Intrusion Prevention: Stopping New and Unknown Threats in Real-Time (PowerPoint presentation transcript)

Transcript and Presenter's Notes

1
Intrusion Prevention: Stopping New and Unknown
Threats in Real-Time
  • Ted Doty
  • Director of Product Management
  • 1 (781) 209-3214
  • ted@okena.com

2
My Background
  • 18 years in computer security field
  • DoD, security industry
  • Security Products Program Manager at Network
    Systems Corporation
  • Interop 95 Best of Show for The Security Router
  • Internet Scanner Product Manager at ISS
  • Published in Computer Security Journal, Business
    Communications Review, Datamation

3
How Bad Is Computer Security?
  • We really don't know in absolute terms
    • Difficult to quantify
    • Attacks remain undetected
    • Inconsistent incident reporting
    • Lack of means of determining attacks
  • It appears to be getting worse
    • However you measure it (FBI, CERT, CSI)

4
Closer to Home: Log Analysis From a Home DSL Gateway
(Over a 3.5-Month Period)
  • 29 days of UDP DDoS attacks
  • Thousands of NetBIOS UDP probes (many may be
    misconfigured servers)
  • Hundreds of UDP/TCP probes of high-numbered
    ports (many well-known trojan ports)
  • Many using spoofed or unregistered IP addresses
  • Some source IPs correlated with a colleague's log
  • Would be interesting to do on a larger scale
  • Attacker motivations unknown
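
The classification the slide reports, run over a few constructed gateway log lines, as an added example that is not part of the original presentation. The one-record-per-line log format, the short trojan-port list, the list of address space that should never appear as a source, and every sample line (including the colleague's excerpt) are assumptions made for the example.

```python
"""Triage of a home gateway's dropped-packet log.

Added example, not from the original slides: it reproduces the kind of
classification the slide reports (NetBIOS probes, probes of high-numbered
and well-known trojan ports, spoofed/unregistered sources, sources shared
with a colleague's log). The one-line-per-drop log format, the port lists
and every log line below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical gateway format: "<timestamp> DROP <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

NETBIOS_PORTS = {137, 138, 139}
# A few remote-access trojan listeners of the period; assumption: this stands
# in for whatever "well-known trojan ports" list the speaker's analysis used.
TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}
# Sources that should never arrive from the Internet: "this network",
# RFC 1918 private space, loopback, link-local, multicast and reserved space.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed log excerpt (198.51.100.2 plays the gateway's public address).
SAMPLE_LOG = """\
2001-10-18T01:02:03 DROP UDP 203.0.113.7:1030 -> 198.51.100.2:137
2001-10-18T01:02:04 DROP UDP 203.0.113.7:1030 -> 198.51.100.2:137
2001-10-18T02:15:00 DROP TCP 192.0.2.44:4021 -> 198.51.100.2:27374
2001-10-18T02:15:01 DROP TCP 192.0.2.44:4022 -> 198.51.100.2:31337
2001-10-18T03:00:00 DROP UDP 10.1.2.3:53 -> 198.51.100.2:53
2001-10-18T03:00:01 DROP UDP 0.0.0.0:0 -> 198.51.100.2:1434
2001-10-18T04:00:00 DROP TCP 203.0.113.7:2000 -> 198.51.100.2:5000
garbage line the gateway wrote during a reboot
"""
# Constructed excerpt of a colleague's log, used only for source correlation.
COLLEAGUE_LOG = """\
2001-10-19T11:00:00 DROP TCP 203.0.113.7:2100 -> 192.0.2.200:5000
2001-10-19T11:00:05 DROP UDP 203.0.113.99:1030 -> 192.0.2.200:137
"""

def parse(line):
    """Return a dict for a well-formed drop record, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_unregistered(src):
    """True for a source address that cannot legitimately reach us from outside."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in BOGON_NETS)

def classify(rec):
    """All categories a dropped packet falls into (a packet may be in several)."""
    cats = []
    if rec["proto"] == "UDP" and rec["dport"] in NETBIOS_PORTS:
        cats.append("netbios-probe")
    if rec["dport"] in TROJAN_PORTS:
        cats.append("trojan-port:" + TROJAN_PORTS[rec["dport"]])
    elif rec["dport"] >= 1024:
        cats.append("high-port-probe")
    if is_unregistered(rec["src"]):
        cats.append("unregistered-source")
    return cats

def triage(log_text):
    """Category counts plus the set of categories seen per source address."""
    counts, per_source = Counter(), {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        for cat in classify(rec):
            counts[cat] += 1
            per_source.setdefault(rec["src"], set()).add(cat)
    return counts, per_source

def shared_sources(log_a, log_b):
    """Source addresses that appear in both logs (the colleague correlation)."""
    srcs = lambda text: {r["src"] for r in map(parse, text.splitlines()) if r}
    return srcs(log_a) & srcs(log_b)

if __name__ == "__main__":
    counts, per_source = triage(SAMPLE_LOG)
    for cat, n in sorted(counts.items()):
        print(f"{n:4d}  {cat}")
    print("shared with colleague:", shared_sources(SAMPLE_LOG, COLLEAGUE_LOG))
```

The per-source view is the one worth keeping: a single address that appears under both "netbios-probe" and "high-port-probe" is a scanner, not a misconfigured server, which is the distinction the slide's parenthetical is after.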

5
Rate of Vulnerabilities Increasing: Analysis From
Bugtraq Archives, www.securityfocus.com
  • 88 vulnerabilities announced in 10/2001
  • 31 vulnerabilities announced in one week (10/18
    to 10/25/2001)
    • Average of 4.5 a day
    • 9 in one day
  • Compare to 11 announced in the same week in 1997
    • Average of 1.5 a day

6
Nobody is Immune
  • SANS
  • RSA
  • Alternative Computer Technology (UK)
  • All had motivation, resources, expertise to
    protect themselves

7
Why?
  • Tightly coupled, complex systems
  • Lots of expertise required to administer
  • Time-consuming
  • Existing tools are not totally effective
  • Each type addresses only part of the problem
  • Endless updates always chasing latest attack
  • Operationally Expensive
  • Most generate more work
  • Only one vulnerability needs to exist

8
Security Myth 1: Software Vendors Will Save Us
  • Have you ever coded a product that was
    efficient and secure after being pushed for three
    days to meet a deadline? Don't you become
    somewhat exhausted and lazy, primarily because
    you want to sleep, no matter how much money
    you're going to be paid? There comes a point
    where caffeine just won't help you operate
    anymore and your health becomes more of a
    priority than a "higher-up"'s regime.
  • Posted to Slashdot by Scoria on Tuesday
    October 02, 2001 at 05:57 PM
  • http://slashdot.org/article.pl?sid=01/10/02/2211203&mode=thread

9
Security Myth 2: Software Engineering Will Save Us
  • Programming languages matter, but even more
    to the point, programming culture matters.
    It's the latter, even more than the former,
    that's given us, and will continue to give us, so
    much dangerous code. Until something makes it
    much more expensive than it is now to ship bad
    code -- and I believe that Mr. Baker is right,
    and the only thing that will do it is a few
    big liability judgments - nothing is likely to
    change.
  • Posted to comp.risks by Jerrold Leichter on
    Monday, 7 Jan 2002
  • http://catless.ncl.ac.uk/Risks/21.85.html

10
Security Myth 3: User Education Will Save Us
  • All passwords must be unique
  • Attachment Converted: This_is_a_virus.doc
  • Publish To The Web
  • AIMster/Gnutella/Bearshare serving MS Office
    files
  • Etc, ad infinitum

11
(No Transcript)
12
Bottom Line
  • You can follow best practices and still get
    burned
  • The next email worm gets past your AV system and
    a misconfigured (or old) Outlook client
  • The next http-borne buffer overflow sails through
    your firewall, IDS, and content scanning systems
  • An employee installs an Instant Messenger
    application, and sensitive documents tunnel out
    past the firewall via SSL
  • The situation is getting worse, at an
    accelerating rate

13
How Can We Do Better?
  • Attacks can occur through an increasing number of
    vectors
  • The "hard crunchy outside with soft chewy inside"
    model is no longer reasonable
  • Be aware of (and avoid) the False Positive vs. False
    Negative Hobson's Choice
  • First, consider what's common about many types of
    intrusions

14
Anatomy of an Attack
  • (Diagram of the attack phases; only its final label, "Target", survives in the transcript)
15
Wish List For Better Technology
  • Address each of the attack phases
  • Recognize that a defense at any single phase may
    be inaccurate
  • Prevent networked applications from being tricked
    into subverting the host
  • Prevention should be effective against mutated
    attacks that do the same old thing
  • Open and Customizable to prevent non-malicious
    but undesired activity
  • Zero Update

16
StormWatch: Stopping Attacks in Real-Time
  • Host agent intercepts key internal system calls
    on server and desktop nodes
  • File system, network, registry, COM objects, etc
  • Makes allow/deny decisions based on
    application-centric policy criteria
  • Don't let applications be tricked into malicious
    activity
  • Disable valid but undesired functionality
  • Correlates events on the host to eliminate
    non-malicious or non-suspicious alerts
  • Correlates events on multiple nodes to detect and
    prevent attacks that might not otherwise be
    obvious

17
INCORE
  • StormWatch is an application defense mechanism
    that invokes an allow/deny response through
    OKENA's proprietary INCORE architecture
  • INCORE = INtercept, COrrelate, Rules Engine

18
Centralized Management
  • Centrally administered policies
  • Autonomous, local enforcement
  • Dynamic Correlation automates adaptation
  • Dynamic Correlation detects "low and slow" port
    scans
  • Dynamic Correlation detects network worms
  • Dynamic protection updated on the fly
  • Allows administrators to focus on policy (should/
    shouldn't), rather than care and feeding of agents
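
An added example, not OKENA code, of the cross-node correlation the slide describes: each node's agent reports the inbound attempts its local policy blocked, and no single node sees enough of them to call anything a scan, but pooling the reports by source address across all nodes exposes both a "low and slow" port scan and the fan-out of a network worm. The event shape, the 24-hour window, the thresholds and all the events are assumptions constructed for the example.

```python
"""Cross-node correlation of agent events.

Added example, not OKENA code: each node's agent reports connection
attempts its local policy blocked, and on its own a node sees too few of
them to call anything a scan. Pooling the reports by source address across
nodes exposes a low-and-slow port scan and the fan-out of a network worm.
The event shape, window and thresholds are assumptions for the example;
all events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)        # how far back one source's events count
SCAN_THRESHOLD = 8                  # distinct (node, port) targets from one source
WORM_THRESHOLD = 6                  # distinct nodes hit on one port ...
WORM_BURST = timedelta(minutes=10)  # ... within this long a burst

class Correlator:
    def __init__(self):
        self.by_source = defaultdict(list)  # src -> [(when, node, dport)]

    def ingest(self, when, node, src, dport):
        """Record one blocked inbound attempt reported by `node`'s agent."""
        self.by_source[src].append((when, node, dport))

    def _recent(self, src):
        """This source's events inside WINDOW, measured back from its latest one."""
        events = sorted(self.by_source[src])
        if not events:
            return []
        latest = events[-1][0]
        return [e for e in events if latest - e[0] <= WINDOW]

    def per_node_max(self, src):
        """What the busiest single node saw from src: the uncorrelated view."""
        counts = defaultdict(int)
        for _, node, _ in self._recent(src):
            counts[node] += 1
        return max(counts.values(), default=0)

    def scans(self):
        """Sources touching many distinct (node, port) targets, however slowly."""
        hits = {}
        for src in self.by_source:
            targets = {(node, port) for _, node, port in self._recent(src)}
            if len(targets) >= SCAN_THRESHOLD:
                hits[src] = len(targets)
        return hits

    def worms(self):
        """Sources hitting the same port on many nodes inside one short burst."""
        hits = {}
        for src in self.by_source:
            by_port = defaultdict(list)
            for when, node, port in self._recent(src):
                by_port[port].append((when, node))
            for port, evs in by_port.items():
                evs.sort()
                for i, (start, _) in enumerate(evs):
                    nodes = {n for t, n in evs[i:] if t - start <= WORM_BURST}
                    if len(nodes) >= WORM_THRESHOLD:
                        hits[src] = (port, len(nodes))
                        break
                if src in hits:
                    break
        return hits

def build_sample():
    """Constructed events: one slow scanner, one worm-like host, one stray."""
    base = datetime(2001, 10, 18, 0, 0)
    c = Correlator()
    # Scanner: two ports on each of four nodes, one probe every two hours, so
    # no node ever sees more than two probes. Two further probes 30 hours
    # earlier fall outside WINDOW and must not count.
    for i, node in enumerate(["web1", "web2", "mail1", "dns1"]):
        for j, port in enumerate([21, 1433]):
            c.ingest(base + timedelta(hours=2 * (2 * i + j)), node, "192.0.2.9", port)
    c.ingest(base - timedelta(hours=30), "web9", "192.0.2.9", 23)
    c.ingest(base - timedelta(hours=29), "web9", "192.0.2.9", 25)
    # Worm-like internal host: port 80 on seven nodes within three minutes.
    for k in range(7):
        c.ingest(base + timedelta(days=1, seconds=20 * k), f"ws{k}", "10.0.0.5", 80)
    # A stray single probe that should trigger nothing.
    c.ingest(base, "web1", "198.51.100.4", 22)
    return c

if __name__ == "__main__":
    c = build_sample()
    for src in c.by_source:
        print(f"{src:14s} busiest single node saw {c.per_node_max(src)} probe(s)")
    print("scans:", c.scans())
    print("worms:", c.worms())
```

The point of `per_node_max` is the comparison: the scanner never shows more than two probes at any one node, well under any sensible per-host threshold, yet pooled across nodes it reaches eight distinct targets; the worm-like host is caught by the opposite shape, the same port on many nodes in minutes.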

19
Useful Pre-configured Protection
  • Email worm protection
  • Generic Buffer Overflow prevention
  • OS Lockdown
  • Distributed Firewall (inbound and outbound)
  • Desktop Active Content Sandbox
  • Application-specific control policies for:
    • IIS
    • SQL Server
    • DNS
    • DHCP
    • Desktop: MS Office, Instant Messaging
      applications

20
Customizable Policies
  • To decide what a system shouldn't do, you have to
    know what it does
  • StormFront builds application-specific
    StormWatch policy based on observed application
    behavior
  • Policies are completely customizable by
    enterprise security administrator or security
    service provider
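
Slides 16 and 20 together describe an agent that intercepts operations and answers allow/deny from an application-centric policy, part of it pre-configured and part of it built from observed behaviour. The following is an added example (not OKENA's StormWatch or StormFront code) of both halves: hard rules naming behaviour that is never legitimate for an application class, and a per-application profile learned from observed operations that everything else is checked against. The operation names, the rule syntax, the generalisation heuristic and all paths and observations are assumptions made for the example.

```python
"""Application-centric allow/deny policy with a learned profile.

Added example, not OKENA code. Two halves: a hard policy that names
behaviour never legitimate for an application class (a network service
spawning a shell, a mail client executing what it just received, an IM
client using a port it has no business with), and a profile learned from
observed behaviour that every other operation of a profiled application is
checked against. Operation names, rule syntax, the generalisation heuristic
and all paths are assumptions for the example.
"""
from fnmatch import fnmatchcase
from collections import defaultdict

# Hypothetical intercepted operations: file_read, file_write, exec,
# net_connect, net_listen. Targets are paths or "host:port" strings.
def rule(app, op, target, action, why):
    return {"app": app, "op": op, "target": target, "action": action, "why": why}

HARD_RULES = [
    rule("inetinfo.exe", "exec", "*\\cmd.exe", "deny", "web server spawning a shell"),
    rule("inetinfo.exe", "exec", "*\\tftp.exe", "deny", "web server fetching tools"),
    rule("outlook.exe", "exec", "*.vbs", "deny", "mail client running a script"),
    rule("outlook.exe", "exec", "*\\Temporary Internet Files\\*", "deny",
         "mail client executing received content"),
    rule("aim.exe", "net_connect", "*:5190", "allow", "IM service port"),
    rule("aim.exe", "net_connect", "*", "deny", "IM client on a non-IM port"),
]

def generalise(op, target):
    """Turn one observed target into a profile pattern (assumed heuristic):
    file targets generalise to their directory, network targets to their port."""
    if op.startswith("file"):
        return target.rsplit("\\", 1)[0] + "\\*"
    if op.startswith("net"):
        return "*:" + target.rsplit(":", 1)[1]
    return target

def learn(observations):
    """StormFront-style: build per-application profiles from observed
    (app, op, target) triples. Only applications seen here become profiled."""
    profiles = defaultdict(set)
    for app, op, target in observations:
        profiles[app].add((op, generalise(op, target)))
    return dict(profiles)

def decide(app, op, target, profiles):
    """Return (action, reason). Hard rules first; then the learned profile for
    profiled apps (default deny); unprofiled apps are left alone (allow)."""
    for r in HARD_RULES:
        if r["app"] == app and r["op"] == op and fnmatchcase(target, r["target"]):
            return r["action"], r["why"]
    if app in profiles:
        for p_op, pattern in profiles[app]:
            if p_op == op and fnmatchcase(target, pattern):
                return "allow", "within learned profile"
        return "deny", "outside learned profile"
    return "allow", "no policy for this application"

# Constructed observations from a learning period on a web server.
OBSERVED = [
    ("inetinfo.exe", "file_read", r"C:\Inetpub\wwwroot\default.htm"),
    ("inetinfo.exe", "file_read", r"C:\Inetpub\wwwroot\images\logo.gif"),
    ("inetinfo.exe", "file_write", r"C:\WINNT\system32\LogFiles\W3SVC1\ex011018.log"),
    ("inetinfo.exe", "net_listen", "0.0.0.0:80"),
]

# Constructed operations to check against the resulting policy.
TRIALS = [
    ("inetinfo.exe", "file_read", r"C:\Inetpub\wwwroot\index.asp"),
    ("inetinfo.exe", "exec", r"C:\WINNT\system32\cmd.exe"),
    ("inetinfo.exe", "file_write", r"C:\Inetpub\scripts\root.exe"),
    ("outlook.exe", "exec", r"C:\Temp\readme.vbs"),
    ("aim.exe", "net_connect", "203.0.113.5:5190"),
    ("aim.exe", "net_connect", "203.0.113.5:443"),
    ("winword.exe", "file_write", r"C:\Docs\report.doc"),
]

def run_trials(observations=OBSERVED, trials=TRIALS):
    """Decisions for each trial, in order, under the learned policy."""
    profiles = learn(observations)
    return [decide(app, op, t, profiles)[0] for app, op, t in trials]

if __name__ == "__main__":
    for (app, op, target), action in zip(TRIALS, run_trials()):
        print(f"{action:5s} {app:13s} {op:11s} {target}")
```

Two things to notice. The web server writing an executable into its script directory is denied without any rule naming that act, purely because the learning period never saw it, which is what "zero update" protection against a mutated attack amounts to. And the IM client is a case of valid-but-undesired functionality: nothing is exploited when it connects out on 443, the policy simply refuses to let that application use that port.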

21
StormWatch Polymorphic NIMDA Demo
  • Ioannis Bonias
  • OKENA Development

22
Some Useful Reading
  • "Test Driving SATAN", Doty, in Internet Besieged,
    Denning and Denning, Addison-Wesley, 1998
  • Hacking Exposed, 2nd edition, Scambray et al.,
    McGraw-Hill, 2001
  • Normal Accidents, Perrow, Princeton, 1999
  • Fighting Computer Crime, Parker, Wiley, 1998
  • Secrets & Lies, Schneier, Wiley, 2000
  • Bugtraq: http://www.securityfocus.com/archive/1
  • Risks Digest: http://catless.ncl.ac.uk/Risks
  • OKENA: http://www.okena.com

23
Speaker's Contact Information
  • Ted Doty
  • 781-209-3214
  • ted@okena.com
  • www.okena.com