
Threat Control for Infrastructure

Defending the Network with the Cisco Attack and Intrusion Protection Solution

Executive Summary

Today's enterprises face an increasingly menacing security environment due to the continual stream of advanced, targeted attacks and malware. To meet this challenge, businesses must implement multilayered defense systems that collaborate to proactively detect and respond to existing and emerging security threats. Cisco® offers an integrated solution designed to provide unparalleled control over network security and the defenses required to thwart today's more sophisticated attacks. This paper examines current security developments and explains how the Cisco Attack and Intrusion Protection Solution can play an important role in strengthening corporate network defense.

Challenge

In recent years, enterprises have been faced with the constant threat of financially motivated Internet attacks. According to Gartner1, Internet crime has risen rapidly since 2003, with hackers increasingly targeting specific businesses for financial gain. New regulations, such as the U.S. Federal Information Security Management Act and Sarbanes-Oxley Act of 2002, have added to the pressure on enterprises to tighten security by increasing requirements to continuously monitor, verify, and improve network defense.
It is growing more difficult for security administrators to stay ahead of rising threats. Hackers are becoming stealthier and their assaults are becoming more sophisticated. Where widespread attacks were once launched primarily to gain notoriety, financial gain has motivated hackers to develop new methods to infiltrate systems and compromise data of specific organizations.
Today's "new breed" of hacker initiates attacks through all entry points and looks for weaknesses in insecure laptops, VPNs, IP phones, e-mail, or instant messages. More sophisticated strategies such as phishing and pharming deceive users into divulging passwords, bank account information, and credit card numbers.
Moreover, attacks are becoming harder to track and eliminate. Hackers now respond more rapidly to publicly reported security vulnerabilities and can produce new variants within a few days, constantly altering their methods to avoid discovery. For example, one recent method used a three-stage attack: the first stage was designed to defeat the latest antivirus software, the second to turn off PC defenses, and the third to turn the enterprise infrastructure into part of a larger "botnet" that could be used as part of a spamming network. In addition, many of the most dangerous methods exploit unknown or unpublished vulnerabilities for which no signature yet exists, so signature-based detection systems cannot recognize them.

Hacker Landscape Presents New Perils for Corporations

In recent years, hacker attacks have evolved from activities designed to create havoc to increasingly well-organized assaults for financial gain. Numerous reports in the news media highlight the growing threat and a "cybercriminal" population expanding throughout the world. For example:

Zotob virus for credit card forgeries-The Zotob worm infected organizations including CNN, ABC News, the New York Times, Boeing, and the United States Department of Homeland Security, in an effort to facilitate credit card forgeries. FBI investigators believe that the creator of the worm was paid to code it and that he may have created more than 20 other viruses1.

"rxbot" trojan horse for financial gain-The rxbot trojan horse infected 400,000 computers with adware programs that netted its creator more than $60,000 from pay-per-click advertising software makers2. The alleged perpetrator was arrested in November 2005 on suspicion of compromising thousands of machines, including computers at the Weapons Division of the U.S. Naval Air Warfare Center and those belonging to the U.S. Department of Defense's Defense Information Systems Agency.

Custom-built trojan for corporate intelligence gathering-The designers of a custom-built trojan horse are alleged to have created spyware aimed at corporate intelligence gathering and marketed it to three private investigation firms, which then allegedly used the spyware to steal data from their clients' competitors. According to police, the program exploited operating system vulnerabilities and used standard data capture methods, including keystroke logging, screen capture, and file transmission. Police said the trojan was planted via e-mail or a promotional computer disk, purportedly sent to the target companies by a well-known and reliable business contact. Dozens of companies, possibly including U.S. and European firms, may have been victimized, according to newspaper reports3.

The Corporate Cost of Internet Crime

In recent years, corporations have lost millions of dollars due to Internet crime. According to the 2006 "Computer Crime and Security Survey" by the Computer Security Institute and the San Francisco FBI's Computer Intrusion Squad, viruses, unauthorized access to information, and theft of laptops and mobile hardware posed the biggest security risks for corporations in 2005, accounting for nearly US$33 million in losses suffered by 313 respondents (Figure 1). Theft of proprietary information accounted for more than $6 million. Moreover, publicly disclosed breaches have adversely affected corporate stock prices, according to a recent study by Colorado-based Enterprise Management Associates (EMA) and Australia-based Hydrasight. The October 2006 report, based on data from six U.S. companies that disclosed an information security breach between February 2005 and June 2006, showed that their stocks fell 2.4 to 8.5 percent below the price on the date of disclosure and did not return to pre-incident levels for up to a year.

Figure 1. Corporate Losses by Type of Security Incident

Attempts to Solve the Problem

As a first attempt at defense, enterprises often implement point products such as intrusion detection systems (IDSs), firewalls, and anti-X technologies (antivirus, anti-spam, and anti-spyware). But such solutions provide limited protection. These products can do an effective job of identifying legitimate user traffic, blocking communications containing known threats and viruses, and identifying suspicious traffic with alert mechanisms. However, in order to avoid disrupting business communications, point products typically permit significant amounts of "gray-area" traffic (communications that are suspicious or potentially damaging but not necessarily harmful) to pass unimpeded (Figure 2). And eventually some of this traffic turns out to be more than merely suspicious.
Enterprises that deploy multiple point products often end up with a collection of security solutions from various vendors, each with its own architecture and user interface. Such a collection of products lacks the integration necessary to provide thorough protection. In addition, these point products may not be sophisticated enough to systematically inspect every security element, area, and device on the network.

Figure 2. Defining the Gray Area

IT managers who realize these deficiencies often deploy security information and event management solutions that help them view, measure, and manage threats. Such systems centrally aggregate security events and logs, analyze data using correlation and query methods, and generate alarms and reports on isolated events. However, many legacy security management systems lack sufficient network intelligence and performance to capture millions of raw events and then precisely isolate and validate correlated events, recognize new patterns and signatures, identify anomalies, pinpoint attack paths, and mitigate threats automatically and in real time.
Part of the problem is that these platforms also are often standalone products designed for managing other multiple standalone security systems such as various point products. But unless implemented as part of a larger, end-to-end system, security management solutions cannot examine and respond effectively to all threats and weaknesses across the network.
Lacking integration with the security infrastructure, these legacy solutions cannot thoroughly profile traffic and apply that information across multiple sessions to identify incidents that span the network. Without such data, IT operators have no means to detect complex and emerging threats arriving through multiple access points, classify them according to their potential impact on the network and the business, and take the appropriate defensive action. Some operators try to solve this issue by manually evaluating reports and logs from the dozens of security systems throughout the network, but parsing the data these systems generate about millions of events across hundreds of devices is an impossible task. The problem is compounded by threats such as the SASSER.D worm, which in May 2004 was reported to have generated 470,000 events per minute (nearly 8000 per second) against a single organization in an effort to crash the network.

Solution

Corporate IT departments require an intelligent, integrated solution that combines comprehensive security management with a multilayered network defense system. In such a solution, security elements must be embedded from end to end, in all network devices, servers, operating systems, and endpoints. With security integrated throughout the infrastructure, all management systems, enforcement points, and hosts can work collaboratively to proactively adapt and respond to emerging threats. In addition, this integration and intelligence enhances the ability to view all communications, activities, and incidents that take place on the network, improving the IT staff's power to make decisions. It also facilitates a level of automation, enabling network managers to reduce the time and effort required for certain administrative tasks, without hampering their control over network security.

The Cisco Attack and Intrusion Protection Solution

Cisco Systems addresses today's corporate security challenges with an integrated and layered defense model designed to counter vulnerability exploits and attacks (see Figure 3).

Figure 3. The Cisco Attack and Intrusion Protection Solution

The Cisco Attack and Intrusion Protection Solution is a key element of the Cisco Threat Control and Containment Solution. It protects all internal infrastructure components (including routers, switches, servers, PCs, and connections) and every ingress and egress point (including remote VPN branch offices, partner locations, and telecommuter remote-access links) from attacks and intrusions launched both internally and from external networks. Cisco threat control solutions help IT organizations proactively manage security threats and respond faster during events, minimizing costs and increasing productivity. The Cisco Threat Control and Containment Solution is a key component of the Cisco Self-Defending Network Solution, a comprehensive architecture that uses the network as the platform for security. This architecture includes five components critical to effective network security, shown in Figure 4.

Figure 4. Five Components Necessary for Effective Network Security

The Power of Integration

With security integrated tightly throughout the network, the Cisco Attack and Intrusion Protection Solution can detect hackers attempting to gain entry using a remote connection as a back door into the protected network. In addition, the solution provides early detection and threat visibility to help prevent attacks from infiltrating deeply into the network. An integrated management platform provides superior insight and control of the system, accelerating and simplifying the process of threat investigation and enabling IT operators to precisely identify, manage, and counter attacks.

End-to-End Protection

The Cisco Attack and Intrusion Protection Solution consists of a comprehensive management system that works in unison with host- and network-based intrusion prevention software embedded in security hardware platforms, network elements, and endpoints. Flexible and configurable monitoring, analysis, and response tools help identify and isolate security threats, and then recommend precise remedies to mitigate potential and verified incidents. The management component also helps maintain internal policy and regulatory compliance. High-performance software and hardware block malicious traffic such as worms, viruses, spyware, adware, and access abuse, and take pre-emptive action to close holes in applications and operating systems.

Solution Components

The Cisco Attack and Intrusion Protection Solution has three core elements:

Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS)-Provides the security threat management interface that translates raw network and security data into actionable intelligence

Cisco Intrusion Prevention System (Cisco IPS) solutions-Protect network infrastructure and access systems

Cisco Security Agent-Defends servers and desktops against targeted attacks, spyware, root kits, and day-zero attacks

Cisco Security MARS

This scalable, appliance-based system serves as the command and control center of the Cisco Attack and Intrusion Protection Solution. Working in collaboration with Cisco IPS solutions and Cisco Security Agents, Cisco Security MARS provides insight into the entire enterprise security environment and offers tools to assist management in pinpointing and removing offending elements.
Cisco Security MARS allows operators to gather data from Cisco and third-party network devices, enabling them to rapidly understand the details and nature of an attack. The system also transforms raw network and security event data from across the network into security and operations intelligence that can be used to take action. Using a powerful, interactive security management dashboard, network operators can view hotspots, incidents, and attack paths, enabling them to quickly centralize, prioritize, and mitigate threats. Advanced technologies analyze network topology to pinpoint affected devices and then automatically present commands necessary to stop or mitigate threats.
Cisco Security MARS includes numerous predefined reports to fulfill policy and regulatory compliance and an intuitive report generator that can be used to modify more than 150 standard reports or generate new reports for action and remediation plans, incident and network activity, security posture and auditing, and departmental reporting. The system also supports batch report processing and scheduled e-mail reporting. Cisco Security MARS comes in several appliance form factors, providing flexible deployment options according to the size of the network and the level of protection required.
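The correlation workflow described in the two passages above (the legacy SIEM that must capture millions of raw events, isolate corroborated incidents and recognize rate anomalies such as the SASSER.D flood; and Cisco Security MARS aggregating Cisco and third-party device data, pinpointing affected devices and presenting the commands needed to stop a threat) comes down to a few concrete steps. The Python below is an added example, not Cisco code and not a description of MARS internals: it normalizes constructed firewall, IPS and host-agent log lines into one schema, groups them by source address, raises an incident only when independent sensor types corroborate each other within a time window or when a single source floods, leaves everything else in the gray area, and maps the source to an assumed topology table to emit an IOS-style access list for the nearest enforcement point. The log formats, addresses, device and interface names, subnets and thresholds are all assumptions.

```python
# Added example (not Cisco code): cross-device event correlation with a
# topology-aware mitigation step. The log formats, addresses, device names,
# subnets and thresholds below are constructed assumptions.
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in three invented formats standing in for a
# firewall syslog, an IPS sensor alert and a host-agent alert. One source
# trips all three sensors; a second is a lone, gray-area deny.
SAMPLE_LOGS = [
    "2004-05-01T10:00:00 fw-edge deny tcp 10.1.1.5 -> 192.168.10.4:445",
    "2004-05-01T10:00:01 ips-dc alert sig=custom-smb-overflow src=10.1.1.5 dst=192.168.10.4",
    "2004-05-01T10:00:02 csa-host04 block process=lsass.exe event=buffer_overflow src=10.1.1.5",
    "2004-05-01T10:00:30 fw-edge deny tcp 10.2.2.9 -> 192.168.50.7:80",
]
# A third source sweeps a server subnet: 600 firewall denies within two seconds.
SAMPLE_LOGS += [
    f"2004-05-01T10:01:{i % 2:02d} fw-edge deny tcp 10.3.3.3 -> 192.168.10.{i % 250 + 1}:445"
    for i in range(600)
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")   # timestamp device body
PARSERS = [  # (sensor kind, body pattern); host alerts carry no 'dst'
    ("firewall", re.compile(r"deny \w+ (?P<src>\S+) -> (?P<dst>\S+):(?P<detail>\d+)")),
    ("ips", re.compile(r"alert sig=(?P<detail>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")),
    ("host", re.compile(r"block process=(?P<detail>\S+) event=\S+ src=(?P<src>\S+)")),
]
CRITICAL_NETS = [ip_network("192.168.10.0/24")]   # assumed server VLAN
WINDOW = timedelta(seconds=60)                      # corroboration window
FLOOD_EVENTS_PER_MIN = 1000                         # assumed flood threshold
TOPOLOGY = {  # assumed: router and ingress interface nearest each source subnet
    ip_network("10.1.0.0/16"): ("rtr-branch1", "GigabitEthernet0/1"),
    ip_network("10.3.0.0/16"): ("rtr-branch3", "GigabitEthernet0/0"),
}

# Common schema every sensor is normalised into; dst is None for host alerts.
Event = namedtuple("Event", "ts device kind src dst detail")
Incident = namedtuple("Incident", "src kinds count events_per_min critical mitigation")


def parse_line(line):
    """Normalise one raw line from any of the three sensors into an Event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for kind, rx in PARSERS:
        body = rx.search(m.group(3))
        if body:
            g = body.groupdict()
            return Event(datetime.fromisoformat(m.group(1)), m.group(2), kind,
                         g["src"], g.get("dst"), g["detail"])
    return None


def mitigation_for(src):
    """IOS-style access list for the router nearest the attacking source."""
    addr = ip_address(src)
    for net, (device, iface) in TOPOLOGY.items():
        if addr in net:
            return [f"! apply on {device}", f"access-list 120 deny ip host {src} any",
                    "access-list 120 permit ip any any",
                    f"interface {iface}", " ip access-group 120 in"]
    return [f"! no enforcement point mapped for {src}; block at fw-edge"]


def correlate(lines):
    """Group events by source. Raise an incident when two or more sensor types
    agree within WINDOW or when one source floods; leave the rest in the gray area."""
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_src[e.src].append(e)
    incidents, gray = [], []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        evs = [e for e in evs if e.ts - evs[0].ts <= WINDOW]
        span = max((evs[-1].ts - evs[0].ts).total_seconds(), 1.0)
        rate = len(evs) / span * 60                   # events per minute
        kinds = {e.kind for e in evs}
        if len(kinds) < 2 and rate < FLOOD_EVENTS_PER_MIN:
            gray.append(src)                          # suspicious, uncorroborated
            continue
        critical = any(e.dst and ip_address(e.dst) in n for e in evs for n in CRITICAL_NETS)
        incidents.append(Incident(src, kinds, len(evs), rate, critical, mitigation_for(src)))
    return incidents, gray


if __name__ == "__main__":
    found, unsure = correlate(SAMPLE_LOGS)
    for inc in found:
        print(f"{inc.src}: {sorted(inc.kinds)} x{inc.count} ({inc.events_per_min:.0f}/min)"
              f"{' CRITICAL' if inc.critical else ''}")
        print("\n".join(inc.mitigation))
    print("gray area:", unsure)
```

Run as a script, the block reports two incidents (10.1.1.5, corroborated by all three sensor types and aimed at the critical VLAN; 10.3.3.3, a single-sensor flood of 36,000 events per minute) and leaves the lone deny from 10.2.2.9 in the gray area. The corroboration rule is what keeps an isolated firewall deny from becoming an alert, while the rate rule turns the 600 denies of a worm sweep into one incident instead of 600 unrelated events; the access-list syntax is standard IOS, but the router and interface it targets come from the assumed TOPOLOGY table, which a real deployment would populate from device discovery.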

Cisco IPS Solutions

Cisco IPS solutions protect the network infrastructure from malicious traffic before it affects the business. Cisco IPS Sensor Software performs deep-packet inspection on network traffic to effectively prevent and mitigate a wide range of attacks without compromising network performance. The software is integrated into Cisco IOS® Software-based routers equipped with the Intrusion Detection System Network Module; Cisco IPS 4200 Series sensors; Cisco Catalyst® 6500 Series Intrusion Detection System Services Modules (IDSM-2s); or Advanced Inspection and Prevention Security Services Module (AIP-SSM) cards for Cisco ASA 5500 Series Adaptive Security Appliances. In collaboration with other elements of the Cisco Attack and Intrusion Protection Solution, Cisco IPSs accurately identify, classify, and stop potential threats such as worms, spyware, adware, viruses, and application abuse in real time and without dropping legitimate traffic.
Cisco IPS solutions protect all network entry points and internal access infrastructure, including internally deployed VLANs, wireless networks, VPNs, partner links, and remote-access connections and endpoints, by intercepting and preventing internal and external attacks and successfully denying malicious traffic. In addition, Cisco IPSs:

• Collaborate with Cisco Security Agents to enhance visibility of traffic on endpoints for early threat identification

• Provide accurate inline prevention using technologies that offer intelligent, automated, contextual data analysis

• Use multivector threat identification to guard against policy violations, vulnerability and exploit-based attacks, and anomalous activity through detailed traffic inspection

• Prevent new attacks with the aid of a consistent signature database and customizable signatures that can be created and deployed while the Cisco IPS solution is still in service

Cisco provides a variety of IPS solutions for network environments of all sizes, from small and medium-sized businesses (SMBs) to branch offices, large enterprise locations, and managed security service provider (MSSP) installations. Combined with the Cisco Attack and Intrusion Protection Solution, Cisco IPS solutions offer complete prevention, providing the ability to detect and stop malicious traffic before it affects business continuity.

Cisco Security Agent

This Cisco solution protects servers and desktop computers by identifying and preventing threats before they affect applications and employee productivity and migrate to the network where they can cause further damage. Working together with other components of the Cisco Attack and Intrusion Protection Solution, the Cisco Security Agent automatically locates new and evolving attacks on endpoints without requiring reconfigurations or updates, reducing potentially complex and costly administration and maintenance. Using this solution, network managers can protect data flows of mission-critical applications during peak traffic times, reducing the chance that critical business will be disrupted.
The Cisco Security Agent protects servers and desktop computers by:

• Defending against targeted attacks, spyware, rootkits, and day-zero attacks

• Offering system integrity assurance and patch relief

• Ensuring availability of critical client-server applications and transactions

• Enforcing corporate and regulatory compliance policies for acceptable use, critical data protection, and removable media usage

The Cisco Security Agent solution consists of two main components: Cisco Security Agents (deployed on servers and desktop PCs) and the Cisco Security Agent Management Center for centralized administration of host-based agents. Using a Web browser, administrators can easily create, manage, and update security policies, monitor alerts, generate reports, and manage and deploy thousands of agents enterprisewide. By combining security policies, including distributed firewall, policy compliance enforcement, system integrity assurance, malicious mobile code protection, and audit event collection, the Cisco Security Agent provides in-depth protection for corporate servers and desktops.

Cisco Service and Support

Cisco and its partners provide a broad portfolio of end-to-end services and support based on proven security methodologies and best practices. These services can help enterprises effectively design, deploy, and manage threat control and containment systems, and integrate them into the organization's infrastructure and business processes.

Cisco Lifecycle Services for Security

The Cisco Lifecycle Services approach defines the activities required to help enterprises successfully deploy and operate Cisco technologies and optimize their performance. Using this approach, Cisco can help organizations lower operating costs, shorten implementation time, and reduce security threats. Cisco and its partners provide security services to address all aspects of deploying, operating, and optimizing a threat control system, including:

Assessment Services

Cisco uses an extensive range of expertise and methods to evaluate the network's ability to prevent, detect, and mitigate threats. Vulnerability assessments and security architecture reviews are offered to effectively identify vulnerabilities at the system and network level.

Planning and Design Services

Cisco and its partners assist in planning and designing a threat control system using in-depth, systemwide methodology and accepted industry standards. A strong design and integration plan can increase the effectiveness of threat control solutions, speeding their deployment while reducing overall integration costs.

Implementation Services

Cisco can help enterprises deploy, configure, and integrate new threat control systems into the network infrastructure. Multilayer defense is necessary, but may increase the complexity of managing network security and make it more difficult to identify and mitigate threats if not integrated effectively into the security infrastructure. Bringing sound network integration expertise to assist staff or a partner, Cisco can accelerate the successful implementation of the threat control solution.

Operate Services

Cisco can help organizations proactively manage their IT infrastructure by anticipating, identifying, and resolving issues quickly and accurately. A threat control system should include timely, accurate, and credible security intelligence combined with a threat correlation and alarm management system. Cisco provides a customizable, Web-based threat and vulnerability alert service that now supports Cisco IPS Sensor Software Version 6.0. To proactively manage the enterprise's threat control devices, Cisco also offers a Security Remote Management Service. Additionally, Cisco service and support can help organizations maintain network health through day-to-day operations by providing online technical support, telephone access to Cisco engineers, automated self-help tools, software updates and upgrades, and advance replacement of failed hardware.

Optimize Services

Cisco offers a comprehensive set of assessment services, advanced network support, and proactive consultations to help increase the performance of the network security infrastructure, improving overall operational efficiency.

Conclusion

The task of defending the network is becoming increasingly difficult as Internet crime grows and hackers become more sophisticated. Legacy security systems and standalone perimeter solutions offer neither the intelligence nor the integration with other network components to provide adequate defense. Businesses require a more comprehensive solution that provides the insight necessary to identify and stop today's more complex threats.
Cisco offers a complete hardware and management system consisting of Cisco Security MARS, Cisco IPS solutions, and the Cisco Security Agent. When used together, these elements enhance security while giving network operators more power to investigate and stop today's advanced threats. With the Cisco Attack and Intrusion Protection Solution implemented throughout the communications infrastructure, the ability to monitor, detect, analyze, and defend is greatly improved, enhancing network availability and employee productivity, and giving enterprises confidence that crucial business will remain uninterrupted.

1. "Augment Security Processes to Deal with the Changing Internet Threat," John Pescatore, Gartner research report G00138147, March 2, 2006.