Can the cloud provide the best strategy for security?
Security is evolving from a do-it-yourself operation — loading software on a device or attaching a box to a network — to managed, hosted services leveraging the anytime/anywhere scalability of the cloud for large-scale analytics that were not practical before.
No one yet is seriously suggesting getting rid of firewalls and antivirus detection, but it has been painfully obvious for some time that by themselves, they are not adequate protection. Intelligence-based security is being touted as the way to counter more complex attacks against high-value targets, and the emergence of cloud computing now offers a way to gather enough intelligence and analyze big data fast enough to effectively spot malicious activity.
“We do not look for malware, we do not look for exploits,” said Dmitri Alperovitch, CTO of CrowdStrike, which has announced its first cloud-based security offering. “We look at what is being done, rather than how.”
The CrowdStrike Falcon Platform is one of the latest in a growing number of services offering security from the cloud, rather than security for the cloud. Another recent announcement in this field is the integration of global attack data into Risk I/O's cloud-based platform, which uses big data and predictive analytics to help prioritize vulnerability data. Other companies with cloud-based security services include Appthority, Check Point, Fortinet, Okta, Symantec, Veracode and Zscaler.
Moving security out of the box and even out of the enterprise can help to address a new generation of adversaries using layered attacks to methodically find weaknesses, penetrate systems, escalate privileges and then quietly observe and exfiltrate data. Intelligence is needed not just to detect these attacks, but to respond to them.
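To make concrete the contrast Alperovitch draws above (looking at what is being done rather than at the malware itself), here is an added illustration that is not code from the article or from CrowdStrike. It runs two toy detectors over a constructed endpoint event log: one that matches file hashes against a blocklist, and one that looks only for the sequence of actions the article describes (escalate privileges, observe, export data) on a single host. The event fields, tactic labels, hash placeholders, the 10/8 "corporate network" assumption and the 50 MiB outbound threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed endpoint events for the example; hashes are placeholders, not
# real malware indicators. ws-17 is the intrusion, srv-fs is a legitimate
# admin doing backups, ws-22 is a user with a known-bad adware binary.
EVENTS = [
    {"t": 100,  "host": "ws-17",  "proc": "outlook.exe", "sha256": "h-outlook", "action": "spawn"},
    {"t": 400,  "host": "ws-17",  "proc": "winword.exe", "sha256": "h-word",    "action": "spawn"},
    {"t": 450,  "host": "ws-17",  "proc": "upd.exe",     "sha256": "h-unknown", "action": "read_lsass"},
    {"t": 900,  "host": "ws-17",  "proc": "upd.exe",     "sha256": "h-unknown", "action": "enum_shares"},
    {"t": 1500, "host": "ws-17",  "proc": "upd.exe",     "sha256": "h-unknown", "action": "archive_files"},
    {"t": 2100, "host": "ws-17",  "proc": "upd.exe",     "sha256": "h-unknown", "action": "net_out",
     "dst": "203.0.113.5", "bytes": 120 * 1024 * 1024},
    {"t": 300,  "host": "srv-fs", "proc": "net.exe",     "sha256": "h-net",     "action": "new_local_admin"},
    {"t": 600,  "host": "srv-fs", "proc": "backup.exe",  "sha256": "h-backup",  "action": "archive_files"},
    {"t": 700,  "host": "srv-fs", "proc": "backup.exe",  "sha256": "h-backup",  "action": "net_out",
     "dst": "10.0.5.20", "bytes": 900 * 1024 * 1024},
    {"t": 800,  "host": "ws-22",  "proc": "chrome.exe",  "sha256": "h-chrome",  "action": "net_out",
     "dst": "198.51.100.7", "bytes": 80 * 1024 * 1024},
    {"t": 850,  "host": "ws-22",  "proc": "toolbar.exe", "sha256": "h-adware",  "action": "spawn"},
]

# Assumed blocklist: only a commodity adware hash is known in advance.
KNOWN_BAD = {"h-adware"}

# Assumed tactic labels, loosely following the stages the article lists.
ESCALATE = {"read_lsass", "new_local_admin"}
OBSERVE = {"enum_shares", "archive_files"}
EXPORT_MIN_BYTES = 50 * 1024 * 1024  # assumed threshold for a bulk upload


def is_external(ip: str) -> bool:
    """Assume 10.0.0.0/8 is the corporate network; anything else is outside."""
    return not ip.startswith("10.")


def stage_of(ev: dict):
    """Map one event to a tactic stage, or None if it is not a signal by itself."""
    if ev["action"] in ESCALATE:
        return "escalate"
    if ev["action"] in OBSERVE:
        return "observe"
    if (ev["action"] == "net_out"
            and ev.get("bytes", 0) >= EXPORT_MIN_BYTES
            and is_external(ev.get("dst", ""))):
        return "export"
    return None


def signature_hits(events, known_bad):
    """Hash-based detection: fires only on tooling already in the blocklist."""
    return [ev for ev in events if ev["sha256"] in known_bad]


def behavior_hits(events, window=3600):
    """Behaviour-based detection: escalate -> observe -> export on one host
    within `window` seconds, regardless of which binaries were used."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["t"]):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        seen = {}  # stage -> first event that reached it, in order
        for ev in evs:
            stage = stage_of(ev)
            if stage == "escalate" and "escalate" not in seen:
                seen["escalate"] = ev
            elif stage == "observe" and "escalate" in seen and "observe" not in seen:
                seen["observe"] = ev
            elif stage == "export" and "observe" in seen:
                if ev["t"] - seen["escalate"]["t"] <= window:
                    hits.append({"host": host,
                                 "chain": [seen["escalate"]["action"],
                                           seen["observe"]["action"],
                                           ev["action"]]})
                break
    return hits


if __name__ == "__main__":
    print("signature:", [e["host"] for e in signature_hits(EVENTS, KNOWN_BAD)])
    print("behaviour:", behavior_hits(EVENTS))
```

Run as written, the hash detector flags only the adware on ws-22 and says nothing about ws-17, whose tooling has a hash nobody has seen before; the behaviour detector flags ws-17 and ignores both the backup server (its large transfer stays inside the corporate network) and the user uploading to an external site without any preceding escalation. A real product has far richer telemetry and models, but the shape of the argument is the same: chain the actions, not the binaries.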
In the past, knowing who you were up against wasn't necessary for security. You spotted the attack, and you blocked it. But "if you are being targeted by a determined adversary, they are not going to stop because you block them," Alperovitch said. "They are going to keep it up until they get in. They can spend years at it."
CrowdStrike’s approach to active defense has a decidedly military and intelligence flavor. It takes a strategic view with an emphasis on knowing your enemy, not just the weapon. Most of the more than 4,000 organizations tracked for its Adversary Intelligence database are nation-sponsored. Its goal is not to stop every malicious attempt.
“You can’t block every attack,” Alperovitch said. “And sometimes blocking is not the best strategy.” If you spot and identify someone engaged in spying or espionage, the best strategy might be to string him along and watch him, “to better understand his tradecraft.”
The goal is to raise the bar for attackers, making their craft more difficult and expensive. This can mitigate one of the great advantages attackers have: it is dramatically cheaper to launch an attack than to defend against one, which gives successful attacks a very high return on investment. Recognizing sophisticated techniques "doesn't eliminate all activity, but it dramatically raises the cost of intrusion," Alperovitch said.
It is too early to say what impact the cloud and big data analytics will have on security, and it’s a pretty safe bet that it won’t solve every problem. But it is an attractive option for concentrating resources where they are most needed.
Posted by William Jackson on Jun 20, 2013 at 6:02 AM