Last updated July 15, 2008
Tools Help Fend Off New Net Attacks
Securities Industry News | Nov. 18, 2002

In protecting the enterprise from ever-escalating assaults from hackers within and without, corporate security pros now have a new weapon: smart devices that can detect even never-before-seen attacks. Ever on the front line, financial firms, including the New York Mercantile Exchange, are among the early adopters of this new technology.

One of the problems with traditional approaches to security, which use lists of known viruses and worms to screen incoming traffic, is that they only work after the threat has been identified and published. This is known as a signature-based approach to intrusion detection. But the latest security appliances go beyond this, using clever new artificial intelligence algorithms to identify new threats and stop suspicious messages from getting inside a corporate network. (An appliance is a ready-to-go software-and-hardware combination that can be installed at the outermost edge of a company's network.)

It is hard to determine exactly which brokerage firms are experimenting with the new technology: the vendors' Wall Street customers do not want to talk publicly about what security measures they have implemented, nor did the CIOs of a dozen firms contacted for this story. Thomas McMahon, VP of technical engineering at Nymex, also declined to speak on the record about his company's use of the Cambridge, Mass.-based Mazu Networks' security appliance. However, a quote from him was available on the vendor's Web site. It reads: "Mazu Networks' proven effectiveness in minimizing the risk of disruption made them the clear choice to defend our commodities-trading services against [denial-of-service] attacks."

Gartner Group analyst Matt Easley calls Mazu's approach "conversation analysis," which is also known as anomaly detection. Mazu is only one of a number of start-ups offering conversation analysis appliances.
According to a recent comparison test by Network World, one of the best of these new products comes from San Jose-based IntruVert Networks. The start-up this spring unveiled its IntruShield, which combines standard signature-based intrusion detection, denial-of-service detection and the new anomaly detection techniques in one appliance. Once up and running, the appliance learns what a company's normal traffic flow looks like and catches anything out of the ordinary, said Raj Dhingra, IntruVert's vice president of marketing. "We develop a very good understanding of what the actual profile is of when someone is accessing a certain Web site or service," he said. "Then we use that profile to compare new traffic on an ongoing basis."

Once a suspicious message is detected, the IntruVert appliance can either issue a warning or actually stop the message from entering the network, which is known as an "in-line" configuration. "And that's actually what the financial services are looking for," Dhingra said. "An automated response." Four financial services firms are already customers, Dhingra said, including brokerage firms and credit card companies, although he declined to name them.

Mazu Networks, which recently won an Innovative Technology award from Computerworld, is also getting good reviews (besides the one from NYMEX) for how it analyzes traffic to detect malicious attacks on networks. Mazu helps companies guard against a particular variation on the standard denial-of-service (DoS) attack. What usually happens in a DoS attack is that a company is flooded with fake messages, so many that it cannot process them all and business, in effect, shuts down. "What customers are starting to realize is that the attacks that do the most damage are not bandwidth attacks," said Mazu CEO Jim Melvin. "They're surgical strikes against Achilles' heels. We're seeing a very sophisticated breed of attacker and they surgically go in and have a profound impact based on a relatively small bandwidth drain because they're hitting the right spot."

These potential weak spots include any part of the network infrastructure that can act as a bottleneck or is not scalable, including firewall devices, load-balancing devices and routing devices, Melvin said. Financial services firms seem particularly vulnerable, he said, because they are icons. "A lot of companies ask, 'Who's going to be the threat? Is it going to be Al Qaeda, Iraq-based, a college student or a delinquent teen-ager?'" said Melvin. "But that's not the point. The point is, if you have a vulnerability, someone is going to exploit it."

That someone can even be located within the company firewall, added Gartner's Easley. "Lots of attacks come from malicious activity on the inside," he said. According to Stephen Northcutt, author of "Intrusion Detection" and an instructor at the SANS Institute, organizations have comparatively few sensing mechanisms within their networks. In fact, if a network were compromised from within, "you'd probably just think the network is slow," he said. One way to approach this problem, he said, is to stop thinking of your internal network as one big safe zone. "Break up the network into internal zones, such as an HR zone and an accounting zone," he said. "Then each zone sees anything from any other zone as a possible threat."

Mazu's appliance, like those of its competitors, can be used within a network to monitor for unusual traffic. "We have quite a bit of pickup from financial services firms for this," Melvin said. An internal attack, such as a denial-of-service attack, doesn't necessarily come from a disgruntled employee. For example, if a hacker develops a new kind of Trojan horse and is able to get it past a company's external security, it could stealthily lie in wait before launching an attack using a company's own servers against itself.
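The profile-and-compare idea Dhingra describes, together with Melvin's point that the damaging attacks are low-bandwidth "surgical" hits on a bottleneck device, as an added example that is not code from the article or from any of the vendors named: a per-service baseline is learned from constructed flow records, and a constructed interval whose total traffic is actually below normal still raises an alert because connections to the firewall's management port jump far above their baseline. The record format, service names, numbers and the mean-plus-three-standard-deviations rule are all assumptions.

```python
# Added example (not IntruVert's, Mazu's or the article's code): the
# profile-then-compare approach in miniature. Flow records, service names
# and numbers are constructed; the threshold rule is an assumption.
from collections import defaultdict
from statistics import mean, pstdev

def learn_profile(flows):
    """Baseline per service: (mean, stdev) of connections per interval.
    flows: iterable of (interval, service, connections, bytes)."""
    per_interval = defaultdict(lambda: defaultdict(int))
    for interval, service, conns, _ in flows:
        per_interval[service][interval] += conns
    return {svc: (mean(c.values()), pstdev(c.values()))
            for svc, c in per_interval.items()}

def detect(profile, flows, k=3.0, min_delta=5):
    """Compare one interval with the profile; return (alerts, total_bytes).
    min_delta is an absolute floor so a quiet service with a near-zero
    stdev does not turn every extra connection into an alert."""
    counts, total_bytes = defaultdict(int), 0
    for _, service, conns, nbytes in flows:
        counts[service] += conns
        total_bytes += nbytes
    alerts = []
    for service, observed in counts.items():
        if service not in profile:          # never seen while learning
            alerts.append((service, observed, "no baseline"))
            continue
        mu, sigma = profile[service]
        if observed > mu + max(k * sigma, min_delta):
            alerts.append((service, observed, f"baseline {mu:.1f}"))
    return alerts, total_bytes

# Constructed quiet period: six intervals, three services (a Web front end,
# a VPN concentrator and the firewall's management interface).
TRAINING = []
for i in range(6):
    TRAINING.append((i, "web", 100 + (i % 3) * 5, 5_000_000))
    TRAINING.append((i, "vpn", 20 + (i % 2), 800_000))
    TRAINING.append((i, "fw-mgmt", 2 + (i % 2), 20_000))

# Constructed "surgical" interval: total bytes are below normal, yet the
# firewall management port sees 60 connections instead of 2 or 3.
ATTACK = [(6, "web", 95, 4_700_000), (6, "vpn", 20, 780_000),
          (6, "fw-mgmt", 60, 60_000)]

def run():
    """Learn from the quiet period, then score the suspicious interval."""
    return detect(learn_profile(TRAINING), ATTACK)
```

A pure bandwidth threshold would have stayed silent on this interval; the per-service baseline is what makes the small, targeted spike visible.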
Harland LaVigne, president and CEO of Atlanta-based Lancope, which also makes intelligent security appliances, cautioned that with the approaching holiday season, companies should especially watch out for Trojan horses hidden inside attachments that pretend to be greeting cards. Many people will be sending electronic cards to cut costs, he said, and employees, even those who are usually wary of opening attachments, will often make exceptions for cards. If the Trojan horse carried in the attachment is a new variety, it could easily slip under the radar.

"Signature-based software is dependent on an attack that's already happened," LaVigne said. "There are companies that publish the signature of an attack, and appliances or host computers will be upgraded with the signature so that the next time an attack occurs, they will recognize that particular signature. Lancope itself is not signature-based. It runs on a series of statistical analysis and algorithms instead of a static database. So it's more effective against mutated, unknown or encrypted attacks."

LaVigne said his product is meant to work together with appliances such as those from Mazu. However, experts warn that these appliances can only do so much, and financial services firms must continue to be proactive in identifying and patching their security vulnerabilities.
Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com