9 Security Trends To Keep An Eye On
Trends Emerge At RSA Conference 2014
The debate about data privacy and security prompted by the National Security Agency surveillance activities overshadowed a variety of emerging trends impacting the network security market. An emerging group of threat intelligence vendors is helping feed data to improve detection rates. Meanwhile, file behavioral analysis is being built into a variety of systems, including a new breed of breach detection appliances helping to boost security effectiveness. CRN sat down with John Pirc, CTO of research firm NSS Labs, to discuss the state of the network security market.
Next-Generation Firewalls' Limited Scalability
Next-generation firewalls have application control, deep packet inspection and inspection for SSL encrypted sessions, which help businesses gain more visibility into network traffic, according to Pirc. In recent years, vendors have added more capabilities, bolting on point technologies, file analysis capabilities and cloud-based threat data feeds in an effort to improve detection. Instead of improving detection rates, the technology sometimes bogs down low-powered appliances, he said.
SSL Reduces Next-Generation Firewall Performance
Turning on SSL inspection often greatly reduces the performance of some next-generation firewalls, Pirc said. Application control cannot be done when Facebook, Twitter and webmail is forcing SSL, requiring some companies to turn on the traffic inspection. Pirc said he would question vendors on where they are going in terms of SSL. The amount of malware that uses SSL to communicate out to remote servers has increased significantly, warranting better protection, he said.
FireEye And Next-Generation IPS
FireEye introduced the MVX-IPS, which is extremely disruptive to the market, according to Pirc. Having signatures as well as the capability to identify something that does not yet have a name is key. Traditionally, IPSes are signature-based, reputation-based and some of them have heuristics, but a lot of them fail at malware, he said.
Breach Identification Space Growing
Fidelis, Ahnlab, Damballa are other vendors that have products potentially disruptive to the network security market, according to Pirc, who added that FireEye is part of this field as well. Tier-two technologies are not line items in the budget because they are bleeding edge, but budgeting these types of security products into a business makes sense. The whole security industry understands high-volume Web-based threats, but malware that doesn't yet have a name is the real risk, Pirc said.
Time-Released Malware
Custom malware will fingerprint systems to see if malware has been dropped on the system during a previous attack. It will look for signs that a virtual machine is running and check for software debuggers and other tools that may signal that the system is a honeypot designed to catch threats for a security vendor. Malware can sit dormant on systems for six months before it attempts to communicate with a remote command and control server, Pirc said. Incident response teams must be able to respond to infected systems and remove malware, even if it hasn't executed, he said.
Using Overlapping Security Products Doesn't Improve Detection
Some large enterprises deploy a variety of technologies in the same product category with the hope that one detection engine can catch what another one misses. Deploying overlapping security products often fails to improve detection, according to Pirc. NSS Labs testing finds from an empirical data perspective that no gains can be made with that strategy, he said. Organizations need to be using multiple layers of technologies from different tiers to gain the most effective defenses.
Threat Intelligence Vendors Emerge
Norse, Lookingglass Cyber Solutions, ThreatMetrix and ThreatStream are just a handful of the emerging threat intelligence vendors trying to differentiate themselves in an increasingly crowded space for threat intelligence data, according to Pirc. Everybody talks about taking the fight to the adversary and disrupting their supply chain, but much of the talk is rhetoric and hyperbole, he said, and most businesses are not going to do this effectively. Threat intelligence is only actionable if it takes into account the specific industry vertical, the geography and the attack surface, he said.
Security Information Event Management
When you look at SIEM vendors, it falls under security best practices, said Pirc. It seemed like SIEM was going to be at the core of everything a few years back, he said, but IT teams quickly learned that they are only as valuable as the information being fed into them. SIEM vendors are moving toward providing more actionable intelligence and can take in a layer of threat intelligence data to offset the log management data and other sources that they correlate to glean insights.
DDoS Appliances Gaining Traction
Arbor Networks continues to build out its line of DDoS protection appliances and has a firm grip on the carrier space, Pirc said. Fortinet recently launched four new appliances, and other companies are entering the space, including Defense.Net and its cloud-based Anti-DDoS capabilities. IPS vendors will claim DDoS protection, but the protection is often limited, he said. There are key industry verticals that need to invest in appliances, while others can solve the problem by going upstream to their ISP.