IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING
Beyond the Next Generation:
Putting Advanced Network
Security to Work
An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Prepared for IBM Security Systems November 2012
Table of Contents
Executive Summary ... 1
The Evolution of Network Security ... 1
…and its Resulting Fragmentation ... 1
Beyond the “Next” Generation ... 2
Putting Advanced Network Security to Work ... 3
More Granular Application Control... 3
Both Outbound and Inbound ... 4
Greater Integration of Security Intelligence ... 4
The IBM Security Systems Example ... 5
Meeting the Demands of More Challenging Environments ... 6
EMA Perspective ... 6
©2012 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com
Executive Summary
A number of network security technologies have arisen that claim to be the “next generation” of network defense – but what does this concept actually mean? In the view of ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) analysts, the term has become marginalized by technologies that pigeonhole capability into silos of functionality such as firewalls or intrusion prevention systems. In fact, in EMA’s view, the common requirements of application awareness, deep inspection for deep understanding of network content and behavior, and a “data-driven” approach to security that demands the ability to both generate and consume sources of intelligence, are leading to the increased convergence of network security capabilities. Driven by demands to unify and extend protection across a broad spectrum of threats, EMA sees in this trend the rise of Converged Network Security (CNS) systems that integrate a wide range of capabilities and break down silos in network defense more than ever before.
In this report, EMA highlights specific examples of the ways in which these converged security systems put today’s more advanced capabilities to work in practical application. The IBM Security Network Protection XGS 5000 is profiled as an example of this trend, delivering not only intelligence driven, application aware defense against a variety of threats, but also the extensibility required to equip today’s organizations to confront whatever may come tomorrow.
The Evolution of Network Security
As the network has evolved, so has network security. Firewalls retain their role of first-line filtration based on policy, but have grown to embrace a wider range of capability. Content inspection, meanwhile, has expanded from intrusion detection and prevention to embrace a variety of needs. Among the most significant factors has been the shift of network content to Web-based applications and technologies, which have highlighted the need to lift network security beyond the lower layers of the network stack. This requires insight not only into application protocols, but a much broader application of content inspection as well.
…and its Resulting Fragmentation
The result is a collection of network security systems that run the gamut from firewalls to Intrusion Prevention Systems (IPSs) to a host of application-aware technologies. In terms of applications alone, at least six distinct technologies address various needs: Database defenses, IPS and Web Application Firewalls (WAFs) are all called upon in various ways to protect business applications on the server side. High availability solutions are often engaged to protect applications against Denial-of-Service (DoS) attacks. IPS also protects the distributed network from attack, while Web security gateways have more recently been joined by application-aware firewalls that enable policies to be defined for specific applications to protect end users – and the business – against today’s risks.
This has created a number of network security technology silos – which, in turn, have led to a number of overlaps as well as potential gaps in coverage. For example, not all network defenses may have the same level of application awareness. Firewalls have historically been managed on a policy basis. The threat landscape, however, tends to be far more dynamic and fluid. Websites and applications come and go daily. Application defenses that block suspicious websites or applications may be highly challenged to keep up with malicious sites that turn up every day. Legitimate sites and applications can pose a threat, too, if adversaries exploit their vulnerabilities to propagate attacks.
Even when policy is established, human behavior may not always conform. The abuse of trust by privileged individuals has become a matter of record – but even well intentioned or inadvertent lapses can have significant consequences. The ability to discern well-crafted attacks has become challenging enough for security professionals. Business people certainly should not be expected to know when a website or application that seems legitimate or innocuous poses a threat. This speaks to the value of network monitoring in defense, coupled with insight into user privileges and the ability to differentiate high-risk behavior from normal activity.
Beyond the “Next” Generation
To address these many recent and still-emerging needs of network security, many technology vendors have developed what they consider to be a “next generation” approach. Yet the term has already become virtually as siloed as the technologies that have co-opted it.
This is in spite of the fact that, in some cases, all the capabilities described above may be required to address more sophisticated or complex attacks. These may combine elements of reconnaissance, targeted attacks of specific technical vulnerabilities, and exploits of human behavior in pursuit of a specific target. As applications become the battleground, application awareness and application-specific countermeasures in these areas have become vital. Overcoming the weaknesses many defenses exhibit in the face of these challenges has become a primary objective for enterprises worldwide.
What network defense requires today goes beyond simply breaking down technology silos:
• First and foremost, network security products and services must be grounded on a solid foundation. This means more than policy definition or updates of attack recognition. Detailed awareness of protocols at both the network and application levels – and how they can be manipulated and abused – must be inherent. Deep inspection must be enabled with the ability to distinguish not only malicious network and application content, but high-risk activity as well. Visibility into encrypted content may be a factor, considering the range of network and application content easily communicated via common VPN and encryption techniques. Countermeasures must embrace more than black-and-white blocking. Alerting and monitoring are a start – but more advanced techniques such as throttling or traffic shaping may be needed to address risks from resource over-utilization to outright denials of service. The ability to perform in demanding environments when faced with a daunting array of threats is essential. Reining in capability to assure performance will only open the door to increased risk.
• Beyond this foundation, network security technologies must become better integrated – with extensibility to meet evolving needs. Better integration of security technologies was one of the top three most important needs to improve security identified in a recent EMA survey of 200 organizations worldwide, along with the ability to better recognize malicious activity and targeted threats.1 The integration of capability required to meet all of these demands goes beyond bundling multiple modules in a single appliance – which may only perpetuate technology silos that keep each module distinct. The dynamic nature of emerging defense must be evident in the ability to recognize patterns of behavior and distinguish high-risk anomalies through a range of detective and preventive techniques that reinforce each other. “Dynamic” also means that defenses must be readily extensible, able to adapt to emerging needs tomorrow as well as today.
• Keeping up with these demands requires the ability both to consume and provide intelligence. Defenses must deal quickly with serious new threats – but the need to make more direct use of intelligence in defense is greater still. Identity awareness, for example, is required to differentiate normal user activity from a potential threat. Failure in this area is one of the greatest roadblocks to effectiveness in dealing with the more sophisticated and stealthy adversary. The data generated by network defenses can play a leading role in identifying more sophisticated attacks, providing primary evidence of suspicious behavior and important information for correlation against other data sources. Looking farther ahead, the ability of network security technologies to consume and correlate intelligence will only become more important, as “data-driven” countermeasures characterized by their dynamic dependence on real-time insight arise to reshape the nature of network defense.
1 The Rise of Data-Driven Security, EMA Research Report, May 2012, http://www.enterprisemanagement.com/research/asset.php/2278/The-Rise-of-Data-Driven-Security
Putting Advanced Network Security to Work
The application of today’s more advanced network security techniques has far-reaching implications for improving the effectiveness of defense through a richer context of intelligence coupled with expanded capabilities for enforcement.
More Granular Application Control
In the past, traditional network defenses took an all-or-nothing approach to blocking high-risk traffic. With the shift of functionality toward applications and Web technologies, that approach is no longer possible.
The reasons go beyond the ineffectiveness of simply blocking traffic over standard server ports 80 (HTTP) or 443 (HTTPS), which would cripple a large proportion (if not the lion’s share) of today’s information technologies. Because so much of today’s network content is application-centric, network defense must understand specific application behaviors, how users interact with applications, the context of interaction, and how to define and enforce security policy accordingly. This requires network defense to rely on multiple sources of intelligence: awareness of specific applications, insight into user privileges and activity, the context of access linking the two, and how to distinguish policy violations or suspicious anomalies in each case.
For example, an external or third-party social networking application may be acceptable for access by marketing or public relations personnel speaking on behalf of the organization, but may pose a risk when accessed through the account of an individual with highly privileged access to sensitive assets such as intellectual property or controls over critical infrastructure. Such applications sometimes carry the risk of exposing users to malicious content that can be exploited to embarrass an organization, if not attacking users outright through compromised websites or application functionality. Network defenses that combine application recognition with threat intelligence and user insight can do a more effective job defending organizations against a wider spectrum of today’s threats.
Both Outbound and Inbound
Threats from external sources are not the only exposures enterprises face. Businesses must also deal with risk exposures from what leaves the organization.
Even legitimate websites and applications often have vulnerabilities that can be exploited to deliver a malicious payload to users that can result in the theft or compromise of high-value information assets, or of the user access credentials needed to exploit them. But exposures to egress risks don’t stop there. Acceptable access to legitimate websites and applications can result in individuals sharing sensitive data in violation of security or regulatory policy. Such sharing may not be intentional; the inadvertent leakage of sensitive information may, in fact, pose an even more common risk.
Application awareness may also be valuable to defining more granular network security policy governing egress risks. For example, peer-to-peer communications and collaboration applications such as Skype or instant messaging may be authorized for business purposes – but the ability to transfer files using such applications, either into or out of the organization, can be controlled when application-aware network defense can recognize this capability and enforce policy.
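The policy model sketched in the two preceding sections (the social networking and Skype cases) can be made concrete as a small rule evaluator. This is an added illustration, not code from the EMA paper or from the IBM product; the group names, application labels and action names are constructed for the example.

```python
"""Added example: a toy application-aware policy evaluator.

Decisions are made per (user group, application, action, direction) rather than
per port or per whole application, which is the granularity the text argues for.
All identifiers (groups, applications, actions) are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset       # directory groups the user belongs to (identity context)
    application: str        # as classified by content inspection, not by port
    action: str             # e.g. "browse", "post", "chat", "call", "file_transfer"
    direction: str          # "inbound" or "outbound"


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str           # "allow" or "deny"
    application: Optional[str] = None   # None matches any value
    action: Optional[str] = None
    direction: Optional[str] = None
    group: Optional[str] = None

    def matches(self, flow: Flow) -> bool:
        return ((self.application is None or self.application == flow.application)
                and (self.action is None or self.action == flow.action)
                and (self.direction is None or self.direction == flow.direction)
                and (self.group is None or self.group in flow.groups))


# Ordered policy: first match wins. The privileged-account deny is placed before
# the marketing allow so that a user holding both memberships is still denied.
POLICY = [
    Rule("deny_privileged_social", "deny", application="social_network",
         group="privileged_admins"),
    Rule("allow_marketing_social_post", "allow", application="social_network",
         action="post", group="marketing"),
    Rule("allow_social_browse", "allow", application="social_network", action="browse"),
    # Skype chat and calls are business-authorized; file transfer is not, in either direction.
    Rule("deny_skype_file_transfer", "deny", application="skype", action="file_transfer"),
    Rule("allow_skype_chat", "allow", application="skype", action="chat"),
    Rule("allow_skype_call", "allow", application="skype", action="call"),
]


def evaluate(flow: Flow, policy=POLICY) -> Tuple[str, str]:
    """Return (decision, rule_name). Unmatched flows fall through to default deny."""
    for rule in policy:
        if rule.matches(flow):
            return rule.decision, rule.name
    return "deny", "default_deny"


def demo() -> dict:
    """Evaluate a few constructed flows and return {label: (decision, rule)}."""
    flows = {
        "marketing_post": Flow("m.lee", frozenset({"marketing"}),
                               "social_network", "post", "outbound"),
        "admin_post": Flow("a.root", frozenset({"marketing", "privileged_admins"}),
                           "social_network", "post", "outbound"),
        "staff_chat": Flow("j.doe", frozenset({"staff"}), "skype", "chat", "outbound"),
        "staff_file_in": Flow("j.doe", frozenset({"staff"}), "skype", "file_transfer", "inbound"),
        "unknown_p2p": Flow("j.doe", frozenset({"staff"}), "unknown_p2p", "file_transfer", "outbound"),
    }
    return {label: evaluate(flow) for label, flow in flows.items()}


if __name__ == "__main__":
    for label, (decision, rule) in demo().items():
        print(f"{label:16s} -> {decision:5s} ({rule})")
```

The ordering of the deny rule ahead of the marketing allow is what lets the same application be acceptable for one population and blocked for a privileged account, without touching ports 80 or 443 at all.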
Greater Integration of Security Intelligence
The previous examples suggest the value of intelligence in dealing with specific types of network security concerns. With the emergence of modern techniques for data integration and analysis, however, intelligence can play an even greater role in advanced network defense.
For example, the scenarios described above highlight individual incidents, such as an isolated case of malware infestation, or the transfer of a sensitive content file. More sophisticated attacks, however, may consist of a chain of activity which culminates in far more serious damage than a single case of malware infection. This sequence of events is a hallmark of the more adept adversary. Recognition requires the ability to link individual points of activity data together into a larger whole that identifies this more serious class of threat.
This ability to correlate and recognize a set of complex data exemplifies the very nature of “intelligence” in this realm. Each individual incident – malware infestation, credential capture, reconnaissance and exploration of next steps in compromising high-value targets – may escape the notice of defenses that are unable to “connect the dots” and recognize a more serious attack. Moreover, the sequence of events that signal this far more dangerous threat may be spread out over a long period of time. Intelligence capabilities that have an “event horizon” shorter than the time period involved may miss key indicators of compromise and leave organizations exposed to significant damage. Intelligence that correlates data in multiple dimensions – including monitored activity, user privileges and observed behavior, and deviations from observed activity norms – may be critical to defending against this category of adversary. These are examples of intelligence that can be gathered and correlated from sources internal to an organization. Advanced network defense may also benefit from external sources as well. Many organizations leverage both commercial and “open source” intelligence feeds to refine insight and preparedness against attack. Some intelligence sources may be overlooked in today’s approaches to security – but in banks, for example, fraud activity may often be directly connected with security threats.
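The “event horizon” argument above can be shown with a small correlator: the same chain of stages is either found or missed depending only on how long a window the correlation engine keeps. This is an added example, not code from the EMA paper or from any product; the stage names and the event stream are constructed.

```python
"""Added example: correlating a multi-stage attack chain across weeks of activity.

find_chain() links events for one entity (host or account) into the ordered stage
sequence the text describes. The `horizon` parameter is the correlation window;
a window shorter than the span of the chain misses it. Events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    time: datetime
    entity: str      # host or user account the sensor tied the event to
    stage: str       # category assigned by the producing sensor


# The sequence named in the text: recon -> malware -> credential capture -> high-value access
CHAIN = ["reconnaissance", "malware_infection", "credential_capture", "high_value_access"]

# Constructed sample stream (not real telemetry): one slow chain on ws-042 spread
# over three weeks, plus unrelated single events on ws-017 that should not alert.
SAMPLE_EVENTS = [
    Event(datetime(2012, 11, 1, 9, 15), "ws-042", "reconnaissance"),
    Event(datetime(2012, 11, 1, 11, 0), "ws-017", "malware_infection"),
    Event(datetime(2012, 11, 4, 14, 30), "ws-042", "malware_infection"),
    Event(datetime(2012, 11, 12, 8, 5), "ws-042", "credential_capture"),
    Event(datetime(2012, 11, 21, 22, 40), "ws-042", "high_value_access"),
    Event(datetime(2012, 11, 22, 3, 0), "ws-017", "high_value_access"),
]


def find_chain(events: List[Event], entity: str, horizon: timedelta,
               chain: List[str] = CHAIN) -> Optional[List[Event]]:
    """Return the events that form `chain`, in order, for `entity`, with every
    stage inside `horizon` of the anchoring first stage; None if no such chain.
    Each occurrence of the first stage is tried as a fresh anchor."""
    mine = sorted((e for e in events if e.entity == entity), key=lambda e: e.time)
    for i, anchor in enumerate(mine):
        if anchor.stage != chain[0]:
            continue
        matched = [anchor]
        for e in mine[i + 1:]:
            if e.time - anchor.time > horizon:
                break                      # window expired; try the next anchor
            if e.stage == chain[len(matched)]:
                matched.append(e)
                if len(matched) == len(chain):
                    return matched
    return None


def flagged_entities(events: List[Event], horizon: timedelta,
                     chain: List[str] = CHAIN) -> List[str]:
    """Entities for which a complete chain exists within `horizon`."""
    entities = sorted({e.entity for e in events})
    return [ent for ent in entities if find_chain(events, ent, horizon, chain)]


def chain_span(events: List[Event], entity: str, chain: List[str] = CHAIN) -> Optional[timedelta]:
    """How long a window is needed to see the whole chain for `entity`, if any."""
    found = find_chain(events, entity, timedelta.max, chain)
    return None if found is None else found[-1].time - found[0].time


if __name__ == "__main__":
    for days in (1, 7, 30):
        print(f"{days:2d}-day horizon flags: {flagged_entities(SAMPLE_EVENTS, timedelta(days=days))}")
    print("span needed for ws-042:", chain_span(SAMPLE_EVENTS, "ws-042"))
```

With the constructed stream the chain on ws-042 spans just over twenty days, so a one-day or seven-day horizon reports nothing while a thirty-day horizon flags it; ws-017 is never flagged because its isolated events do not form the sequence.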
Tactical countermeasures have often lacked the capability to integrate a wider range of intelligence directly into operational defense. As data-driven analytics continue to have an impact on information security strategy, however, organizations can expect that network defense may also become more data-driven. For example, insight into websites that pose a threat – those that are frankly malicious as well as legitimate sites that have been compromised – may be essential to protecting users against coming into direct contact with an attack. And intelligence that identifies the functionality of malware or likely network addresses where exfiltrated data may be directed can all be used directly in containing impact and mitigating further spread – especially when correlated to suspicious activity, compromised systems or exploited user accounts within the enterprise network.
The IBM Security Systems Example
With a strong position not only in the IPS market, but in the wider realm of information security, IBM has played a leading role in the evolution of network defense. With the release of the IBM Security Network Protection XGS 5000, IBM combines the capability of its recognized intrusion prevention systems with broad visibility into network activity and control for appropriate application and network use.
The XGS 5000 is built on IBM’s Advanced Threat Protection platform, an extensible model that provides the benefits of deep network content inspection and awareness of network and application protocols. The XGS 5000 protocol analysis engine recognizes historic and contemporary protocol anomalies and distinguishes potential exploits, even when a specific attack may not yet be widely known. Specialized analysis engines leverage the extensibility of IBM’s Protocol Analysis Module (PAM) to detect exploit payloads and inspect files and network content.
The application-specific capabilities of the IBM Security Network Protection XGS 5000 include engines that recognize application context, identifying and classifying all observed network traffic regardless of port, protocol or evasion technique. Identity context enables the XGS 5000 to correlate users with application activity, which helps to identify targeted threats as well as trends in application use or abuse. Application control functionality extends into the ability to control individual actions and activities within both Web and non-Web applications, including insight into billions of URLs, and giving organizations more “business-friendly” support for appropriate application use than security tools which are limited to monitoring or blocking of entire applications or application classes.
The XGS 5000 both provides insight to, and relies upon, well-reputed intelligence resources from IBM products and services. IBM IPS solutions have long been backed by the capabilities of the company’s X-Force security research organization. Today, that intelligence is reinforced by IBM insight into more than 15 billion URLs – one of the largest such resources in the world, on a scale that few others can match. When integrated with IBM QRadar capabilities for security information and event management, the XGS 5000 plays a primary role in anomaly detection and event correlation, distilling numerous events into actionable alerts, and providing direct countermeasures for mitigating risks and threats when detected.
Meeting the Demands of More Challenging Environments
Today, many organizations recognize the need for greater finesse in applying network security measures. Commercial businesses are not the only ones to recognize the inadequacy of blunt-edged, detect-and-block tactics focused only on what comes into the network. Universities, for example, not only have a need to support, but a mandate to encourage the freedom of exploration integral to academic life. In terms of IT network activity, this often means interaction with (often unfamiliar) external resources and the potential to expose the campus network to a variety of threats. Computer scientists, for instance, may access high-risk sites or content in ways that may be accepted for security training when well controlled. These same sites, however, may increase risk when accessed by the general student body. Networks such as these stand to benefit greatly from more finely grained controls that help to enforce which individuals and groups can access which applications under which circumstances, as well as more effective mitigation of data exfiltration risks.
The growing proliferation of a wide variety of mobile devices also poses significant challenges for campus networks in higher education. Even though many of today’s mobile devices employ security models that improve and build on past experience with personal systems, a common concern remains among many environments where mobility has a pronounced impact: application threats. The risks inherent in applications that take advantage of exploitable gaps in mobile security measures highlight the need for greater insight into the security and integrity of these applications and their provenance. Mobile application intelligence thus becomes yet another contributor to advanced network defense.
In healthcare, organizations have become increasingly aware of their risk of exposure to unauthorized IT access. External concerns range from attempts to steal or exploit access to sensitive personal health and financial records, to the ability to manipulate systems critical to the safety of life. Internal risks include the misuse of IT resources among both authorized and unauthorized parties, particularly when healthcare systems may be widely exposed to patients, visitors, service providers such as payments clearing networks, or other third party factors.
With recent mandates such as HITECH Act requirements for moving data to electronic health records, and the increasing intersections of information technologies and clinical systems, concerns continue to mount. Many of these technologies are still new, and may pose risks that are as yet largely unknown. But this is precisely where advanced network security measures can help. By applying greater granularity to control over healthcare applications and technologies, advanced network security can reduce risk exposures. By enhancing the integration of network defense with expanded intelligence tuned to the needs of healthcare organizations, today’s emerging security technologies can help to close risk gaps that emerging approaches to “digital” healthcare cannot – including more finely grained control over access to personal healthcare information or networks where clinical technologies may be exposed.
EMA Perspective
As the demands of an increasingly complex threat landscape have been compounded by the shift of functionality toward applications, the common needs of a diverse range of network security requirements have led to overlaps in emerging technologies that are forging a convergence of functionality. The common requirements to see within network content, understand evidence of threat even if the threat has never been encountered before, and raise visibility and control to a higher plane have led to the rise of network security technologies that combine features of application and network control combined with behavioral awareness.
Nearly two years ago, EMA described this trend that characterizes the emerging generation of what we then called “Converged Network Security” or “CNS” systems.2 As this convergence expands, EMA expects that distinctions between firewalls, intrusion prevention systems, Web security gateways and application defenses will continue to diminish, as enterprises increasingly demand the integration of silos to unify and simplify a wide range of defenses, and to apply analytics against the massive amounts of data generated.
Yet more than convergence will be required of tomorrow’s network security technologies. The ability to adapt to changes in both the IT and threat landscapes will be essential. Today, applications are a primary battlefield. Tomorrow, increased mobility and the growth of “smart” technologies may demand even more. Security intelligence and extensibility will not become essential to network defense; they are already essential now.
IBM has already made its stake in this future, with technologies such as the IBM Security Network Protection XGS 5000. The XGS 5000 couples an extensible, application-aware foundation with intelligence ranging from IBM’s X-Force and one of the largest URL inventories in the industry, to the monitoring, event analysis and correlation capabilities of the IBM QRadar Security Intelligence Platform. As such, the XGS 5000 represents a significant aspect of IBM’s vision for threat protection driven by advances in security insight. It exemplifies the nature of Converged Network Security that intersects with another highly visible trend in the rise of “data-driven” techniques that expand the horizons of network defense, making today’s investments well positioned to confront tomorrow’s challenges.
About IBM Security Systems
IBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, data, applications and infrastructure. IBM offers solutions for identity and access management, security information and event management, database security, application development, risk management, endpoint management, next-generation intrusion protection and more. IBM operates one of the world’s broadest security research and development organizations and delivery organizations. This comprises nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.
For more information on IBM security, please visit: www.ibm.com/security.
2 EMA Blogs, “Toward CNS: Converged Network Security systems”,
http://blogs.enterprisemanagement.com/scottcrawford/2011/01/31/toward-cns-converged-network-security-systems/
About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or
blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.
This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries. ©2012 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.
Corporate Headquarters:
1995 North 57th Court, Suite 120 Boulder, CO 80301
Phone: +1 303.543.9500 Fax: +1 303.543.7687