IT security has been high on the CIO's agenda for the past twenty years. With the ubiquity of the internet and the increasing speed at which new attacks are developed, securing the organisation's network and critical information is becoming a more crucial and more difficult task, writes Brian T Contos, chief security officer at ArcSight.

The traditional focus of the IT department has been on securing the company's critical information for business continuity and swift disaster recovery.

The wider issue is this: if it is not known why the network went down in the first place, how does the CIO stop it from happening again?

The answer lies in the company's security event data. As attacks grow more sophisticated, identifying and logging security threats as they happen is just as important for the CIO, because it ensures the fastest remediation possible.

Past, present and future

In the 1980s and 1990s most individuals and organisations were concerned with viruses, worms and DoS attacks. From the late 1990s on, there has also been an explosion in more varied and sophisticated attacks such as blended threats and targeted attacks.

This development is set to continue, and more destructive attacks are on their way in 2006. Blackworm, for example, could have been one of the bigger leading stories this year because it was truly destructive malware that overwrote content. But there is an increasing and largely unknown threat in the form of botnets that hasn't received as much attention as the latest worm or virus.

Botnets are set up to forward transmissions (including spam or viruses) to other computers on the internet, and attacks delivered through them can spread rapidly, allowing little time for human intervention in terms of patching, virus updates and other remediation efforts.

Exploiting vulnerability

Defence-in-depth and security awareness programs are now critical in disaster recovery. For business continuity, anomaly detection will be on the forefront of technology that will be used to detect and combat such attacks.

As attacks continue to develop, the vulnerability window, the amount of time between when a vulnerability is discovered and an exploit is written to take advantage of it, will continue to get smaller, rendering it impossible for companies to act against an attack and provide business continuity or disaster recovery manually.

Today, with skilled programmers, this window can shrink from months to weeks; with expert exploit writers for hire, organised crime and terrorist organisations, it is a matter of days.

It is conceivable that with the shrinking vulnerability window we'll see a trend of smarter, more targeted exploits with vulnerability windows of less than a day, propagating across the internet in a blended manner such as Nimda and Code Red – that is, using multiple avenues for infection and botnets for distribution.

As we saw with Zotob, multiple new variants of most worms are likely to appear shortly after their outbreak, sent out through other botnets, and the propagation quickly becomes a global pandemic. This is bad news for business continuity, and botnets add a further twist to this exploit story.

With the onset of vast botnet fleets in the thousands controlled from a single point and available for rent to the highest bidder, we are sure to see more involvement of criminal organisations and to a lesser extent, nation state threats and terrorist groups.

This is not simply scaremongering: towards the end of 2005 the Financial Services Authority warned of an increase in organised crime gangs attempting to infiltrate UK banks, and with identity theft becoming one of the fastest growing crimes in the UK, targeted attacks are on the increase.

The target may be a specific machine, organisation, business vertical, country, etc. Because of their focused nature, targeted attacks spread faster and can be more devastating. With organised crime, exploit writers for hire and botnets for rent, attackers are now going after applications and network gear, not just operating systems and network perimeters.

As a result, the threat environment is becoming more dangerous, with attacks that may be able to target a victim from both within and outside an organisation, causing the most havoc possible.

Information overload

All of these developments impact on the increasingly challenging task that CIOs and security managers in today's companies are facing - to protect their networks against a sophisticated 'hacker' community, while struggling to achieve cost reduction and compliance targets.

The problem is that the typical FTSE 250 company gets around 4 million hits on its firewall every day. Multiply this by the number of additional perimeter defences (AV, authentication and verification layers, anti-spam appliances, etc) and there is an incredible number of security devices to manage.

Then add all the internal protections, password authentication, swipe card readers, application/database logs, and CIOs begin to lose control.

The problem for the companies isn't actually the devices, but the millions of pieces of information that each one generates. And in today's heightened threat environment with millions of attacks capable of taking down the network, this security related data cannot be ignored.

Trying to pick out the one serious internal or external attack from the millions of false positives, to prioritise alarms and to discover internal and external breaches is next to impossible. The more security threats that appear, the more devices get thrown on the network, and of course the worse the problem gets.

Controlling security

With ever-decreasing vulnerability windows coupled with this deluge of security event data, the only truly effective way to detect threats and reduce the potential risk to the organisation is to automate the process.

These new automated security information management (SIM) systems work in tandem with existing best-practice processes to create a single, comprehensive view of the organisation's IT risk, employing advanced correlation and pattern discovery techniques that match apparently unconnected events to identify a threat.

SIM software collects security-relevant information from newly deployed devices and integrates with legacy systems. This data is then fed into a centralised manager that analyses security event data in an efficient manner for real-time processing, audit and investigation, and regulatory compliance support.

In addition, SIM software can perform real-time correlation of security events. The complete range of fields from each device can be normalised, then correlated to detect and report on multi-source, multi-target threats while filtering out the vast majority of alerts that are simply false alarms.
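The normalise-then-correlate step described above, as an added illustration that is not ArcSight's code or any product's logic: two device types (a firewall and an IDS, both constructed sample formats) are mapped onto one schema, then events are grouped by source address and a single alert is raised only when one source touches several distinct targets as seen by more than one device type within a short window. Isolated denies and alerts that never cluster are dropped as noise, which is the false-alarm filtering the text refers to.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) from two device types in their
# native formats: a firewall and a network IDS.
RAW_EVENTS = [
    ("firewall", "2006-03-01T10:00:01 DENY src=198.51.100.7 dst=10.0.0.5 dport=445"),
    ("firewall", "2006-03-01T10:00:03 DENY src=198.51.100.7 dst=10.0.0.6 dport=445"),
    ("ids",      "2006-03-01T10:00:04 ALERT sig=SMB probe 198.51.100.7 -> 10.0.0.9"),
    ("firewall", "2006-03-01T10:00:09 DENY src=198.51.100.7 dst=10.0.0.7 dport=445"),
    ("firewall", "2006-03-01T10:30:00 DENY src=203.0.113.9 dst=10.0.0.5 dport=22"),
    ("ids",      "2006-03-01T11:00:00 ALERT sig=SMB probe 203.0.113.9 -> 10.0.0.5"),
]

FW_RE = re.compile(r"(\S+) DENY src=(\S+) dst=(\S+) dport=\d+")
IDS_RE = re.compile(r"(\S+) ALERT sig=(.+?) (\S+) -> (\S+)")

def normalise(device, line):
    """Map a device-specific line onto one common event schema."""
    if device == "firewall":
        ts, src, dst = FW_RE.match(line).groups()
        name = "firewall deny"
    else:
        ts, name, src, dst = IDS_RE.match(line).groups()
    return {"time": datetime.fromisoformat(ts), "device": device,
            "src": src, "dst": dst, "name": name}

def correlate(events, window=timedelta(minutes=5), min_targets=3, min_devices=2):
    """Group by source; alert once when one source reaches min_targets distinct
    hosts as seen by min_devices device types inside `window`. Anything that
    never clusters is treated as noise and dropped."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            targets = {e["dst"] for e in cluster}
            devices = {e["device"] for e in cluster}
            if len(targets) >= min_targets and len(devices) >= min_devices:
                alerts.append({"src": src, "targets": sorted(targets),
                               "devices": sorted(devices), "count": len(cluster)})
                break  # one alert per source, not one per raw event
    return alerts

def run():
    return correlate([normalise(d, l) for d, l in RAW_EVENTS])
```

With the sample data, six raw events collapse to one alert for 198.51.100.7; the two unrelated events from 203.0.113.9 never meet the threshold and are filtered out.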

It can also stop attacks in their tracks by working with device management functions to shut down threatening traffic. This not only increases the protection level of the organisation, but also the efficiency and effectiveness of the security resources.

The real benefit in terms of disaster recovery is that if the network does go down, there is a secure log of all security threats to help the CIO understand why it went down, and stop it happening again in the future.

As external and internal attacks on the organisation continue to increase through 2006, we are sure to see more frequent and more costly downtime unless proper management of the security system is undertaken.