Security weapons to fight the next malware war

Behavioral analysis, app IDs, and data encryption will figure prominently in defending networks against future attacks

The shift from frontal assaults on enterprise networks to insider threats such as rootkits, Trojans, and bots signals big changes in IT security. Here are a few of the technologies that will play an important role in the years to come:

Strong authentication: From online banking to remote-worker VPN sessions, the days of the user name and password are numbered. Increasingly, organizations are turning to stronger, multi-factor solutions such as RSA SecurID tokens, smart cards, and biometric devices. Stronger authentication is also being driven by the U.S. government, in response to Homeland Security Presidential Directive 12, which mandates a governmentwide identification verification system for both physical and logical access. Smelling government largess, vendors of all stripes, including Cisco, RSA, and others, are now pushing out unified physical and logical access products.

Data encryption: No one needs to remind us that there’s lots of data stored on the laptops we carry wherever we go. Still, organizations such as the Department of Veterans Affairs, Ernst & Young, and others have been shocked to learn that sensitive data was allowed out unprotected. With stringent laws governing sensitive customer data, and 81 percent of companies in a recent Ponemon Institute poll saying they’d lost one or more laptops containing such data, enterprises are taking a hard look at data encryption technology. “How to protect data is a whole different story for organizations,” says Kerry Bailey, senior vice president of global services at Cybertrust. “There’s no perimeter. It’s like protecting the President — you’ve got to protect him where he goes.”

Application IDs: In the old days, there were a few thousand known computer threats. They kept computer security researchers busy developing unique signatures, so that anti-virus programs could spot each one should it try to infect a computer their product protected. These days, the job is a bit harder, with 200,000 pieces of malicious code officially logged — especially when 100,000 of those have appeared in just the past two years, after taking 18 years to reach the 100,000 mark, according to McAfee’s AVERT Labs. With so many new, rapidly morphing threats, some in the security community are thinking it might be smarter to just focus on the code you do want to run, rather than trying to filter out the stuff you don’t. Microsoft is looking closely at developing an application identity architecture for future versions of Windows. Application IDs will be cryptographic signatures based on an executable and its supporting files. Products from companies such as Bit9 already allow administrators to lock down desktops to all but approved applications — an increasingly attractive proposition for networks with click-happy users and besieged admins.
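To make the application-ID idea concrete, here is an added example (not code from the article, Microsoft, or Bit9) of the core check such a product performs: derive one cryptographic identity from an executable and its supporting files, enrol that identity in an allowlist, and refuse anything whose identity does not match. The file names, contents, and the manifest format (sorted relative paths paired with per-file SHA-256 digests) are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Set, Tuple


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def application_id(app_dir: Path) -> str:
    """Identity of an application = SHA-256 over a manifest of (relative path, file digest)
    for every file under app_dir, in sorted order. Any change to the executable or to a
    supporting file (library, config) changes the ID, and the ID does not depend on where
    the application is installed. Manifest format is an assumption made for this example."""
    manifest = hashlib.sha256()
    for path in sorted(p for p in app_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(app_dir).as_posix()
        manifest.update(f"{rel}\0{file_digest(path)}\n".encode())
    return manifest.hexdigest()


def is_approved(app_dir: Path, allowlist: Set[str]) -> bool:
    """Default-deny: run only what an administrator has explicitly enrolled."""
    return application_id(app_dir) in allowlist


def build_sample_app(root: Path, files: Dict[str, bytes]) -> Path:
    """Write a constructed fake application tree (not real binaries) under root."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


SAMPLE_FILES = {  # constructed contents; the MZ prefix only mimics a PE header
    "calc.exe": b"MZ\x90\x00 constructed fake executable",
    "lib/math.dll": b"MZ\x90\x00 constructed fake helper library",
    "calc.cfg": b"precision=10\n",
}


def demo() -> Tuple[bool, bool]:
    """Enrol an application, then tamper with one supporting file.
    Returns (approved before tampering, approved after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_sample_app(Path(tmp) / "calc", SAMPLE_FILES)
        allowlist = {application_id(app)}  # administrator enrols the known-good build
        before = is_approved(app, allowlist)
        # A trojaned helper library: the executable is untouched, but the ID still changes.
        (app / "lib" / "math.dll").write_bytes(b"MZ\x90\x00 trojaned helper library")
        after = is_approved(app, allowlist)
    return before, after


def id_is_location_independent() -> bool:
    """The same files installed in two different directories yield the same ID."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        id_a = application_id(build_sample_app(Path(a) / "prog", SAMPLE_FILES))
        id_b = application_id(build_sample_app(Path(b) / "other_place", SAMPLE_FILES))
    return id_a == id_b


if __name__ == "__main__":
    print("approved before/after tampering:", demo())
    print("ID independent of install path:", id_is_location_independent())
```

Hashing the supporting files alongside the executable is what separates this from a plain binary allowlist: swapping a library or configuration file that the approved program loads would otherwise slip past a check on the executable alone. A production system would also need a signed, tamper-evident allowlist and a plan for legitimate updates, which change every ID.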

Behavioral analysis: It’s a fact: Compromised enterprise systems are now a traded commodity in cybercrime circles. What does that mean? For one thing, it means attackers might not look or act much like attackers when they get on your network. In fact, the chances are they’ll look a lot like your employee, with a valid user name and password and not much noisy scanning or rooting about to betray them. For enterprise IT managers, that means being able to bring different tools to bear in spotting attacks that may move low and slow. Security companies across the board are moving beyond signatures, building security rules that are more flexible and rooted in an understanding of “typical” network behavior. That might mean taking note of discrepancies in the systems that are being used to access a network, spotting suspicious patterns of log-in failures, or noting attempts to reconnoiter network resources after successful log-in.
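The three behaviors the paragraph names (discrepancies in the systems used to access the network, suspicious patterns of log-in failures, and reconnaissance of resources after a successful log-in) can each be written as a rule over an authentication and file-access log. The following is an added example, not code from the article or from any vendor it mentions; the log format, the per-user device baseline, and the thresholds are all assumptions constructed for illustration, and the sample log lines are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample log (not real data): alice types her password wrong several times
# before getting in; bob logs in from a workstation he has never used, late at night,
# and then walks through several file shares in quick succession.
SAMPLE_LOG = [
    r"2006-11-02T09:01:05 LOGIN_FAIL user=alice src=10.1.4.22 host=WS-ALICE",
    r"2006-11-02T09:01:09 LOGIN_FAIL user=alice src=10.1.4.22 host=WS-ALICE",
    r"2006-11-02T09:01:14 LOGIN_FAIL user=alice src=10.1.4.22 host=WS-ALICE",
    r"2006-11-02T09:01:18 LOGIN_FAIL user=alice src=10.1.4.22 host=WS-ALICE",
    r"2006-11-02T09:01:25 LOGIN_OK user=alice src=10.1.4.22 host=WS-ALICE",
    r"2006-11-02T09:02:00 ACCESS user=alice res=\\fs1\projects",
    r"2006-11-02T09:30:00 LOGIN_OK user=bob src=10.1.4.23 host=WS-BOB",
    r"2006-11-02T09:31:00 ACCESS user=bob res=\\fs1\sales",
    r"2006-11-02T22:14:00 LOGIN_OK user=bob src=10.1.9.77 host=WS-TEMP17",
    r"2006-11-02T22:14:10 ACCESS user=bob res=\\fs1\finance",
    r"2006-11-02T22:14:12 ACCESS user=bob res=\\fs1\hr",
    r"2006-11-02T22:14:15 ACCESS user=bob res=\\fs1\legal",
    r"2006-11-02T22:14:20 ACCESS user=bob res=\\fs1\engineering",
]

# Assumed baseline of "typical" behavior: which workstations each user normally logs in from.
BASELINE: Dict[str, Set[str]] = {"alice": {"WS-ALICE"}, "bob": {"WS-BOB"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp, event type, key=value fields


def parse(lines: List[str]) -> List[dict]:
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines that do not fit the format
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append({"ts": datetime.fromisoformat(m.group(1)), "type": m.group(2), **fields})
    return events


def detect(events: List[dict], baseline: Dict[str, Set[str]],
           fail_threshold: int = 3, fail_window_s: int = 60,
           enum_threshold: int = 3, enum_window_s: int = 120) -> List[Tuple[str, str, datetime]]:
    """Apply three behavioral rules; returns (rule, user, time) alerts in log order."""
    alerts = []
    fails = defaultdict(list)      # user -> timestamps of failures not yet followed by success
    accesses = defaultdict(list)   # user -> (timestamp, resource) seen so far
    enum_fired: Set[str] = set()   # users already reported for enumeration
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["type"] == "LOGIN_FAIL":
            fails[user].append(e["ts"])
        elif e["type"] == "LOGIN_OK":
            # Rule 1: a burst of failures immediately followed by success (guessing pattern).
            recent = [t for t in fails[user] if e["ts"] - t <= timedelta(seconds=fail_window_s)]
            if len(recent) >= fail_threshold:
                alerts.append(("failures_then_success", user, e["ts"]))
            fails[user].clear()
            # Rule 2: a valid credential used from a system this user has never used before.
            if e.get("host") not in baseline.get(user, set()):
                alerts.append(("unfamiliar_device", user, e["ts"]))
        elif e["type"] == "ACCESS":
            # Rule 3: many distinct resources touched in a short window after log-in.
            accesses[user].append((e["ts"], e["res"]))
            distinct = {r for t, r in accesses[user]
                        if e["ts"] - t <= timedelta(seconds=enum_window_s)}
            if len(distinct) >= enum_threshold and user not in enum_fired:
                enum_fired.add(user)
                alerts.append(("post_login_enumeration", user, e["ts"]))
    return alerts


def run_sample() -> List[Tuple[str, str]]:
    """Run the rules over the constructed log; returns (rule, user) pairs."""
    return [(rule, user) for rule, user, _ in detect(parse(SAMPLE_LOG), BASELINE)]


if __name__ == "__main__":
    for rule, user in run_sample():
        print(f"{rule:24s} {user}")
```

None of the three rules needs a signature for any particular piece of malware: bob's session is flagged purely because a valid account is used in a way that account has not been used before. The same property is what makes such rules noisy, so the thresholds and the baseline of "normal" devices have to be tuned per environment, and alice's forgotten password would be reviewed rather than acted on automatically.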

Intelligence systems: Increasingly, stopping threats on your network requires an understanding of what’s going on in the Internet underworld, where new and novel exploits are discovered, sold, and launched with little fanfare, but devastating results. Security companies such as Trend Micro are already monitoring IRC channels where botnets are leased out and managed to try to get a step ahead of attackers, while companies such as RSA — now part of EMC — bet big on technology from Cyota that monitors the fast-moving phishing underworld. Going forward, intelligence about online threats is going to play an even bigger role in prevention, as companies move to Web-based applications that, by definition, get a free pass through network firewalls, according to Roger Thompson of Exploit Prevention Labs, a startup that monitors and prevents exploit code. Larger security firms, companies that manage large populations of systems such as ISPs, and managed security vendors are in the best position to benefit from that shift because they can spot threats earlier and respond to them, says Bruce Schneier, CTO of Counterpane. “The benefit of the network is that you can build an immune system and immediately inoculate against attacks.”