The security challenges facing today’s enterprise networks are intensifying — both in frequency and number. The Blaster worm arrived just 26 days after Microsoft disclosed an RPC DCOM Windows flaw and released a patch for vulnerable systems. The worm took advantage of what some security experts have called the most widespread Windows flaw ever. For a time, Blaster was infecting as many as 2,500 computers per hour.
One thing is becoming unmistakably clear: Time is no longer on our side. As an indication of just how much the environment has changed, consider that the far-reaching Nimda and Slammer worms had vulnerability threat windows of many months, leaving plenty of time for the vendor of the vulnerable software to create a patch and warn the public, reducing potential threat damage. A study conducted by Qualys and released in July, that correlated nearly 1.5 million scans over the course of a year and a half found that 80 percent of exploits are released within 60 days of a vulnerability’s announcement. Security specialists often speak of the “vulnerability threat window,” or the time between the discovery of a vulnerability and an exploit of that vulnerability by a specific threat. Blaster, as we have seen, arrived just weeks after Microsoft announced the RPC DCOM vulnerability, leaving little time for administrators to secure their networks.
I’ve observed that today’s attacks are not only becoming more frequent, they are also becoming more complex, including polymorphic viruses, mass mailers, denial of service (DoS), and blended threats. Moreover, as enterprises continue to adopt new technologies (such as wireless and peer-to-peer networks, instant messaging, and broadband, to name just a few) and conduct more and more critical business functions online, they offer even more targets to attackers.
In such an environment, where attacks are becoming more frequent and more sophisticated, what steps can enterprises take to ensure business continuity? Increasingly, these organizations are considering implementing an early warning system.
Scanning the globe
An early warning system enables an organization to protect itself against approaching threats before they can affect operations. In cases where attacks are already under way, an early warning system can then provide a mitigation strategy.
At the physical level, an early warning system relies on a worldwide network of firewall and intrusion-detection systems — maintained by thousands of data partners — to aggregate and correlate attack data.
An early warning system can also look at events targeting a specific vertical industry. This information helps targeted industries better prepare for and prevent possible attacks.
Before an attack. An early warning service delivers notification of vulnerabilities and exploits as they are identified, providing information to help users mitigate a vulnerability before it is exploited. The system’s analysts monitor potential threats across thousands of products and draw upon information from a plethora of authoritative sources. Analysts provide information not only about the vulnerability, but also about best-practices countermeasures to keep systems protected. A detailed analysis should be provided in each alert and update, describing its severity and potential impact, technical makeup, the systems that might be affected, available patches or workarounds, and comprehensive mitigation strategies.
During an attack. An early warning system also provides warning of attacks that are under way. With personalized notification triggers and expert analysis, the system enables enterprises to prioritise IT resources in order to better protect critical information assets against attack. Using statistically reliable attack information, an early warning system must deliver automated, prioritised notifications. Patches, countermeasures, workarounds, and additional references are also provided.
The bottom line: an early warning system is vital in light of today’s increasingly sophisticated threats, which demand superior response capabilities.
Getting the word out on Blaster and Slammer
Recent events underscore the value of early warning systems’ response to cyber attacks. For example, it was an early warning system that alerted customers in July to the RPC DCOM Windows vulnerability and the patch from Microsoft. By continuing to monitor global attack activity, early warning systems were able to issue additional alerts as activity levels rose. (For example, an intrusion-detection signature that protected against this kind of attack was released.) The vulnerability eventually resulted in the Blaster worm, which began spreading in earnest on August 11. In between the vulnerability announcement and the worm, the threat increased daily as the new tools to exploit the vulnerability were publicly disclosed, as we saw above.
In January, it was an early warning system that first picked up the fast-moving Slammer worm, which doubled its infection rate every 8.5 seconds in its early stages and wreaked an estimated $1 billion in lost productivity. Automatic analysis of sensor-generated data identified Slammer as a global threat. Customers were notified of the threat and were advised to block traffic on the targeted port. Additional alerts were issued when further analysis pinpointed the threat as a worm, when the vulnerability that Slammer targeted was identified, and when patches that eliminated the vulnerability were available.
A federal case
The private sector isn’t alone in taking a closer look at early warning systems. The federal government has been active in this area as well. For example, the U.S. Department of Defense’s Computer Emergency Response Team (DOD-CERT) now uses Symantec’s early warning system to provide real-time threat and vulnerability intelligence reports that complement its internal early warning capabilities and provide a view of global security vulnerabilities and threat activity. The agency receives custom intelligence updates from the system, which aggregates attack data from 20,000 partners, including multiple vendors’ intrusion detection and firewall products, in more than 180 countries. The system provides the DOD-CERT with early warning notification from the industry’s largest vulnerability database tracking more than 18,000 product versions from more than 2,200 vendors. The DOD-CERT receives actionable threat and vulnerability alerts via email.
The U.S. Department of Homeland Security, meanwhile, is setting up an early warning system for Internet security alerts. The Global Early Warning Information System (or GEWIS) is intended to act as a kind of central hub that monitors sensitive areas of the Internet and alerts Department of Homeland Security officials to suspicious activity. For example, officials said it could be used to help the department monitor unusual numbers of domain name lookups and requests to authenticate digital certificates as possible precursors to an electronic attack.
Defending against today and tomorrow’s numerous and rapidly moving security threats requires new, proactive technologies. Maintaining the status quo is no longer an option. By providing early warning of cyber attacks, and countermeasures to prevent attacks before they occur, early warning systems are destined to play a key role in ensuring that enterprises and the government stay ahead of those threats.