Learn Here, Protect There

Transcription

1 Predictive protection through global threat intelligence

2 Table of Contents Introduction 3 The Cyberthreat Landscape 4 The Research and Response Landscape 4 Inside Predictive Protection: Global Threat Intelligence 5 One: Millions of sensors throughout the internet 5 Two: Content analysis across all threat vectors 6 Three: Integrated reputation-based intelligence 6 Four: Real-time threat collection and distribution 7 Five: Complete suite of endpoint and network protections 7 Six: Global threat research team dedicated to global threat intelligence 8 An Operational Payoff 8 Conclusion 8 Predictive protection from McAfee 9 About McAfee, Inc. 9

3 Introduction According to IDC, improved IT security ranked as the number two IT priority for One justification is the drastically altered threat landscape: threat volumes increased by 500% in Within this barrage, cybercriminals now layer techniques and use multiple entry points to increase their chances of success. This sophistication has made cybercrime a significant risk for enterprises and consumers. In the Unsecured Economies survey, interviewed companies estimated that they had lost an average of $4.6 million worth of intellectual property in In June 2009, Consumer Reports estimated cybercrime accounted for $8 billion in consumer losses. 4 Cybercrime has evolved and matured very quickly, typically much more quickly than enterprise security architectures. With the incredible profit opportunity they see, criminals have also outpaced the research and response capacities of some security vendors. Too many organizations still react to new threats after they have done damage, rather than using modern technology and global reach to predict the risk and preempt it. It is the difference between planning for the entire day by gauging the weather through the front window, or by looking at a weather forecast based on satellite data correlated with a global, predictive view. The former, reactive approach is easy, but risky. It is predicated on what you already see, short term, and not what could be. The weather may start out fair, but you may find you are soaked by mid-day. The predictive approach takes a bit more effort, but dramatically lowers risk. It is a true forecast: what the threat is now and what it will be shortly. In this paper, we define six principles that characterize a rigorous, predictive approach to mitigating cyberthreats. These principles define a new standard called global threat intelligence that will allow IT teams to benchmark the research and protection offered by security vendors. As cyberthreats escalate, global threat intelligence should become the minimum standard for effective research and response and the centerpiece of an optimized security architecture. It should be a core requirement of any security product. 3,000, M (projected) Over 1,500,000 malware detections identified in 2008, up from 272,000 in ,400, percent of malware is obfuscated with packers and compression technologies 375 percent growth in password stealers and 20 percent growth in vulnerabilities Number of Threats 1,800,000 1,200, M 600, , , Figure 1: Cybercrime techniques like one-time use and encryption require security vendors to implement predictive protection. 1. Top 10 IT Spending Priorities, IDC, McAfee Labs htm?loginmethod=auto. 3

4 The Cyberthreat Landscape Cybercrime is rampant. Every website and networked computer is vulnerable, nine out of ten messages should be blocked, and any type of content that a user may want to access including videos, blogs, datasheets, or annual reports presents an opportunity for malware distributors. Each new day brings new, more ingenious malware. Developers combine web, host, and network vulnerabilities with spam, rootkits, spyware, and worms, wrapped with current events to keep content interesting. Micro-variations and one-time usage (polymorphism) keep malware ahead of many security defenses and most researchers. Why do cybercriminals now make threats so complex? In order to circumvent defenses that react to known threats and simple patterns. By combining multiple threat vectors and types of malicious content, malware has a better ability to stay unknown for a longer period, hiding off mainstream research radar. Cross-fertilization of rich data and real-time analysis allow predictive solutions to go beyond observed behavior to determine likely intent. Consider Conficker. This worm propagated over the network in multiple ways at the same time: through a Microsoft vulnerability, through , by accessing unique web domains, by using a peer-to-peer protocol, and by entering the endpoint through USB devices. It used multiple software languages, open source code, 250 subroutines, and time delays to create a multi-dimensional attack. Its January 2009 success nine million infections in four days demonstrates that the more threat vectors and techniques a threat can incorporate, the more likely it is to succeed. These complex threats are why McAfee reminds customers that signature-based anti-virus remains critical, but is no longer sufficient. Systems that avoided infection by Conficker used both host intrusion prevention and behavioral anti-virus. The Research and Response Landscape To implement effective protection against these threats, it helps to understand security research and response options today. The industry is evolving, moving from reactive protection through proactive protection to predictive protection. We can look at signature-based protections as an example. A variety of security products anti-virus, anti-malware, intrusion prevention systems, and outbound web use signatures to identify threats and trigger appropriate responses, such as block, quarantine, or allow. A reactive signature-based product waits until the vendor receives a sample of malicious content, evaluates that sample, and then publishes a signature to its users. Until the users receive the updated signature, known as threat intelligence, these users remain vulnerable. A proactive solution goes beyond content analysis to consider reputation. It can infer the potential risk of a piece of content based on experience with an associated IP address, a domain, or a spam score. Proactive solutions can act against malicious code without the delay of waiting for a formal sample and signature. In many ways, they determine guilt by association. These users have protection against unknown threats, reducing vulnerability. Predictive anti-virus solutions build on these techniques, but step them up an order of magnitude, moving from traditional threat intelligence to global threat intelligence. Predictive protections use millions of deployed products and sensors around the world to capture more types of data, more quickly, in real-time, with a wider view. For instance, through global sensors they can note the prevalence of a new behavior and its propagation pattern and pace as it progresses through different countries, types of users, or delivery mechanisms. In addition to considering more data inputs, predictive protection performs more analysis. It analyzes content and reputation within threat vectors and also correlates data points across threat vectors. For example, instead of stopping with separate analysis in separate areas such as , web, and host intrusion prevention, predictive solutions can learn from events and behaviors in each of these areas, aggregating reference points for a more complete, global perspective. 4

5 This cross-fertilization of rich data and analysis allows predictive solutions to go beyond observed behavior to determine likely intent. It helps them catch or predict new activities earlier and more successfully, further shrinking the risk burden each user carries. Signature-based protections are one example of the move from reactive to predictive, but not the only one. We see similar evolutions in the fields of outbound web security, spam detection, and the ability to determine the intent of an IP connection. We expect the need for predictive security to accelerate. Multi-vector threats like Conficker demonstrate that predictive protection is the new minimum standard for effective protection. Inside Predictive Protection: Global Threat Intelligence Since every responsible security vendor will be attempting to move to predictive protection, how can you recognize when your vendor is good enough? We have outlined six principles that provide a benchmark. Rather than qualitative concepts, they focus on something quantifiable: the global threat intelligence that enables multi-vector, real-time, predictive protection. Global threat intelligence can be evaluated against these six attributes: Does its data collection footprint span the entire Internet, including millions of sensors already in place gathering real-time threat information? Does its data collection and content analysis cross all key threat vectors, including malware, outbound web, , network security, and website vulnerabilities? Does it integrate and deliver reputation-based analysis? Does it include real-time in-the-cloud threat collection and real-time distribution of threat data to its security products? Does it deliver its threat intelligence across multiple endpoint and network security products? Is its threat intelligence produced by a team dedicated to global threat intelligence? Global threat intelligence relies on all six of these attributes, since they enable one another by providing sufficient scale and scope. Their importance and inter-dependence become clear as we look at detailed examples. One: Millions of sensors throughout the internet A global footprint means a provider can see what is happening across the entire Internet: not just in pockets, a single geography, or a limited set of languages. Global threat intelligence at McAfee correlates millions of data points across threat vectors: 200,000 zombies identified per day Billions of spam messages processed 100 sources monitored for vulnerability information 50,000 samples of malware processed daily 10 million IPS alerts monitored or analyzed Ratings of over 30 million sites in 96 categories Content enters the Internet from transit points around the world. Early detection makes it critical to be as close to all of these entry points as possible. Successful coverage translates to a truly global perspective that can stand up to global systems like spam and website compromises. Spam command-and-control operations use an international infrastructure. By taking control of systems in rapidly developing countries, criminals have replaced centralized spam centers with distributed producers and zombies. Zombie networks, or botnets, are exploding. In the first quarter of 2009, McAfee detected more than 12 million new zombies, with high growth in areas such as South Korea, Brazil, and Romania McAfee Threats Report: First Quarter 2009, p. 5. 5

6 Web 2.0 vulnerabilities provide rich soil for exploits. In February of 2009, McAfee detected a Gumblar/ Obfuscated Script.f worm, which, over the course of several months, had compromised tens of thousands of websites, inserting web page links to polymorphic (one-time use) malware. The links were constantly changing, with new domains registered on a daily basis for the purposes of hosting malware. McAfee Global Threat Intelligence used advanced data mining algorithms to predict and block access to over 80 percent of the most common domain registrations associated with the Gumblar cybercrime network before criminals could put those domains to use. Two: Content analysis across all threat vectors The second attribute of global threat intelligence requires extensive content analysis across the primary threat vectors, to mirror the multi-dimensional nature of today s threats. For example, an inbound phishing with an embedded malicious file could provide valuable knowledge to outbound web and anti-malware detection. Going farther, think about patching delays on Patch Tuesdays. What if your host intrusion prevention could protect you against a new Microsoft vulnerability? It does if it is educated by an anti-virus system that detects malware exploiting the vulnerability in question. McAfee Customers Malware Research Vulnerability Research Web Security Research GLOBAL THREAT INTELLIGENCE Security Research Regulatory Compliance Research Global Threat Intelligence Network Security Research Figure 2: Through collaboration, McAfee researchers cover the full landscape of threats. Three: Integrated reputation-based intelligence In addition to rich content analysis, reputation-based analysis and response should be mandatory today. Reactive threat intelligence often relies on a blacklist or white list approach, where samples are known good or known bad. Reputation adds a probabilistic score that precisely, numerically, and in real time specifies the ever-changing risk posed by an Internet identity, for example, a website, an IP address, or a file. With this reputation score, products can enforce policy decisions instantly, based on subtleties more refined than known good and known bad. Since reputation is perpetually changing, it helps content assessments keep pace with threats. Figure 3 shows how integrated content and reputation analysis worked in the field on March 16, 2009, during the bomb storm mass spam. A McAfee user received an that included a URL. The came from an IP address with no reputation for spam. The gateway cleared the unknown, seemingly innocent . However, when the user clicked the URL and went to a video feed with malicious content, the web gateway blocked that content. Intermingled and web content is common today; that is why you need both and web protections. What is new is the next step, where global threat intelligence activates. After the web gateway blocked the content, the event s data URL, IP address, and payload was transmitted to 6

7 McAfee. Then, almost instantly, new threat intelligence went out to McAfee customer sites to update the relevant and web protections. The reputation of the IP address went up to higher risk. In this example, web content analysis protected the customer initially. The captured data then benefitted both content and reputation-based defenses at other customer sites, an example of learn here and protect there. 1 User receives with a short message and a URL, from an IP address with no reputation for SPAM Internet McAfee Gateway TrustedSource Artemis 2 User clicks on link and goes to a fake Reuters video feed web page with malicious content Internet 5 Real-time feeds update and web gateways; Artemis protects the endpoint in real-time GLOBAL THREAT 3 The content coming back is malware, and is blocked at the gateway 4 The URL, IP, and the payload all captured from an event is sent to McAfee Labs INTELLIGENCE TrustedSource McAfee Web Gateway Figure 3: Applying both content and reputation analysis allows McAfee to detect faster and protect better. Four: Real-time threat collection and distribution Figure 3 also demonstrates the importance of the fourth characteristic of global threat intelligence: constant in-the-cloud collection of threat data and non-stop distribution of threat intelligence. Very quickly, the unknown spam message and unknown URL became known malicious entities. McAfee customers received protection before most knew there was a problem. Time-based propagation data where, how many, how quickly is an important tool for analysis, since it provides context for determining intent and inferring the level of risk. Real-time distribution in-the-cloud provides important protection for mobile and remote users. These users access corporate resources from laptops, kiosks, and smartphones and operate outside the secure cocoon of enterprise networks. In-the-cloud updates ensure the same global threat intelligence that goes out to other endpoint and network products can reach and protect them while they are traveling or at home. Five: Complete suite of endpoint and network protections Just as reactive signature-based approaches are not enough protection anymore, a single layer of protection does not suffice, either. Because multi-dimensional threats target several vectors at the same time, global threat intelligence needs to be able to parry attacks at multiple vectors at the same time. Best practice dictates these should include both endpoint and network protections. Even if your vendor achieves global threat intelligence, if this insight only benefits a single product, you remain overly exposed. Multiple touch points must update simultaneously to counter multi-pronged threats. As evidence, we can return to Conficker. The Conficker worm propagated across networks and at endpoints through multiple protocols and devices. When the threat of a new Conficker infection loomed April 1, 2009, McAfee was ready to protect customers with global threat intelligence that could act on the endpoint and the network in ten different products: network-based web, , and intrusion prevention systems; endpoint-based anti-malware, intrusion prevention, McAfee SiteAdvisor, and antispam; and agent-based and agentless vulnerability management solutions. Because of these multiple 7

8 touch points, McAfee customers with multiple products could feel more confident that they had a low risk of exposure, despite the many infection paths. In addition, if a Conficker event had occurred on April 1, one of the products above would have sensed it and immediately alerted the defenses of the other products through global threat intelligence. Six: Global threat research team dedicated to global threat intelligence So far, we have emphasized the technologies inside global threat intelligence. The final requirement covers the people: their physical distribution and focus. Global distribution enables non-stop analysis with researchers in the same time zones as the distributed entry points used by threats. It enables real-time, 24x7 coverage, as well as the cultural understanding that is pivotal to success with social engineering, phishing, and other threats that take advantage of language and cultural diversity. The other consideration is research focus. Global threat intelligence is a full-time job. Global threat intelligence is often as important, or more important, than the product that it enables. It requires persistence and dedication to stay on top of the rapid advances in technologies and techniques. Ask your vendor how many of their researchers focus exclusively on delivering global threat intelligence separate from those developing products or supporting them. McAfee, for example, has over 350 researchers across 30 countries, collectively working every minute of every day and dedicated to the delivery of global threat intelligence. That resource investment is completely separate from our product development engineers, sales engineers, or field consultants. An Operational Payoff Together, these six principles enable predictive protection. They apply the most complete data sources and allow correlated analysis to help you minimize your risk. Each time a threat is blocked without manual intervention, you save money, too. Incident avoidance may offer the greatest cost savings. If global threat intelligence protects your infrastructure, you can safely allow access to advanced web applications and social networking sites without fear of expensive cleanup, downtime, and data theft. Real-time protection also reduces the need for emergency updates and unscheduled patches. Global threat intelligence will fend off malware between scheduled signature updates and block exploits that target specific vulnerabilities. This dynamic intervention lets you calmly test and roll out patches on your schedule. As your users become more mobile and distributed, this sort of hands-free inspection and protection will only increase in value. Home users and those in small offices seldom adhere to maintenance policies and often lack the extra protection of gateway defenses. Global threat intelligence will help you protect these users without their action or yours. Finally, global threat intelligence will enable your business to adopt new technologies and ideas with more confidence. For example, despite the risks in Web 2.0, business units and users want it. It is exciting, interactive, and constantly changing, and agile businesses are employing its applications and content to create market-changing products and services. If you have global threat intelligence about the reputation, malicious content, and intent of Web 2.0 sites, you can let your users access this material and pursue new opportunities without unacceptable risk. Conclusion Following the sun around the globe, cybercriminals deliver complex, constantly morphing threats that outpace the limited resources of reactive protections. Global threat intelligence will help you keep pace. Instead of waiting for confirmed samples, it infers risk by correlating multiple factors, real-time, from millions of sensors and multiple threat vectors. Through the aggregation of these many inputs, it can predict the intent and likely risk of a potential threat or code sample, as well as see trends that foreshadow the future. 8

9 As you consider your security needs and the incident response and management costs you face, consider the impact of global threat intelligence. Global threat intelligence lets each product learn from other installations at other sites around the world. Learn here, protect there offers the most accurate, timely protection and the lowest levels of risk. When you assess your defenses, apply our six principles to see if your vendors measure up to the new standard of global threat intelligence. Predictive protection from McAfee McAfee has invested heavily in each of the six requirements of global threat intelligence. Well over 100 million sensors send multiple inputs each day to our research infrastructure in 30 countries around the world. Our threat research infrastructure covers all the major threat vectors, analyzing both content and reputation based on real-time threat collection. In milliseconds, we can assess changes, assign risk levels, and distribute protection recommendations to products covering every threat at every tier. And we keep pushing our understanding and tools through a relentless, exclusive focus on security. Multi-dimensional threats count on the coverage gaps of point solutions. McAfee is closing these gaps by connecting all of our products and cloud-based services to McAfee Global Threat Intelligence. We are protecting customers with global threat intelligence today, and building it into every product and service we create. Every product serves as a data collector to inform our analysis. Every product becomes a beneficiary through our real-time response technologies. Since our portfolio interlocks endpoint, network, and cloud-based solutions, we can protect you where the threats are striking, before they strike. As you protect more threat vectors and infrastructure tiers with McAfee products, you move to an optimized security architecture. In addition to the security benefits and cost savings of global threat intelligence, you benefit from the efficiency and agility of a unified security and compliance management platform. Learn more about global threat intelligence and McAfee at About McAfee, Inc. McAfee, Inc., headquartered in Santa Clara, California, is the world s largest dedicated security technology company. McAfee is relentlessly committed to tackling the world s toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee, Inc Freedom Circle Santa Clara, CA McAfee and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the U.S. and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-mcafee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners McAfee, Inc. All rights reserved. 6581wp_global-threat-intelligence_0709_ETMG