techniques have evolved, so have the attackers’ methods and motivations. Further compounding the dilemma is a rapidly shifting IT landscape full of technologies such as cloud computing, high-speed 10G+ network cores, IPv6, and the blustering world of social media. While many CIOs and CISOs certainly wish for an infosec endgame, the unfortunate truth is that network security is an ever evolving arms race in which rapid change is a way of life for those that wish to survive.

A Journey, Not a Destination
 

Information security has a history of one-upmanship. As new methods are developed to deal with risks posed to the enterprise, attackers find new avenues of attack, often taking advantage of emerging technology trends. In the late 90s, we saw the use of simple computer viruses and fast spreading worms. The risk was often network downtime and loss of user productivity due to lost files or slow and unresponsive workstations. IT security personnel countered these threats with firewalls, host-based anti-virus programs, and intrusion detection technologies that leveraged signatures and port-based blocking mechanisms.

Over time, attackers realized that loud, obnoxious worms and viruses were easily detectable and easily countered. Throughout the late 2000s, a shift to "low and slow" botnet-based attacks often obfuscated by encryption or non-standard port tunneling took hold, and the arms race continued. The security industry answered with dedicated data loss prevention technology, smarter firewalls, and security information management systems.

Fast forward just a few short years to 2011, and we see the dawn of hacker collectives such as Anonymous and LulzSec. The age of the directed attack or advanced persistent threat (APT) has arrived. This new brand of attack is driven by a variety of motivators including:

• Governments and state entities realizing the value of cyber warfare
  (i.e Stuxnet, Operation Aurora)
• Political, religious, and patriotic motivations
  (i.e hacker collectives such as Anonymous and LulzSec)
• The anti-sec movement, and a desire to "teach the security industry a lesson"
  (i.e RSA, Stratfor, Symantec, HBGary Federal)
• A desire for notoriety
  (i.e copy cat attacks resulting from Anonymous and LulzSec)
• Monetary motivators resulting from a sharp increase in cyber spending over the last 5 years
  (i.e record setting in holiday season of 2011)

To combat these new threats, infosec professionals look to the security industry for innovative new methods to address the infosec arms race. One such answer can be found in the emerging field of network flow analysis.

Know Your Network, Run Your Business:

Information and Visibility Win the War

Network security monitoring systems such as Lancope's StealthWatch technology are on the cutting edge of the modern security practice. Leveraging NetFlow, IPFIX, sFlow, and other network flow accounting technologies, the StealthWatch System brings a new lens to the information security landscape. Flow-based network security provides a wide range of benefits including:

• Situational awareness across the entire network on a 24x7 basis. Anywhere you have Cisco equipment you have coverage. Flows are used to create hundreds of reports that detail the activities of users, applications, attackers, and more. Flow logs found within the StealthWatch FlowCollector contain a complete account of everything that has happened on the network. You're never in the dark.
• Rapid detection and response without the need for signature updates. Lancope's StealthWatch System leverages behavioral analysis and statistical algorithms to detect and alert on suspicious network transactions and behaviors.
• Simplified virtual network visibility. Many virtual platforms such as Cisco's Nexus 1000v, Citrix Xen, and VMWare's ESX 5.0 support flows natively. No native support? No worries. Lancope provides a software-based flow visibility tool called the FlowSensor VE that easily installs and provides coverage for virtual areas that don't support flows natively.
• Affordability and ease of deployment. Lancope's StealthWatch System leverages existing network infrastructure to gather flows and analyze network behavior. There is no need for expensive 10G packet capture devices since devices such as Cisco's Catalyst 6500, 4500, and 3750-X provide the flows that are needed to detect threats.

So while the threat landscape continues to evolve, so do the countermeasures available to the modern infosec warrior. As you plan for 2012 and beyond, be sure to consider the power stored away in your routers and switches. It's already there. You just need to select a flow collection and analysis system capable of making sense of the flows. Lancope's StealthWatch System is a powerful technology that can serve as the next countermeasure in the continuing infosec arms race.

LinkedIn is one of the most important social media sites on the web. They have over 101 million members, including executives and engineers from every Fortune 500 company.   When you signup to Lancope's NetFlow Ninjas group you can participate in the most recent discussions of how NetFlow enables monitoring tools to collect NetFlow packets exported from enterprise routers and switches, generating network traffic reports that help understand the nature of the network traffic and bandwidth utilization.  

It is clear that there is a surging momentum behind the adoption of NetFlow as the de-facto protocol for network monitoring and by joining the 'NetFlow Ninjas' LinkedIn group you may  participate with some of the leading figures in this exciting technology explosion.  Click here to join the LinkedIn NetFlow Ninjas.

This CSIS report summarizes the new defense requirements for protecting cyberspace from escalating cybercrime. Although the cybersecurity industry is full of recent publications about new attacks and security breaches, it is difficult to summarize the extent these damages. Here are just a few facts taken from the CSIS research:

High-end cybercrime takes two forms. Criminals steal intellectual property (IP), either at the behest of a government or for their own use. Even small companies can be a target. Estimates of these losses are in the billions of dollars. Germany, whose economy is one-quarter the size of the U.S. economy, estimated its own IP losses due to industrial espionage at $25 billion to $50 billion, the bulk of which results from weak Internet security. Most companies do not report losses and may not even be aware of them. When Google was hacked, only one other company reported a potential loss, even though we know that more than 80 major companies were victims.

Advanced cyber criminals have capabilities that approach those of national intelligence agencies, and some criminals have close relationships with their governments. A flourishing black market supports cyber crime. In it, you can buy the latest malware, learn of recently discovered vulnerabilities, or rent “botnets” (thousands of computers remotely controlled for criminal purposes without the computer owners’ knowledge). Credit card numbers, personal information, and bank account data can be bought in bulk. Some sellers offer guarantees.

Cyber criminals also target the financial system, going after automated teller machines (ATMs), online bank accounts, and credit cards. Some crimes have been spectacular: one Russian gang took $9.8 million from ATMs over a Labor Day weekend. The chief planner is not only still at large, we do not even know his or her identity. Where law enforcement is weak, cyber criminals are safe.

In 2012 there are dozens of slated private and federal initiatives that move forward towards resolution of these issues. Many of these initiatives embrace flow-based monitoring solutions and real-time network behavioral analysis. The Lancope website contains a wealth of information about network security.

Everyday businesses, governments, organizations, schools, and consumers extend the reach of information and communications technologies. Our modern culture is interconnected by information technologies – and irreversibly dependent on it. The increased adoption of information technology has also been accompanied by the development of a new set of cyber threats:

• Advanced Persistent Threats (APTs)
• Insider threats
• Industrialized attacks
• Employee misuse & abuse
• Fully automated attacks

Just take a moment to grasp the extent of these cyber attacks:

• Hackers take down CIA website, steal Sony user data and cause mayhem for Google online security.
• Epsilon, the largest email marketing service company in the world, announced it was hacked by a group targeting the company's email lists.
• A cyber war may be on the horizon after Google accused hackers in China of breaking into the personal email accounts of US officials
• Governments, IOC and UN hit by massive cyber attack
• The Pentagon has responded saying it will consider computer sabotage an act of war and would consider responding to such acts as it would any other threat to the country.

This list is just the tip-of-the-iceberg, as sitting below the surface of these six articles are thousands of other stories about the increase in cyber threats. Obviously, this is a topic that we need to understand and Adam Powers, Lancope's CTO, will explain how to harness the latest developments in enterprise-ready flow collection and analysis solutions to help combat these threats.

Here is a brief quote from Obama's proclamation:

“As we navigate new and uncertain challenges in the digital age, we must also address the growing threat cyber attacks present to our transportation networks, electricity grid, financial systems, and other assets and infrastructure.  Cybersecurity remains a priority for my Administration, and we are committed to protecting our critical infrastructure by taking decisive action against cyber threats. To ensure the safety of our most vital operations, we are working to give public and private organizations the ability to obtain cybersecurity assistance quickly and effectively. These efforts will bolster our ability to withstand any attack, whether virtual or physical.”

In combination with this new proclamation the House Permanent Select Committee on Intelligence approved a bill to facilitate sharing and pooling of “cyber threat information” between private companies and government intelligence agencies. This bill is seen as controversial from different groups as it potentially punches an enormous hole in the wiretapping laws that have, for decades, been a primary guarantor of our electronic privacy. It is beyond the scope of this blog to address this issue, however the most fascinating part of this bill is the definition of what constitutes a cyber threat:

Information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from—

(A) efforts to degrade, disrupt, or destroy such system or network; or

(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

To understand more about today's prominent cyber attacks we recommend you attend Lancope's complimentary webinar “Leveraging Netflow to Combat Today's Most Prominent Cyber Attacks.” Participants will learn about the types of cyber attacks they need to be prepared to address in 2012, and how NetFlow can help improve their security strategy for the new year and beyond.

“The leading provider of flow-based monitoring to ensure high-performing and secure networks for global enterprises. Unifying critical network performance and security information for borderless network visibility, Lancope provides actionable insight that reduces the time between problem onset and resolution.

Enterprise customers worldwide, including healthcare, financial services, government and higher education institutions, rely on Lancope to make better network decisions and avoid costly outages and downtime. Founded in 2000, Lancope is continuously innovating to stay ahead of customer demands and marketplace trends, holding five patents and more than 130 proprietary algorithms.”

There are two approaches for analyzing Lancope from the government's perspective. First we can look at specific government contracts and view how the government is utilizing the StealthWatch product family:

In light of increasingly sophisticated and high-profile cyber attacks, it became clear to this organization that implementing the minimum requirements to comply with federal regulations was no longer enough to adequately protect its critical assets. The organization therefore decided to move from a reactive to a proactive security strategy, going above and beyond traditional, perimeter-based security tools and embracing innovative solutions that would provide more comprehensive protection

“How do we get better situational awareness of attacks within our target-rich environment?” asked the organization’s chief security architect. “How do we stop reacting and start hunting?” In order to improve its security posture, the organization implemented a defense-in-depth strategy consisting of a set of innovative, complementary security technologies, including Lancope®’s StealthWatch for behavioral-based network monitoring and anomaly detection. Overall, the organization wanted to increase its situational awareness and improve incident response. “We have a target-rich environment that has been (and will continue to be) attacked,” said the chief security architect. “We need to detect these [attacks] sooner, and be able to rapidly investigate and respond.”

After reading these press-release based articles I still wanted to see, from a deeper perspective, the issues that were driving the federal agencies to rapidly adopt the Lancope StealthWatch product family. As you can imagine, for every government decision there are ten research/case studies and then several dozen official reports to Congress. Within a few hours of research I gathered the following set of documents that trace most of the issues surrounding the adoption of Lancope's StealthWatch.

Comprehensive National Cybersecurity Initiative: http://www.fas.org/sgp/crs/natsec/R40427.pdf

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf

Guide to Intrusion Detection and Prevention Systems (IDPS): http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

The fiscal 2011 Federal Information Security Management Act reporting metrics for CIOs: http://gcn.com/articles/2011/06/06/%7E/media/GIG/GCN/Documents/FISMA%20reporting.ashx

Managing Information Security Risk (Organization, Mission, and Information System View): http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

Fiscal Year 2010 Report to Congress on the Implementation of The Federal Information Security Management Act of 2002: http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY10_FISMA.pdf

At first this list of documents may seem a little daunting, but after spending several hours of reading I came away with a serious respect for the teams that assembled these reports. These documents taken as a whole layout the ground-work of information security management. Over the new few months I will dive into the content of these documents and how they relate to StealthWatch.

So, how does the world want to dampen my great holiday attitude now that I am done shopping for gifts? How about a new wave of scammers, cyber-criminals, and hackers just waiting to swoop in with a new breed of DDoS attacks created just for the holiday season. Worries about "denial-of-service outages are the name of the game for online retail organizations during the heavy holiday shopping season," Adam Powers, CTO of Lancope, told eWEEK. Adam continued the interview with some insights into legitimate oversubscription DoS scenarios. The critical back-story to this article is the necessity of organizations to check their infrastructure to make sure they can handle increased network traffic and capacity. With a flexible hosting environment (or cloud site), network monitoring strategy and proper security gateways these problems can be mitigated.

"The bottom line is that retailers and other blue-chip corporations need to improve their defensive posture against DDoS attacks, as criminals and hacktivists have significantly increased the frequency and sophistication of DDoS attacks they employ," said Mike Paquette, chief strategy officer of Corero Network Security.

Here the full article published in eWeek: E-Commerce, Retail Websites Alert for DDoS Attacks this Holiday Season

For the Employer:

Your primary responsibility is education. Users will inevitably purchase items with a corporate credit card. They will use a generic corporate account to log into the Staples portal. They will participate in the holiday frenzy with your equipment, and if they make mistakes your business is at risk.

Also, expect network performance during "Internet free-time" at lunch to diminish as workers clamor to get shopping done during their breaks, especially in large office buildings with high concentrations of hourly workers. If you’re a network administrator, watch those pipes to see if there are congestion problems. If you're approaching capacity you might want to suggest that workers shop from home. Be firm but honest with them about the challenges of traffic surges resulting from holiday ecommerce shopping. If you're a network security admin and your Internet connection or firewall state tables are already running hot, you might want to brief your users on the potential dangers associated with careless online shopping.

For the Online Merchants / Retailers:

Denial of service outages are the name of the game for online retail organizations during the heavy holiday shopping season. DoS problems manifest in two ways for the retailer:

I. Legitimate Oversubscription

A recent poster child for a legitimate oversubscription DoS would have to be Target's launch of the Missoni clothing line. High demand for the Missoni product line brought Target's online commerce portal to its knees. Shoppers were unable to access the site in a reliable manner for almost 24 hours after the launch. Online deal finders such as theblackfriday.com and mobile apps like BlackFriday can lead to a sudden influx of web requests, overwhelming the commerce portal itself. Note to consumers: Shop early! Especially if you’re on the West Coast.

II. Malicious DoS

Another major threat to an online retailer, especially those with a strong brand, is malicious denial of service attacks. Criminal elements can take advantage of events such as Black Friday to extort money from retailers. Hacktivists are also given a unique opportunity to ride the wave of media coverage that follows the big holiday spending days by launching an attack at that time. 

For the Consumer:

Socially engineered attacks will be out front leading the charge this season. Facebook especially has created an opportunity to put malicious code in front of the user in a comfortable environment. Attackers know that users will click on just about anything to save a buck, and during the holiday season they'll click twice. Many consumers have paid down credit cards and saved up cash in anticipation for the shopping season. In short: holiday shoppers are ripe for the picking. Holiday predators rely on numbers. While their methods are often crude, if you put a "Take this survey and win a free iPhone!" link in front of enough people, someone will bite. Fortunately these "industrialized attacks" are easily thwarted through rational online shopping habits such as:

• Make sure you are browsing the website using https:// versus http://. This will ensure your session with the merchant is encrypted and free from snooping with simple session capture utilities like Firesheep. Also, be on the lookout for strange certificate errors that occur while checking out.
• If you have any doubt at all about an email's origin, don't follow any links found within the email itself. If you receive an email touting a great deal, enter the website of the vendor directly into the browser address field.
• Make payments using an actual credit card rather than your check card. Giving an attacker direct access to your cash just before Christmas could spell disaster.
• Limit exposure where you can. Don't create a user account unless you have to and DO NOT allow the online vendor to store your credit card info for later use. It doesn't take that long to enter the credit card information again if necessary.
• If the deal seems too amazing to be true, it probably is. Ask yourself what the motivation is behind the vendor's sudden willingness to part with profits - especially when faced with an ad like "New iPad 2 for $199.00 - ONE DAY ONLY!" Has anyone ever known Apple to discount anything through a retailer? Obvious scam. While they aren’t all so obvious, a bit of cool reasoning can greatly reduce the attacker's likelihood of success.
• If the site wants you to authorize a Facebook app or install any kind of additional software, don't bother.

The Criminal Advantage:

According to ComScore, retail commerce spending for Nov-Dec 2010 was $32.6 billion, up 12% over 2009. Online shopping is getting easier and more prominent than ever before as mobile devices are finally finding their place as a virtual mall in the consumer's hand. ComScore estimates that 90% of consumers will use their phones to shop for holiday gifts this year. Criminals now have multiple venues to host their attacks. From the consumer's PC to their phone, the number of potential attack vectors is increasing. While email has long been the go-to medium of attack, other delivery methods such as SMS, Facebook Messaging, and malicious links in blogs are also gaining popularity.

The holiday season provides the perfect storm for the motivated cyber criminal: excited, hurried victims with lots of money and a willingness to spend it. And if 2011 taught us anything about today's cyber security landscape, it's that no company is safe from headline-making breaches. Sony Entertainment, Epsilon, RSA Security, Marriott Hotels, the list goes on and on. If these sophisticated organizations aren't safe from compromise, what chance does the consumer have?

The answer lies in education and defense in depth. The unfortunate truth about modern network security is that it is a continuously escalating arms race between the professional IT workforce and the cyber criminal underworld. Events like Black Friday place the consumer directly in the crossfire.

Several common themes come to light that offer direct business and organizational value when deploying StealthWatch, each of them with non-trivial direct savings opportunities. Most of these savings are based on a reduction of downtime or productivity loss due to performance degradation or infrastructure compromise, though some are more discrete in nature. A few specific examples are listed below.

Faster MTTx: The first challenge of any reactive situation is to get to the bottom of the issue and reduce the Mean Time To (MTT) complete a number of tasks.

First comes identification (MTTI), then diagnosis (MTTD), and finally actions to complete a restoration/repair (MTTR). The savings opportunities here are accelerating return to normal operations. The StealthWatch 6.0 release, with its logical grouping and Relational Flow Maps, is delivering significant improvements in MTTI and MTTD, improving both the top and bottom line of the overall cost of operations equation. With the intuitive nature of StealthWatch console interfaces such as the Relational Flow Maps, improvements in MTTR can also be realized by extending access to front-line IT service desk personnel, potentially improving first-call resolution rates – particularly valuable for the most critical resources and applications.

Extended MTBF: Extending Mean Time Between Failures (MTBF) is predominantly a means of protecting the top line, both in short- and long-term views, and is of particular concern for the most business critical applications and services. The new StealthWatch Relational Flow Maps represent precisely the kind of management technology that operations teams need for intelligent recognition of potential issues and when combined with advanced behavior analysis, put operators in an even more proactive position.