Guard Against Weaknesses, Not Just Attacks

Security vendors have spent the past year or so pushing users and companies to adopt proactive security by moving from intrusion detection systems (IDS) to intrusion prevention systems (IPS). But what does "proactive" actually mean?

According to Robert Graham, chief scientist at Internet Security Systems (ISS), "protecting against exploits is reactive, while protecting against vulnerabilities is proactive."

This is because protecting against exploits depends on the exploit having already been observed, after which a signature file is written for it.

But protecting against vulnerabilities means actively looking for vulnerabilities in a system, and then coming up with a vulnerability signature (or a "virtual patch") to temporarily prevent hackers or malware from exploiting the vulnerability.

Graham said that ISS does this by having a research and development arm called the X-Force, which has a staff strength of around 200.

X-Force looks at currently announced vulnerabilities, searches for new ones in systems, and then produces the signature files that block known and unknown exploits from leveraging those vulnerabilities.

And he is extremely proud that ISS discovered new threats, such as CodeRed, Nimda, Slammer, Blaster and Sasser, before the hackers did.

This is done, said Graham, by protocol analysis, which differs from pattern matching in that it models all traffic as a protocol, whereas pattern matching only looks for specific strings in the malware code.

"A protocol is a data structure or format of the network traffic, and because we know what the structure is supposed to be like, any abnormalities in the structure can be detected and prevented," explained Graham. "So if we know that a buffer is only supposed to contain 96 bytes, and along comes something that contains 1012 bytes, we will red-flag and block it."
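As an added illustration of the distinction Graham draws (example code written for this page, not ISS's or the article's), the following Python contrasts a signature that matches one known exploit string with a protocol-aware check that enforces the 96-byte field bound; the toy message format, the sample messages and the exploit string are constructed for the example:

```python
import re
import struct

# Bound the (constructed) protocol definition allows for the field; the article's figure.
MAX_FIELD_LEN = 96

# A signature for one specific known exploit, as a pattern matcher would use (constructed).
KNOWN_EXPLOIT_SIGNATURE = re.compile(rb"EXPLOIT-A")


def parse_message(data: bytes):
    """Parse the constructed toy protocol: 2-byte big-endian length, then the field bytes."""
    if len(data) < 2:
        raise ValueError("truncated header")
    (declared_len,) = struct.unpack("!H", data[:2])
    field = data[2:2 + declared_len]
    if len(field) != declared_len:
        raise ValueError("declared length exceeds message size")
    return declared_len, field


def pattern_match_verdict(data: bytes) -> str:
    """Exploit signature: blocks only traffic containing the known string."""
    return "block" if KNOWN_EXPLOIT_SIGNATURE.search(data) else "allow"


def protocol_analysis_verdict(data: bytes) -> str:
    """Vulnerability signature: blocks any field larger than the protocol allows,
    whatever bytes it carries, and also rejects malformed structure."""
    try:
        declared_len, _field = parse_message(data)
    except ValueError:
        return "block"
    return "block" if declared_len > MAX_FIELD_LEN else "allow"


def build_message(field: bytes) -> bytes:
    """Encode a field in the toy format (used to construct the samples below)."""
    return struct.pack("!H", len(field)) + field


# Constructed sample traffic: a normal message, the known exploit and an unseen variant,
# the latter two carrying the 1012-byte field from the article.
SAMPLES = {
    "benign": build_message(b"A" * 40),
    "known_exploit": build_message(b"EXPLOIT-A" + b"X" * 1003),
    "unknown_exploit": build_message(b"B" * 1012),
}
```

Only the protocol check blocks the unseen variant, which is the "known and unknown exploits" property the text describes.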

With security attacks increasingly driven by monetary gain, Graham warned that companies have to start looking at IPS to proactively defend themselves, although IDS and IPS both have a part to play in a company's security defence.

As an example of monetary-driven hacking, he cited a company that was hit by a denial of service (DoS) attack, which would only stop if it paid a sum of money to the hacker.

Companies also need to understand what they are buying the tool for, said Graham, because "if they don't, then they are going to accept that whatever a vendor is selling them will solve all their security headaches, which it will not."