Much of today's network security architecture relies on signature-based solutions, such as IPSs (Intrusion Prevention Systems), IDSs (Intrusion Detection Systems) and firewalls. If you have read my previous blog entries, you know my opinion about the signature-based approach. To sum it up: these signatures come from certain network security operations centers, run by the various vendors. The people working there do a great job, but it still takes them a couple of hours to crank out a new signature for a new threat. To top it off, your signature-based device will typically be updated only at certain intervals, which means even more time elapses. So, if a true zero-day anomaly comes around, something that nobody has seen before, or that has just started a few hours ago, you will most likely find yourself unprotected.
In addition, this approach completely ignores the threat that arises from anomalies which are specific to your network. For example, if you are flooded by a DDoS attack, and the attacker chooses a certain kind of packet to flood you with, what do you think the chances are that there is a signature for exactly that kind of packet in someone's signature database? Pretty close to zero.
The question then is: How can a network react to new anomalies and threats, once it gets exposed to them? Is it possible for the network to defend itself, without having to wait for some signatures to be sent down by someone else's network security operations center?
Well, yes, it is possible, at least for some of the most pressing security concerns, such as worms and DDoS attacks. I call this network self-vaccination. Let's look at an example from nature in order to explain this. I'm not a biologist or a doctor, so what I'm about to write here may not always use 100% correct terminology, but I think you will understand what I mean.
Our skin is an important barrier which protects our body from infection. Without the skin, various microbes could easily enter our body and cause havoc. Even though the skin is a good barrier, a bacterium, parasite or virus may still find a way into our body.
Fortunately, our skin is not the only line of defense that we have: Our immune system can deal with intruders and issues even if they have managed to get into our body. Interestingly enough, it is for the most part capable of handling even brand new (zero day, if you will) diseases. We might get sick, but for the most part, we eventually recover. How is that possible?
Well, the answer lies in the way the immune system works. There is a really great introduction here, but to summarize it: We have an innate immune system and an adaptive immune system. The innate system is made up of genetically pre-programmed defenses, such as the skin (a physical barrier), but also the phagocytic cells, which can devour foreign elements, such as microbes and a couple of other things. The innate immune system therefore is something we have more or less from birth. A pre-programmed set of defenses.
More interesting in our context here is the adaptive immune system, though. What does it do? To quote from the above-mentioned Wikipedia article:
[It] ensures that most mammals that survive an initial infection by a pathogen are generally immune to further illness caused by that same pathogen.
Key elements of the adaptive immune system are the leukocytes (white blood cells), antibodies, T-cells and so on. Using a lot of fascinating biochemistry, the adaptive immune system can in effect learn the specific fingerprint of a new microbe or virus. That is, after the foreign body has entered the bloodstream and an immune response has started (in effect, an infection has already occurred), it can then learn how to defend itself better the next time. So, the adaptive immune system does not prevent an infection the first time around, but it can do a good job the second time it sees the same problem.
This is, of course, exactly the principle behind vaccination: Expose the organism to the disease in a way that the organism can survive, and the acquired immune response will be able to defend the organism from then on. The organism is immunized.
So, how does all of this relate to networks?
Well, modern threats to network security can come from any direction. As we have all heard before, the network perimeter is dissolving, which means that any defense at that perimeter is only effective to a certain extent. Compare the firewall or IPS on the Internet access links to the defense offered by the skin. These devices also rely on prior knowledge about how to react to specific conditions or signatures, and thus could be compared (to some degree) with the innate immune system.
However, mobile devices or browser-based exploits allow malware to appear right in the middle of the network at any point and at any time. What do we have in place to defend against that? Since a mobile device may have been infected already before it is even connected to our network, it is difficult to guarantee that there is never going to be an outbreak of some kind in a network. Nevertheless, most organizations completely ignore this threat to their network infrastructure. And as we have seen, even the perimeter defense is powerless when confronted with zero-day anomalies, such as site-specific DDoS attacks.
What most organizations have today is only the equivalent of the skin, a portion of the innate immune system. But these days, this is not enough anymore. What we need is an adaptive immune system for networks. It needs to fulfill three basic requirements:
- Automatically detect an anomaly that appears within the network.
- Autonomously get a handle on the anomaly (a fingerprint), so that it is possible to characterize and identify it when we see it again.
- Use these fingerprints to defend against the anomaly, using the already existing infrastructure of the network.
We can see a lot of similarity to the adaptive immune system from biology in that description. The most important point obviously is the detection of the anomaly. For this, the observation sensors of this adaptive network immune system are not only on the perimeter (where they can detect DDoS attacks, for example), but also right in the middle of the network, where they can observe the internal traffic. The ability to detect an attack within the network (organism) is important, which is why the biological adaptive immune system does not sit on the skin, but is present everywhere in our body.
The second point then describes the adaptability of the system: It sees a new anomaly, and can automatically learn the fingerprint for it, even though it may never have seen it before. Sophisticated algorithms can do this for network traffic, and we have implemented them in our solutions.
The last point is interesting: Use the existing network infrastructure for defense. Why is that? Well, the existing network infrastructure (routers, switches, firewalls, IPSs) often has the ability to filter traffic, or at least to isolate an infected host. Thus, without having to invest in expensive inline devices, which just add latency and points of failure, this adaptive immune system simply provides fingerprints / signatures which can be applied to the existing infrastructure elements. This effectively stops the anomaly right at the source. Even if a worm-infected laptop is connected into the company network, it is instantly detected and isolated or the offending traffic is simply filtered out. Since this is important, our system can produce actionable filter instructions for a variety of different network devices.
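The three requirements above form one pipeline: observe traffic, flag a source that behaves unlike its peers, learn a fingerprint of the offending flows, and hand a filter to devices the network already has. The following is an added, self-contained illustration of that pipeline in Python; it is not Esphion's code or algorithm. The flow records are constructed for the example (one host probing many neighbours on a single port, the way a worm-infected laptop would, alongside ordinary client/server traffic), the threshold rule is a deliberately simple population-based fan-out check rather than the "sophisticated algorithms" the post refers to, and the output rule uses an illustrative extended-ACL style that a real deployment would replace with each device's own syntax.

```python
"""Toy 'adaptive immune system' for a network: detect a scanning host from
flow records without any pre-existing signature, learn a fingerprint of the
offending traffic, and emit a deny rule for existing infrastructure.

Added example with constructed data; not Esphion's product code."""
from collections import Counter, defaultdict
from statistics import median

# Constructed flow records: (src, dst, proto, dst_port, bytes).
# Ordinary traffic first; 10.0.0.77 then contacts 40 hosts on tcp/445 with
# tiny packets, plus one normal HTTPS session of its own.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", "tcp", 443, 5200),
    ("10.0.0.5", "10.0.1.11", "tcp", 80, 3100),
    ("10.0.0.6", "10.0.1.10", "tcp", 443, 4800),
    ("10.0.0.7", "10.0.1.12", "udp", 53, 120),
    ("10.0.0.7", "10.0.1.10", "tcp", 443, 6100),
    ("10.0.0.8", "10.0.1.11", "tcp", 80, 2900),
] + [
    ("10.0.0.77", f"10.0.2.{i}", "tcp", 445, 60) for i in range(1, 41)
] + [
    ("10.0.0.77", "10.0.1.10", "tcp", 443, 5000),  # legitimate flow, must survive
]


def detect_scanners(flows, min_fanout=10, factor=4.0):
    """Requirement 1: flag sources that contact far more distinct destinations
    than their peers. The baseline is the median fan-out of the population
    itself, so nothing about the anomaly has to be known in advance."""
    destinations = defaultdict(set)
    for src, dst, *_ in flows:
        destinations[src].add(dst)
    counts = {src: len(d) for src, d in destinations.items()}
    baseline = median(counts.values())
    return sorted(src for src, n in counts.items()
                  if n >= min_fanout and n > factor * baseline)


def learn_fingerprint(flows, src, dominance=0.8):
    """Requirement 2: characterise the offending traffic as the (proto, port)
    pair that accounts for at least `dominance` of the host's flows, plus the
    largest packet seen for it. Returns None when no single pair dominates,
    so a busy but legitimate host does not get a filter."""
    own = [f for f in flows if f[0] == src]
    if not own:
        return None
    pairs = Counter((proto, port) for _, _, proto, port, _ in own)
    (proto, port), n = pairs.most_common(1)[0]
    if n < dominance * len(own):
        return None
    max_bytes = max(b for _, _, p, pt, b in own if (p, pt) == (proto, port))
    return {"src": src, "proto": proto, "dst_port": port, "max_bytes": max_bytes}


def render_filter(fp):
    """Requirement 3: turn the fingerprint into a rule for existing gear.
    Illustrative extended-ACL style; per-device syntax is an assumption here."""
    return f"deny {fp['proto']} host {fp['src']} any eq {fp['dst_port']}"


def self_vaccinate(flows):
    """Run the whole pipeline and return the filter lines to push out."""
    rules = []
    for src in detect_scanners(flows):
        fp = learn_fingerprint(flows, src)
        if fp is not None:
            rules.append(render_filter(fp))
    return rules


if __name__ == "__main__":
    for rule in self_vaccinate(SAMPLE_FLOWS):
        print(rule)
```

The filter is port-specific rather than a blanket isolation of the host, which is the distinction the post draws between "isolated" and "the offending traffic is simply filtered out": the probing host's one legitimate HTTPS flow is not matched by the rule, while every tcp/445 probe from it is. Swapping the fan-out check for a different detector leaves the fingerprinting and rule generation untouched.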
The network therefore has observed an anomaly, and has learned automatically to recognize it and to shut it out, without relying on pre-existing signatures. As we know, time is of the essence (see my previous blog entry) and so, in our solution all of this happens within just a few seconds, even for deliberately slow-scanning worms.
Just like our body, the network has in effect used an adaptive immune system for defense. A network with such a security system in place is capable of self-vaccination. And that is what it takes these days.
Juergen Brendel
CTO
www.esphion.com
Juergen, thank you for a most informative blog. I am curious to read your views about the recent so called "focused attacks" on such corporations like MasterCard. There a a story for instance here at Reuters:
http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=8843109&src=rss/technologyNews
Where does Esphion fit into that scenario?
Regards.
Posted by: Lionel Dersot | June 22, 2005 at 11:06 AM
Lionel, thank you for the feedback. You will find that the focused attacks you are referring to are out to install a single Trojan into the organization. They rely heavily either on a single, individual and not-yet-patched vulnerability, or on a lack of user education (clicking on an e-mail attachment, weak passwords, etc.).
I think that these threats are best addressed by a good patch-policy, and good user education. The best anomaly detection software in the world does not help when passwords are used which can be guessed.
Well, that's true for the most part. There are certain means of anomaly detection, which can help even in those cases. You will see more about that in the future.
Posted by: Juergen Brendel | June 23, 2005 at 10:17 AM