Heading off hackers

31.01.2005
Von Jaikumar Vijayan

As the chief information security officer at Massachusetts Mutual Life Insurance Co., Bruce Bonsall is acutely aware of the need to keep one step ahead of the bad guys.

That"s why he has subscribed to a cyberthreat assessment service from iDefense Inc. in Reston Va.

IDefense alerts customers such as the Springfield, Mass.-based insurer about possible attacks on their networks, using information gathered from a global network of security researchers, original vulnerability research, product vendors, national incident-response teams, underground hacker rooms and chat sessions.

The service warns about a range of risks -- from impending worms and viruses to new software holes and even geopolitical events -- that could affect the security of overseas operations, Bonsall says.

These advance warnings are invaluable at a time when Internet and e-mail threats are becoming more sophisticated and are capable of spreading much faster than traditional defenses alone can handle, says Bonsall.

"Gathering intelligence and learning about things early on gives you more of a lead time to act on it," he explains. "The goal is to mitigate the risk of software vulnerabilities and the effects of attacks on your network."

Increasingly, it"s a best practice to subscribe to such services, according to a November 2004 research note from Gartner Inc. "Information risk cannot be managed without tracking external events on a daily or even hourly basis, and analyzing their significance," the report says.

Gartner says that over the next two years, roughly 80 percent of all companies will spend about 10 percent of their security budgets on unnecessary fixes and that security intelligence services can help IT managers prioritize response and eliminate unnecessary remedial action.

A different approach

Radianz, a New York-based provider of telecommunications services to financial companies, uses a service from Symantec Corp. to monitor impending threats.

Symantec"s DeepSight threat management system monitors global Internet attack activity using a combination of empirical data and human intelligence, says Dee Liebenstein, group product manager for the service.

Symantec"s early-warning system collects firewall and intrusion-detection system data from about 20,000 sensors on customer networks in 150 countries. The data is analyzed for patterns of unusual behavior -- such as sudden spikes in specific types of network traffic -- that might suggest malicious activity.

A team of Symantec threat specialists also collects and monitors information from a variety of sources, including honeypots -- systems that are used to lure hacker attacks -- and hacker sites, looking for signs of new threats. Last May, the service warned users of the Sasser worm 18 days before it began infecting systems worldwide, based on information it collected in that manner, Liebenstein says.

That kind of lead time allows Radianz to make more-informed decisions when mounting a response, says Lloyd Hession, the company"s chief security officer. Because Symantec"s service is customized for each client, Radianz can focus on threats that are relevant only to its own technologies, he says.

For instance, about nine months ago, Symantec warned of a critical protocol vulnerability in Radianz"s voice-over-IP networks that received little media attention but was vital to fix nonetheless, he says.

"Trying to get a measure of how significant a threat really is and whether it is really being exploited is hard," especially at a time when hundreds of new vulnerabilities are being discovered every month, Hession says. Knowing precisely what to focus on helps eliminate the otherwise costly disruptions that can result from rushing to address every single threat, he adds.

Meanwhile, regulations that require companies to demonstrate due diligence in securing IT infrastructures, such as the Sarbanes-Oxley Act, are driving interest in commercial intelligence services, says iDefense CEO John Watters. "Security is becoming more and more of a business issue," he says.

Even so, it"s wise to exercise caution when using security intelligence information, says Howard Schmidt, chief information security officer at eBay Inc. and former security adviser to the White House. "I think it should be just one of the pieces in the CISO"s tool kit," but not the most important one, he says.

There"s a "fair amount of false positives" in the information culled from alerting services, Schmidt points out. "These services are only as good as the input of the data they get. We need to get better at identifying and correlating data" to minimize this, he says.

"An early-warning system is like a weather forecast," says Gerhard Eschelbeck, chief security officer at Qualys Inc., a provider of network vulnerability management services in Mountain View, Calif. "It tells you if you should take an umbrella. But it"s far from being perfect."

Side bar

Price and value

The cost of commercial intelligence services can run from thousands to hundreds of thousands of dollars per year. IDefense won"t quote a price, but the number is "well into the six figures," CEO John Watters says. Symantec"s offering ranges from US$5,000 to $15,000, depending on the number of subscribers, while IBM Corp. charges a flat $10,000 annually for its new Security Intelligence Service.

The ROI from such services is hard to determine, says Bruce Bonsall, CISO at Massachusetts Mutual Life Insurance. "You can"t put a value on how much you are saving by protecting yourself from the next attack," he says. But having good threat intelligence helps to reduce the cost of unnecessary fixes, says Bonsall, adding that since subscribing to the iDefense service, he has been able to reduce his intelligence staff by one person.

-- Jaikumar Vijayan