The difference with today’s security threats, says Robert Pregnell, regional product marketing manager at Symantec, is that the bad guys are after the data, not the device. He says this shows in the increased professionalism and commercialisation of malicious code. “It is obvious there are some very sophisticated people out there and they are using automated tools to develop an increasing number of sophisticated attacks.”
Pregnell throws some alarming figures around: just shy of half a million unique variants in the last six months, up from around 200,000 for the previous six months, and more than 11,000 cross-site scripting attacks in the last six months of 2007, up from just 2000 in the six months prior. But it’s not just the sheer numbers, it’s the sophistication of the code that is changing, says Pregnell. Attacks that focus on various Web vulnerabilities (browsers, media players, XML and AJAX Web interactions) are not only proliferating, they are capable of morphing to avoid detection.
Today’s crimeware writers are not trying to disrupt your computer, they are crafting stealthy code that can go unnoticed until it achieves its goal of getting your credit card details, online banking login or whatever highly specific target it is after.
“If you take a step back and take a look at the whole virus landscape, if you look at the past 10 or so years, almost two thirds of the malicious code threats that we know about today were created in 2007,” says Pregnell.
“It’s frightening stuff for computer users from consumer to enterprise. It’s also scary for signature-based security product vendors. Security labs are deluged and struggling to keep up with the number of new signatures required to protect against an overwhelming explosion of automated, polymorphic malware,” he says.
“The AV vendors are getting to the limit of their capacity to keep up and the bad guys know that.”
It’s pretty well accepted now that traditional anti-virus products have lost round one to the malware writers. In fact, none of the traditional security measures are quite enough on their own anymore. The preferred approach is to use multiple protections at multiple points in the network: you can’t just protect the perimeter and you can’t just protect the end points.
You can’t rely on a single technology either, but need a suite of solutions to tackle different problems at different places.
Michael Sentonas, director for sales engineering and services for McAfee agrees. “There’s a massive opportunity for solutions that provide maximum security but minimum management load,” he says. “That’s why there is a move to ‘best-of-suite’ type of approach. Users need to be able to deploy quickly and manage them effectively.”
Content Inspection
One of the hottest areas resellers need to bone up on is Web content inspection. There are nearly as many approaches to protecting against Web-borne threats as there are security companies offering solutions. They all have one thing in common: they no longer rely on simple URL filtering to keep the bad guys out.
In response to the increase in blended and zero day threats, vendors have begun delving deeper into the traffic entering or leaving the enterprise. More often than not they are looking for more than virus signatures.
Although still an essential part of the security mix, in the threat 2.0 world traditional anti-virus technologies are proving less effective because they are tuned to identify existing, recognised threats by checking for a signature match. Heuristic approaches were introduced to catch new malware with some success, but the rising incidence of self-mutating malware, where each variant carries a different byte pattern for the same payload, is making signature-scanning security solutions less successful.
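The point about self-mutating code is easiest to see with a small model. The block below is an added example, not code from the article or from any vendor it mentions: a naive substring-signature scanner catches the original sample, misses a variant whose body has been re-encoded under a fresh one-byte XOR key, and only catches it again once the scanner emulates the hypothetical decoder stub and rescans the recovered body. The payload, signature and packer format are all constructed for illustration.

```python
"""Why a byte-signature scanner misses a trivially re-encoded variant.

Added example. The "payload" is a harmless placeholder string standing in
for a known malicious body; the packer format ("XORK" + key + body) is
hypothetical and exists only to model a polymorphic decoder stub.
"""
from typing import Optional

# Constructed placeholder payload (not real malware).
PAYLOAD = b"placeholder-bad-body: steal cookies and post to drop site"

# The byte signature a lab might extract from the first sample seen.
SIGNATURE = b"steal cookies"


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain substring match, the way a naive signature engine works."""
    return signature in sample


def make_variant(payload: bytes, key: int) -> bytes:
    """Simulate a polymorphic packer: XOR the body under a fresh non-zero key
    and prefix a tiny 'decoder stub' header that records the key.
    Hypothetical layout: b'XORK' + key byte + encoded body."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte; key 0 leaves the body unchanged")
    body = bytes(b ^ key for b in payload)
    return b"XORK" + bytes([key]) + body


def unpack_variant(sample: bytes) -> Optional[bytes]:
    """Emulate the decoder stub: recover the body if the sample uses the
    hypothetical packer, otherwise return None."""
    if len(sample) < 5 or not sample.startswith(b"XORK"):
        return None
    key = sample[4]
    return bytes(b ^ key for b in sample[5:])


def scan(sample: bytes) -> str:
    """Static signature first; if that fails, unpack (if possible) and rescan.
    Returns 'detected-static', 'detected-after-unpack' or 'clean'."""
    if signature_match(sample):
        return "detected-static"
    body = unpack_variant(sample)
    if body is not None and signature_match(body):
        return "detected-after-unpack"
    return "clean"


def distinct_variants(payload: bytes, keys: range) -> int:
    """How many byte-distinct files one payload yields across a key range:
    every one of them needs its own signature if the scanner cannot unpack."""
    return len({make_variant(payload, k) for k in keys})


if __name__ == "__main__":
    print("original:", scan(PAYLOAD))
    variant = make_variant(PAYLOAD, 0x5A)
    print("static match on variant:", signature_match(variant))
    print("variant with unpacking:", scan(variant))
    print("distinct variants from keys 1..255:", distinct_variants(PAYLOAD, range(1, 256)))
```

The arithmetic is the lesson: one payload and one byte of key give 255 byte-distinct files, and a real packer varies far more than that, so the only scalable answer is to look at what the code does (here, emulate the stub) rather than what it looks like.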
To minimise the risk from blended threats and zero-day exploits, security professionals have increasingly used Web gateways with URL filtering to restrict access to specific Internet sites perceived to be a threat to either security or worker productivity.
The idea was to block access to obvious threat sites, such as P2P and pornography, along with bandwidth- and time-wasting sites such as YouTube and MySpace. As the crimeware gangs responded this became less effective and had to be augmented to block a wider range of sites. All too often the malware would be on a site that wasn’t already blocked, so security vendors introduced various reputation services to help identify the moving feast of threat locations, sending updates to Web appliances regularly.
Such systems have become increasingly sophisticated and continue to scale. They are not merely reactive either. Websense, for example, has just launched its ThreatSeeker network. Every hour, the company says, the system scans more than 40 million websites, assigns more than 2 million new reputation scores and scans 10 million emails. Daily, ThreatSeeker draws on more than 50 million real-time data-collecting systems to parse one billion pieces of content, uses honeyclients to mine and analyse more than 100 million websites, and captures spam, phishing and exploit campaigns through honeypots and spamtraps that see more than 10 million unsolicited attacks a day.
Increasingly, security vendors are taking advantage of the processing power available in Web appliances to take a closer look inside the traffic moving in and out of the network. Some look at the packet level for threats, while others go the added step of examining a stream of packets to get a bigger picture of the content, even reassembling it to determine exactly what the code will do when it is executed.
An early entrant in this type of approach is WatchGuard’s Layer Seven firewall products. Scott Robertson, A/NZ regional director for WatchGuard, said application-level scanning allows security administrators to disassemble a packet and inspect its characteristics before letting it on to the network.
The proxy architecture used means there is never any direct connection between end-points on the network and the outside world: the appliance terminates the client’s connection, parses the request, and opens its own connection outbound only if policy allows. In this way, if the data stream contains a GET or POST request, for example, the administrator can pre-assign policies for how each should be handled.
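What “pre-assigned policies for GET or POST” looks like in practice, as an added example that is not WatchGuard’s code or any vendor’s: a small model of the decision a proxy-style gateway makes once it has parsed the request it terminated. It combines a reputation feed (the kind of service described above) with per-method rules, so a GET to an unrated host can pass while a POST to one cannot, and a credential-looking form post is only allowed to highly trusted hosts. The reputation scores, thresholds and sample requests are all constructed for illustration.

```python
"""Minimal model of an application-layer (proxy) gateway policy.

Added example. The reputation feed, thresholds and requests are constructed;
a real appliance would pull scores from a vendor service and apply many
more checks (content scanning, TLS inspection, user identity).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed reputation feed: host -> score, 0 (bad) .. 100 (trusted).
# Hosts with no entry are "unrated".
REPUTATION: Dict[str, int] = {
    "intranet.example.com": 95,
    "cdn.example.net": 80,
    "evil.example.org": 5,
}

# Pre-assigned per-method policy (hypothetical thresholds): the minimum
# reputation a host needs for the method, and whether unrated hosts may be
# used with it at all. Methods not listed are refused outright.
METHOD_POLICY = {
    "GET": {"min_score": 20, "allow_unrated": True},
    "POST": {"min_score": 50, "allow_unrated": False},
}

# Hypothetical rule: form posts that look like a login only go to trusted hosts.
CREDENTIAL_MIN_SCORE = 90


@dataclass
class Request:
    method: str
    host: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Parse the request the proxy received from the client (absolute-form
    or origin-form target), lower-casing header names and host."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        host, path = parts.hostname or "", parts.path or "/"
    else:
        host, path = headers.get("host", "").split(":")[0], target
    return Request(method.upper(), host.lower(), path, headers, body)


def decide(req: Request) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for a parsed request."""
    policy = METHOD_POLICY.get(req.method)
    if policy is None:
        return "block", f"method {req.method} not permitted by policy"
    score: Optional[int] = REPUTATION.get(req.host)
    if score is None:
        if not policy["allow_unrated"]:
            return "block", f"{req.method} to unrated host {req.host}"
    elif score < policy["min_score"]:
        return "block", f"{req.host} reputation {score} below {policy['min_score']}"
    if req.method == "POST" and b"password=" in req.body.lower():
        if score is None or score < CREDENTIAL_MIN_SCORE:
            return "block", f"credential submission to {req.host} (not trusted enough)"
    return "allow", "policy satisfied"


def inspect(raw: bytes) -> str:
    """Convenience wrapper: raw request bytes in, 'allow' or 'block' out."""
    return decide(parse_request(raw))[0]


# Constructed sample requests.
GET_CDN = b"GET http://cdn.example.net/lib.js HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n"
GET_EVIL = b"GET /drop HTTP/1.1\r\nHost: evil.example.org\r\n\r\n"
LOGIN = b"user=alice&password=hunter2"
POST_UNRATED = b"POST /submit HTTP/1.1\r\nHost: unknown.example.test\r\n\r\n" + LOGIN
POST_INTRANET = b"POST /login HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n" + LOGIN
POST_CDN = b"POST /login HTTP/1.1\r\nHost: cdn.example.net\r\n\r\n" + LOGIN
CONNECT = b"CONNECT evil.example.org:443 HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("GET cdn", GET_CDN), ("GET evil", GET_EVIL),
                      ("POST unrated", POST_UNRATED), ("POST intranet", POST_INTRANET),
                      ("POST cdn", POST_CDN), ("CONNECT", CONNECT)]:
        print(f"{name:14} -> {decide(parse_request(raw))}")
```

The design point is that every decision is made on a fully parsed request, not on a packet: the proxy has the method, the host and the body in hand before anything reaches the outside, which is exactly what a packet-level filter watching a half-assembled stream cannot offer.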
What’s in that code?
By Darren Baguely on Apr 30, 2008 11:25AM