The Evolution Of The Security Ecosystem

Security Evolution

I remember my early years using a computer; the pre-Internet years and a world where dial-up modems offered access to services like AOL and CompuServe. Things were much different back then. All of the content you sought was served up via a self-contained application, and your provider was the supplier of the content.

Even then, with every innovation came the curiosity for people to circumvent security controls to gain elevated access to systems for malicious intent and more commonly notoriety. I recall an AOL underground community was brewing with a subculture of users who sought to defeat the controls used to secure application, content and messaging systems, but as every new control emerged, five more exploits or methods to defeat them followed.

Names like FateX, Havoc and the ever-popular Master.AOL were the tools of choice for wreaking havoc within the AOL community. Some of these tools were helper programs, which scrolled mass messages in chat rooms or where actual internal administrative tools that were leaked and used to gain higher levels of access to the underlying systems.

Fast forward to the 2000s; we’ve shifted from content-based providers to the fully-fledged Internet. With this change, we saw a new level of tools emerge to target end user systems on LANS and insecure ISPs such as Sub7 and Netbus, with the intent of both being eavesdropping and generally annoying their targets.

As security on end user systems began to improve, targets moved back to the providers. Attackers next focused on the vast new world of online shopping, which turned into a free for all for obtaining large amounts of credit card data from poorly coded shopping basket applications.

The stolen credit card data was most commonly used to ‘Card’ things; essentially using the credit card information to order products online that were delivered to a drop location. As expected, security improved, and the attacks slowed. Once this happened, the security of security threats shifted again towards malware and scareware, which was even more annoying.

Today, we see a wide variety of threats still targeting computer networks with each more advanced than the one before. Threats come from many different vectors and in many different forms requiring many different methods of detection and protection.

Today, most businesses employ an information security team whose purpose is to manage firewalls, DLP systems, APT systems, antivirus, spam blockers, disk encryption, network access control, incident management systems as well as other point solutions intended for specific business needs. As the need for information security increases, so does the need for the deployment and maintenance of tools and systems. Ideally, all of this should be communicated as a security platform.

The idea of security as a platform takes the various information security policies and systems and creates a console seen on a single pane of glass to enact security control across the various security systems. While many vendors strive to “do it all,” what typically happens in this scenario is that companies are stuck with a mediocre solution that excels at a few things, but overall is not effective as a point solution.

While the industry has accepted the fact that there is not one solution to solve all security concerns, the challenge has become building out a homogenous security ecosystem in which point solutions can share information between other systems as well as leveraging features of access control systems to restrict or remediation systems to rehabilitate infected workstations.

Consider this scenario: Your antivirus (AV) software finds an infected system. The first move of most malicious software is an attempt to disable system defences, thus disabling any sort of quarantine provided by the antivirus system. The normal response would be to take the machine off the network before it affects others and then rebuild it.

However, the ideal solution is for a network access control system to learn of the infected machine either from the machine itself or from the AV management suite; move the machine to a quarantine network and leverage remediation systems such as a disk imaging system to re-image or push a specific malware removal tool to the endpoint. This solves the threat of the workstation affecting other systems as well as automating the process of getting the user back to work.

The ultimate goal of this converged security platform is to bring together the systems that already exist on the network and utilise them for their intended purpose. The scenario of the AV quarantine can be established by an automated security control system being notified of the infection and enforcing an ‘Assign to Quarantine VLAN’ action at the users switch.

The security system can then trigger an automatic remediation at the desktop management system to rehabilitate the system and then move it back to the appropriate VLAN. While all this is taking place, the information can be updated in a helpdesk system or SIEM tool so the security operations teams can be aware of the status. The same idea holds true of any risk within an environment.

By strategising security in the form of a platform and utilising an automated security control system, a truly secure and compliant network infrastructure can be maintained, and it can also leverage best of breed detection systems, enforcement mechanisms, management solutions and network infrastructure components. This approach allows businesses to utilise their existing investments without compromising features, provides the ability to integrate with point solutions for evolving threats and establishes a single pane of glass for insight into the health, hygiene and security posture of the entire network.

Robert McNutt

A systems engineer at ForeScout Technologies, Robert McNutt is a designer and architect of Network Access Control (NAC) solutions for global financial organisations, with ForeScout's award-winning CounterACT NAC appliance at the core. Prior to ForeScout, Robert previously worked as a senior network administrator at the New York Law School.