White paper
February 2010
By Tyson Macaulay
Security Liaison Officer, Bell
Introduction
In coming years, malware and resulting botnets will continue to present significant threats to online services, financial transactions and profits, privacy and compliance, industrial systems and safety, and to confidentiality, integrity and system availability. These threats cannot be sufficiently addressed by the legacy perimeter-based security designs that start at the enterprise edge and face inwards.
To effectively manage in today's cyber-threat landscape, organizations must proactively manage risks that lie beyond the network perimeter in order to protect information assets, ensure business continuity, support regulatory compliance, preserve reputation and brand, and manage market risk. This entails an approach that starts upstream at the carrier level.
This is not a new concept, but it is newly relevant. What is novel today is the realization that continued investment in legacy security designs has passed the point of diminishing returns. At the same time, security design that includes carrier-based upstream capabilities is an efficient, effective and needed evolution.
The purpose of this white paper is to provide a better understanding of the global threat landscape and provide insights into how upstream security should form an integral part of security and risk management posture. It provides an overview of:
- The global cyber security threat landscape and its impact on your organization
- The difference between traditional perimeter security and upstream security
- How carrier grade intelligence can help secure an enterprise
- What organizations can do now to reduce and manage risk
Today's threat landscape
The latest technical risks are largely related to the new breed of malware that is designed and distributed for reasons that range from criminal profit to state-sponsored spying or terrorism and sabotage. This highly sophisticated malware increasingly passes undetected through firewalls, intrusion detection services and anti-virus systems. In some cases these controls stop less than 20 percent of known viruses¹, and in all cases they are virtually impotent against new 'zero-day' vulnerabilities.
As a result, the problem has escalated to the board level, since these vulnerabilities can have an impact on such issues as compliance, liability, reputation and brand, cost of capital, and more directly than we imagine, profit and loss.
Vulnerabilities can compromise an organization's ability to comply with legislation relating to the protection of personal information and sensitive corporate data for example, leading to harsh and costly disciplinary measures. An attack on a network-based infrastructure can also compromise industrial controls or a facility management infrastructure (e.g. HVAC, fire systems, etc.).
Businesses can lose customers and revenues if they fail to properly protect information and network resources. Security deficiencies can also undermine consumer trust in self-service delivery vehicles, as well as affect an enterprise's stock ratings and/or financial performance.
Ultimately, the cost of not securing a network may well drive an enterprise out of business.
Traditional security passing the point of diminishing returns
Investments in security solutions are rapidly approaching the point of diminishing returns for many enterprises today. Studies show that spending on infrastructure security is expected to increase 10 percent annually between 2008 and 2012². While this indicates awareness of the need to invest in security, enterprises are at the same time finding it increasingly difficult and costly to address the escalating complexity of today's security infrastructures.
That is in large part because enterprise networks are quickly turning into a complex maze of security elements and services as managers continue to connect and maintain ad-hoc hardware and software solutions. Beyond the hardware and software investments, administration costs increase with each security device that is added to the network, and more human resources are required to maintain the status quo.
As technical threats evolve, therefore, management teams must consider new ways to counter risk and learn to think beyond the confines of internal risk management. An integral part of security strategies moving forward is the concept of upstream security. In fact, upstream security will soon be as much of a standard in security architecture as firewalls are now.
An efficient supplement to traditional security design: Upstream security, a proactive approach to cyber defence
Upstream security is a layer of carrier-identified threats, controls and safeguards available beyond the organizational perimeter, in the carrier network or 'open Internet'. Once considered a "no-man's land" in the security picture, upstream security resources can be leveraged to increase the efficiency and effectiveness of any enterprise security program.
Upstream security offers a variety of carrier-level services such as unique analysis capabilities that have traditionally been the exclusive realm of the largest telecom service providers. These services differ from traditional, signature-based security services because they proactively assess threats based on massively aggregated traffic patterns. These patterns in isolation would otherwise be considered benign when viewed at the device or even the enterprise level.
At the highest level, upstream security can be considered as two distinct service classes: proactive and reactive. The proactive service acts as a new layer for discovering threats and risks prior to reaching the enterprise perimeter. While proactive upstream security functions in a similar way to perimeter security technologies like firewalls and mail filters, it differs in that it lies within the service-provider network rather than on or within the enterprise perimeter.
Reactive upstream security is a response-driven security layer that intercedes in and mitigates ongoing attacks, reverse engineers threats, and performs forensic analyses and post-mortems. This type of upstream security is typically handled by the computer incident response team (CIRT). However, less sophisticated enterprises may simply apply ad hoc remedies at the time of an attack.
Following is an overview of how typical carrier network capabilities can be effectively used to create additional layers of security to face the ever-increasing variety and effectiveness of Internet-based threats.
Layered security – the old and the new
Before delving into the upstream security picture, it is first essential to understand the evolution of layered security. Layered security is a fundamental concept that involves the establishment of multiple layers of distinct security controls: for instance, perimeter firewalls backed by intrusion detection backed by anti-virus systems backed by access controls.
If the first (outermost) layer is breached, the threat agent is then immediately confronted by a new security layer that is independent of the compromised layer. This layered approach applies to both physical and logical (IT) security, and while commonly understood is not always employed.
Figure 1 shows a traditional implementation of layered security, and Table 1 describes how each element contributes to the defence of a network.
Figure 1: Typical layered enterprise security architecture

Table 1: Typical organizational security layers
| Layer | Function |
|---|---|
| Security router | Discards the most typical types of attack-packet, such as port sweeps and scans |
| Outer firewall | Protocol filtering of traffic |
| Inner firewall | Segregates DMZs (demilitarized zones) for public-facing network services such as SMTP (email) anti-virus and anti-spam services, DNS (domain name service), Web services, VPN services |
| Physically distinct firewall | Separates the DMZ devices from internal information servers to which the DMZ devices refer for database services |
| Proxy service | Secures and monitors outbound traffic from internal sources |
| Network access controls | Controls access for all devices seeking to physically connect to the internal network |
| Network IDS and IPS devices | Intrusion detection services (IDS) based on known malware signatures. Intrusion prevention services (IPS) based on anomaly detection. |
| Host-based anti-virus, firewall and IDS | Loaded on every desktop and computer server in the organization |
| User login and credentials services | Access control |
While this is effective to a point, it fails to bring the additional tools needed to deal with today's more sophisticated threat landscape, such as aggregated traffic pattern analysis and proactive threat assessment.
Upstream security can be used to apply an additional security layer deployed in the carrier network. Figure 2 shows an upstream security layer in relation to a traditional security architecture. The accompanying Table 2 summarizes the different carrier grade intelligence gathering capabilities and their deployment as proactive or reactive security controls.

Figure 2: Upstream security architecture
Table 2: Summary of upstream security elements
| Source | Summary | Proactive | Reactive |
|---|---|---|---|
| Traffic flow analysis | Analysis of national-level traffic patterns that reveal suspicious communications paths and data flows to malicious or compromised IPs and access network systems (ASNs) or rogue connections | X | X |
| Infrastructure drop lists | Router drop lists are applied to diverse ingress/egress points from alternate service providers | X | |
| DNS analysis | Domain name lookup statistics and logs reveal incongruous matches between IP addresses and domain names (pharming) and command and control communication paths | X | X |
| Messaging analysis | Spam and phishing attacks crossing or leaving the carrier network reveal IPs of compromised devices acting as spam relays and engines | X | X |
| P2P analysis | File sharing traffic indicates violations of enterprise acceptable use, data leakage, command and control communications | X | |
Figure 3 depicts the different information collection elements that make up carrier-identified threats and enable upstream security services.

Figure 3: Upstream security capabilities
Leveraging upstream security today
Upstream security is not a standalone solution. Rather, it is made up of a wide range of carrier-grade infrastructure elements that can be selected based on an organization's specific security policies and needs.
While upstream security can be implemented in a number of ways, here are four common examples:
- Botnet detection – uses traffic flow intelligence to mitigate the potential risk of infection
- DDOS (distributed denial of service) prevention – leverages traffic flow intelligence to detect DDOS attacks in their early stages and minimize their overall impact
- Unauthorized network connection management – uses message and DNS analysis to detect and prevent unauthorized and uncontrolled network connections
- Improved on-line authentication services – applies fourth-factor authentication for an added layer of protection from unauthorized access
Botnet detection with traffic flow intelligence
Botnets generated by malware are becoming alarmingly frequent because the communication paths can remain undetected for extended periods. Traffic flow analysis, as shown in Figure 4, can be applied with great effect as a mitigating control for zero-day malware compromises. The carrier network can detect devices that have been infected with new or unknown forms of malware, and issue alerts to enterprise response teams for follow-up on the internal network. The same intelligence can be replicated inside the enterprise network for blacklists inside IDS and IPS services in order to alert administrators if any internal devices attempt to communicate with the known bad or suspected IP addresses.

Figure 4: Botnet detection using traffic flow analysis
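The last step described above, replicating the carrier's intelligence inside the enterprise so that IDS/IPS blacklists alert on internal hosts talking to known-bad or suspected addresses, can be shown end to end. The following is an added example, not code from the white paper or from Bell: it parses a drop list in a plausible one-entry-per-line feed layout, matches NetFlow-style records against it (with CIDR prefixes and both IP versions), and groups the hits by internal source host so each host becomes one follow-up item for the response team. The feed, the flow records and every address in them are constructed sample data, not real indicators.

```python
"""Added example (not from the Bell white paper): replicating carrier-supplied
threat intelligence inside the enterprise, as the paper describes, by matching
internal flow records against a list of known-bad or suspected addresses and
reporting the internal hosts that contacted them. The feed, the flow records
and every address are constructed sample data, not real indicators."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample drop list in a plausible feed layout: one IP or CIDR
# prefix per line, '#' starts a comment.
CARRIER_DROP_LIST = """\
# constructed sample feed - not real indicators
198.51.100.23
203.0.113.0/24
2001:db8:bad::/48
"""

# Constructed NetFlow-style records exported from an internal collector.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,proto,bytes
10.0.5.14,198.51.100.23,6667,tcp,1820
10.0.5.14,192.0.2.10,443,tcp,40211
10.0.7.99,203.0.113.77,443,tcp,912
10.0.7.99,10.0.9.1,53,udp,120
10.0.8.3,2001:db8:bad::7,8080,tcp,3310
"""


def parse_drop_list(text):
    """Parse a feed into ip_network objects; single IPs become /32 or /128."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_flows(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def match_indicator(ip, nets):
    """Return the first drop-list prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def find_suspected_bots(flows, nets):
    """Group matches by internal source host: each key is a device the
    response team should follow up on, with the evidence that flagged it."""
    hits = defaultdict(list)
    for flow in flows:
        net = match_indicator(flow["dst_ip"], nets)
        if net is not None:
            hits[flow["src_ip"]].append({
                "dst_ip": flow["dst_ip"],
                "dst_port": int(flow["dst_port"]),
                "indicator": str(net),
            })
    return dict(hits)


def alert_lines(hits):
    """Render one alert line per suspected host for a ticket or SIEM feed."""
    return [
        f"ALERT host={src} matched={len(ev)} first_indicator={ev[0]['indicator']}"
        for src, ev in sorted(hits.items())
    ]


if __name__ == "__main__":
    nets = parse_drop_list(CARRIER_DROP_LIST)
    for line in alert_lines(find_suspected_bots(parse_flows(SAMPLE_FLOWS), nets)):
        print(line)
```

Matching on the destination side of internal flows is what turns a carrier-level observation into an enterprise-level alert: the carrier sees the suspicious path at national scale, and the same prefixes, applied to the internal collector's records, name the specific desktop or server behind the perimeter that needs attention.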
DDOS mitigation with traffic flow intelligence
DDOS attacks pit the combined force of potentially millions of compromised devices against an enterprise. Using traffic flow intelligence, a carrier network can detect a potential DDOS attack at its earliest stages. It can then route the traffic from the attack to “scrubbing centres”, while allowing legitimate traffic to be routed to its targeted host or domain. This is highly effective in ensuring that DDOS attacks are unable to converge on their targets or pose an immediate threat to the enterprise network.

Figure 5: DDOS mitigation using traffic flow analysis
Unapproved connection detection
Large organizations with many geographic locations can find it challenging to detect and prevent unauthorized and uncontrolled network connections. These network access points can present lethal backdoor threats to the enterprise as a whole, as illustrated in Figure 6 (refer to Table 3 for an explanation of the labels). Carrier networks can apply advanced analysis tools to monitor for messages from unauthorized IP addresses. DNS analysis can similarly reveal domain names that are resolving to unauthorized IP addresses.

Figure 6: Rogue connection detection using message and DNS analysis
Table 3: Rogue connection detection labels
| Label | Nature of unapproved/unofficial network connection |
|---|---|
| A | Line of business (LOB) programs and applications at HQ employ undesignated network connections for service delivery |
| B | Departments or offices employing undesignated network connections for service delivery, speed/redundancy and/or legacy reasons |
| C | Regional locations not on an enterprise WAN backbone and using undesignated connections for primary HQ interface and service delivery |
| D | LOB uses undesignated network connections for primary interface to the entire enterprise and for service delivery |
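The two carrier-side checks named above, messages sent from unauthorized IP addresses and enterprise domain names resolving to unauthorized IP addresses, reduce to the same test against the enterprise's designated address space. The following is an added example, not code from the white paper or from Bell, that applies that test to constructed messaging-analysis and DNS-analysis records and then collapses the findings to one entry per /24 so that each undesignated connection point (the kind Table 3 labels A to D) surfaces once with all its evidence. The enterprise domain, the approved prefixes and every log line are constructed sample data.

```python
"""Added example (not from the Bell white paper): detecting unapproved network
connections from two carrier-side observations the paper names, messages sent
from unauthorized IP addresses and domain names resolving to unauthorized IP
addresses, by checking both against the enterprise's approved address space.
The domain, approved prefixes, log lines and addresses are constructed sample
data."""
import ipaddress
import re

ENTERPRISE_DOMAIN = "example.com"  # constructed
# Constructed: the only egress prefixes the enterprise has designated.
APPROVED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",       # HQ Internet connection
    "198.51.100.0/25",    # enterprise WAN backbone egress
)]

# Constructed messaging-analysis records: time, source IP, envelope sender.
SAMPLE_MAIL_LOG = """\
2010-02-03T09:12:44Z 192.0.2.25 from=<billing@example.com>
2010-02-03T09:13:01Z 203.0.113.8 from=<lob-portal@example.com>
2010-02-03T09:13:30Z 198.51.100.40 from=<hr@example.com>
2010-02-03T09:14:02Z 203.0.113.9 from=<someone@other.example>
"""

# Constructed DNS-analysis records: query name, record type, answer.
SAMPLE_DNS_LOG = """\
www.example.com A 192.0.2.80
portal.region3.example.com A 203.0.113.50
vpn.example.com A 198.51.100.5
www.other.example A 203.0.113.60
"""

MAIL_RE = re.compile(r"^(\S+) (\S+) from=<([^>]*)>")
DNS_RE = re.compile(r"^(\S+) (A|AAAA) (\S+)$")


def is_approved(ip):
    """True when ip lies inside one of the designated enterprise prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in APPROVED_PREFIXES)


def in_enterprise_domain(name, domain=ENTERPRISE_DOMAIN):
    """True for the enterprise domain itself or any name beneath it."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def rogue_mail_sources(log):
    """Mail claiming an enterprise sender but leaving from an unapproved IP."""
    findings = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts, src_ip, sender = m.groups()
        if in_enterprise_domain(sender.rpartition("@")[2]) and not is_approved(src_ip):
            findings.append({"evidence": "mail", "ip": src_ip, "name": sender, "time": ts})
    return findings


def rogue_dns_answers(log):
    """Enterprise names resolving to unapproved IPs."""
    findings = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        qname, _rtype, answer = m.groups()
        if in_enterprise_domain(qname) and not is_approved(answer):
            findings.append({"evidence": "dns", "ip": answer, "name": qname})
    return findings


def group_by_site(findings):
    """Collapse findings to one entry per /24 (or /64 for IPv6) so each
    unapproved connection point appears once, with all the evidence behind it."""
    sites = {}
    for f in findings:
        addr = ipaddress.ip_address(f["ip"])
        plen = 24 if addr.version == 4 else 64
        key = str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
        sites.setdefault(key, []).append(f)
    return sites


if __name__ == "__main__":
    found = rogue_mail_sources(SAMPLE_MAIL_LOG) + rogue_dns_answers(SAMPLE_DNS_LOG)
    for site, evidence in group_by_site(found).items():
        print(site, [(e["evidence"], e["name"]) for e in evidence])
```

The grouping step matters in practice: a single undesignated connection at a regional office will usually produce both kinds of evidence (its mail leaves from that prefix and its services resolve into it), and reporting them together as one site is what lets the enterprise decide whether the connection should be brought under policy or removed.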
Fourth factor authentication
Online businesses are continually augmenting their online authentication technologies, but continue to be thwarted by sophisticated malware threats. Most employ a user ID plus a second factor, typically a password, a random-number token or biometrics.
This is not enough to counter newer threats such as zero-day malware and resulting botnets. These sophisticated attacks employ techniques that can capture multiple factors of authentication information. As a result, they have become adept at circumventing even three-factor authentication systems.
Carrier grade intelligence can apply fourth factor authentication, by aggregating information from drop lists, messaging analysis, traffic flow analysis and DNS logging in order to establish what a device has been doing (e.g. communicating with known bad IP addresses and access service networks). This additional authentication layer enables online businesses to reduce risk and enhance their authentication escalation decisions.

Figure 7: Fourth factor authentication for detecting device activity
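The aggregation described above, establishing what the connecting device's address has recently been doing according to drop lists, messaging analysis, traffic flow analysis and DNS logging, and feeding that into the authentication escalation decision, can be expressed as a small scoring step in the login path. The following is an added example, not code from the white paper or from Bell: the evidence store, the per-source weights, the seven-day lookback and the step-up and deny thresholds are all constructed assumptions rather than a Bell product or a published scheme. Each intelligence source counts once regardless of how often it fired, so a single noisy feed cannot by itself deny a user, while independent corroborating sources add up.

```python
"""Added example (not from the Bell white paper): a fourth-factor check in the
sense the paper describes, folding recent carrier-side observations about the
connecting device's address (drop-list membership, spam-relay reports, flows
to known-bad addresses, DNS anomalies) into an authentication escalation
decision. The evidence store, weights, lookback window and thresholds are
constructed assumptions, not a Bell product or a published scoring scheme."""
from datetime import datetime, timedelta, timezone

LOOKBACK = timedelta(days=7)  # assumed: older observations are ignored
WEIGHTS = {  # assumed relative severities of each intelligence source
    "drop_list": 60,    # address is on a carrier router drop list
    "c2_flow": 50,      # traffic flow analysis saw contact with known-bad IPs
    "spam_relay": 40,   # messaging analysis saw it relaying spam or phishing
    "dns_anomaly": 25,  # DNS analysis saw pharming-style resolution
}
STEP_UP_AT, DENY_AT = 40, 90  # assumed: scores that trigger each action


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed evidence store: address -> (observation time, source) pairs
EVIDENCE = {
    "203.0.113.77": [(utc(2010, 2, 2, 14, 0), "c2_flow"),
                     (utc(2010, 2, 3, 8, 30), "spam_relay"),
                     (utc(2010, 2, 3, 8, 45), "spam_relay")],
    "198.51.100.120": [(utc(2010, 2, 1, 6, 0), "spam_relay")],
    "198.51.100.9": [(utc(2009, 12, 1, 0, 0), "drop_list")],  # stale, outside window
    "192.0.2.44": [(utc(2010, 2, 3, 9, 0), "dns_anomaly")],
}


def recent_sources(ip, now, evidence=EVIDENCE, lookback=LOOKBACK):
    """Distinct intelligence sources that reported ip within the window."""
    cutoff = now - lookback
    return sorted({src for ts, src in evidence.get(ip, []) if ts >= cutoff})


def device_risk(ip, now, evidence=EVIDENCE):
    """Return (score, decision, reasons) for the address presenting a login.
    Each source counts once however often it fired, so one noisy feed cannot
    by itself reach the deny line, while corroborating sources add up."""
    reasons = recent_sources(ip, now, evidence)
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= DENY_AT:
        decision = "deny"
    elif score >= STEP_UP_AT:
        decision = "step_up"
    else:
        decision = "allow"
    return score, decision, reasons


if __name__ == "__main__":
    now = utc(2010, 2, 3, 12, 0)
    for ip in ("203.0.113.77", "198.51.100.120", "198.51.100.9", "192.0.2.44"):
        print(ip, device_risk(ip, now))
```

Returning the reasons alongside the decision is deliberate: a step-up or deny that the fraud or response team cannot explain to the customer, or correlate with the carrier alert that caused it, is hard to tune and hard to trust.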
One-time versus managed upstream services
As a leader in upstream security, Bell has developed a wide selection of upstream security and carrier threat intelligence capabilities for enterprise operations. These can be provided as one time professional services engagements for in-house deployments, or as a managed service, including around-the-clock monitoring and analysis. Our upstream security capabilities complement a full range of security services, including incident response, vulnerability assessments, security planning and audits, among others.
Conclusion
Upstream security offers the potential to increase the security and assurance of organizations, while reducing operational costs. The resource demands associated with internal security infrastructure under siege can be controlled and reduced, since the flow of illicit data can be stopped before it reaches organizational systems. As a result, organizations can allocate more resources to other priority areas and reduce overall risk.
How Bell can help
Bell is a leader in security research and solution implementation. We have an extensive security offering which includes professional services, managed services as well as strategic industry partnerships for product deployment.
As a carrier, we have a unique capability to proactively detect threats before they reach your network perimeter, enabling the evolution of a new security layer that is proactive and intuitive. Having assisted some of Canada's largest organizations within the public and private sectors with security and risk management implementations of all sizes, we bring unparalleled expertise and experience to the market.
With more than 300 experienced and accredited security professionals, having an average of 17 years' experience, Bell has one of the largest security practices in Canada.
If you are considering a more proactive security defence mechanism to combat the evolving cyber threat landscape, Bell can provide an alternative to traditional network perimeter defence solutions to ensure your organization, infrastructure and data are secure from malicious activity. We can provide a clear picture of the business benefits and anticipated results of this service. To that end, we can make use of our proven methodology to develop an effective proactive security strategy specific to your business.
For more information visit bell.ca/enterprise, or request to be contacted by a Bell representative at bell.ca/contact-me.
About the author
Tyson Macaulay is a Security Liaison Officer for Bell. In this role, he is responsible for technical and operational risk management solutions for Bell's largest enterprise clients. Tyson also supports the development of engineering and security standards through the Professional Engineers of Ontario and the International Standards Organization (ISO) SC 27 committee.