Pakhnyushchyy - Fotolia
Published: 01 Aug 2014
It's 3 a.m. The network authenticates the credentials of an employee who typically works 9 to 5. The user transfers data from a folder containing payroll files with employees' bank account numbers.
Has your network just been hacked?
Based on the log data, your legacy network security system sees no reason to sound an alarm. The credentials were legitimate and there was no evidence of brute force. No activity matched any known attack signatures.
But what your system didn't know is the credentials assigned to this user belong to an employee in the marketing department, and while the user shouldn't have access to payroll files -- let alone the ability to transfer them -- this person somehow got into them. This user also typically accesses the network using a device with a different MAC address, and the IP address attached to this transaction came from the Philippines -- not the U.S. city where this employee works.
In the era of advanced persistent threats (APTs) and other targeted attacks, a network security strategy that doesn't adapt its policies according to this kind of information about identity, behavior, applications, devices and data has holes in its defense.
Welcome to security nirvana: context-aware security. It's a concept that embodies those functions, and while it was buzzword fodder not too long ago, context-aware security is now a reality. Most network security vendors ship products using some form of it. Yet as the need for greater context grows and the technology to enable it marches forward, efforts to implement a context-based approach often stall due to operational challenges.
Enterprises need a more adaptive and context-aware approach to network security, but many haven't done the legwork around identity access management and asset management that such an approach would need to succeed, says Michele Chubirka, a security architect and engineer for a large nonprofit.
"If you're going to do context-aware security … those are the sprinkles on the doughnut. If you don't have a doughnut, why are you looking at the sprinkles?" says Chubirka, also a well-known blogger who goes by the alias Mrs. Y. "I think the concept is really good. But the problem with context-aware security is that in implementation -- in practice -- it usually falls short."
Next-generation firewalls and intrusion detection systems (IDSes) typically "do meet the spirit of what's been defined as context-aware security," but the reality is that manually creating such granular policies is still too labor intensive for many enterprises, according to Mike Rothman, president and principal analyst at Securosis, an independent information security research firm.
"Have the vendors met the need? Well, that's tough to say," he says. "I think the products do what they're supposed to do. Obviously, there's always [a path to] maturity, and they're still a reasonably new type of product, so there are always going to be some warts. But I think more of the constraint tends to be on the customer's ability to actually implement and maintain that kind of granular policy on an ongoing basis."
But while context-aware security is far from perfect, many also contend it's essential to protect networks today.
"The threats are very dynamic. They are targeting applications, but they're also targeting the end user," says Paul Carugati, senior manager of information security solutions at Motorola Solutions, where he uses a context-based approach to run the company's cyberdefense program. "I need to have an understanding of who the user is, where they're coming in from, where they're trying to go and what application they're using."
Traditional approaches to network security haven't kept up with the need for such analysis, Rothman says.
"I think the idea [of contextual awareness] remains strong and very effective because just having a generic set of network security policies isn't overly helpful," he says. "You've got a lot of complicated factors that make the old ways we used to do network security -- whether it's looking for signatures on your IDS or IPS, or trying to enforce access control using ports and protocols -- not really sufficient for what we need to do today to [combat] the kind of adversaries we're dealing with."
Neil MacDonald, a vice president and distinguished analyst at Gartner, says this is where a context-based approach shines.
"The more advanced, targeted attacks are really, really hard to detect. We don't have a signature, or we don't have a rule to block them, so therefore the only way to find them is by identifying anomalous behavior," MacDonald says. "Context helps you separate the signal from the noise."
Context is not a product
Skeptics view context-aware security as a gussied-up version of network access control or unified threat management, while others consider it an outgrowth of security information management (SIM). But there is one thing everyone agrees on: True context-aware security is not a product.
"You don't buy context," MacDonald says. "It's a feature that makes security products better."
Despite having no standard definition of context-aware security, the industry generally agrees on this: It's a mechanism for applying granular, dynamic security policies based on a real-time analysis of supplemental information about identity, location, behavior, applications, devices, data and more. There are internal sources of context, like information about a user's location and role, as well as external sources, which may include the reputation of a website the user is trying to reach. Those contextual factors are assessed based on their relationship to a baseline of normal or acceptable use.
"Context is really what you strive for in order to build intelligence. Otherwise, it's really a random set of data points," says Scott Gainey, vice president of product marketing and programs at firewall vendor Palo Alto Networks.
But it is worth noting, Chubirka contends, that hackers can spoof many of the identifiers used for obtaining context, including IP addresses, MAC addresses or user-agent strings. Acknowledging this is true, another expert counters that context is also not a zero-sum game.
"You can spoof IP addresses and do something with geolocation. I mean, you can spoof time of day. But what we're trying to do is come up with a series of factors so that we can take four, five, six or seven factors … and compare them to the importance of the transaction," says Frank Dickson, industry principal of network security research at Frost & Sullivan. "It's not perfect, but we're trying to use these as a ‘basket' [of context] to improve security overall."
Connecting the dots
Someone logging in at night and transferring a large file might not represent an anomaly -- unless it's known that the file contains sensitive data and the user shouldn't have access to it.
"These are all of the different points on the connect-the-dots page. I need all of these dots together to help me starting painting the picture," Carugati says. "One or two of these dots isn't going to give me enough information to be able to take a step back and see what the [big] picture looks like. That's how I view contextual awareness aiding the fight in both the short-term and long-term approach to enterprise security management."
Plotting out those "dots" is where technology comes in. To enhance the sources of external context they provide, several vendors recently partnered to expand their intelligence marketplaces, which provide subscription services with updates on the latest threats, says Gartner's MacDonald.
"Most of them integrated with these third-party reputation feeds for things like command and control and known bad IP addresses, but there was no standard for the exchange of context, so they tended to be proprietary," he says. "Most vendors are now talking about ecosystems, so you don't have to depend solely on the vendor for this type of information."
Last fall, Check Point announced its ThreatCloud IntelliStore ecosystem, naming several independent partners. Palo Alto and Fortinet co-founded cyberconsortium.org, which the companies hope to develop into a broader ecosystem of vendors sharing threat intelligence.
To mine sources of internal context, Cisco Systems' Identity Services Engine (ISE), a network security policy management and control platform, can pull in contextual data from Active Directory and third-party mobile device management platforms. It pushes that information to other security appliances or network devices via a framework called pxGrid, says Scott Harrell, vice president of product management for Cisco's security product line.
"It allows you to have a context directory on your network that all your other devices can consume from, rather than having to connect every single one of these devices to all of those different pieces of context," he says.
Context doesn't come easy
But here lies the problem: Few organizations have environments like Active Directory or LDAP trees built out enough to take advantage of such approaches, Chubirka says.
"Don't get me wrong; I want to see it. I want to see [software-defined networking] dynamically shift the network based on an attack scenario," she says. "I hate to be all skeptical about it, but I think that the problems in security are not going to be solved by a buzzword. It's not going to be solved by some product. It's rolling up your sleeves and, first of all, organizations doing the rather unsexy work of user and data classification, of building good and solid best practices, and making sure you have the documentation and architecture."
Even among enterprises that have done this, not many network security teams are equipped to handle "the complexity of the care and feeding that's involved in really keeping those policies up to date" in a context-based system, says Securosis' Rothman.
"You actually have to have the real context at that very moment, and that's a dynamic thing," he says. "You can build a scenario where you're always kind of behind in developing and implementing those policies because business is changing faster than you can evolve your policies."
That's not to say it can't be done. Carugati has a context-based security strategy at Motorola Solutions, using a combination of homegrown technology and Palo Alto's application-aware firewalls, as well as several of its security subscription services. Contextual intelligence has helped him catch several attacks as they happened and identify others post infection.
"Either the user's application is outside of their current scope or standard behavior pattern, or their location data -- where they're coming from -- is outside of their standard pattern," he says.
But Carugati also acknowledges those interventions depend on granular directories and policies.
"We have a very, very robust and detailed data classification policy and schema," he says. "We do have a user-classification policy as well. It's not built out as well as I would like it, but it definitely addresses the [goal] of understanding the role that the users play so that you can understand behaviors that they should take and to help you make an informed decision."
Until vendors are able to better automate that process, enterprises that don't have these things in place should proceed with caution, according to Rothman.
"If you have a hard time with typical, traditional ports and protocols policies, you're going to have a really hard time with application policies or anything based upon identity," he says. "Without a pretty mature program and the ability to not just define and implement but also maintain and tune those policies over time, you're setting yourself up for failure."