Deploying deception for protection: Juniper Networks
By Gabey Goh December 24, 2013
- Securing web traffic the most significant network security concern for majority of organisations
- Deception-based approach to enterprise security addresses threats much earlier in attack cycle
THE challenges facing enterprise security networks today can be likened to the revolution of the photography industry.
Traditional film photography detached the development process of a picture from the photo-taking process, before Polaroid entered the market and brought the two processes together, enabling the almost instant sharing of visual experiences.
Almost 20 years later, services such as Instagram have further accelerated and proliferated the spread of instant photographic experiences online to social networks.
That was the analogy offered by Greg Bunt, director of security at Juniper Networks, to illustrate today’s security landscape.
“The challenge is the continued treatment of security from a ‘Polaroid age’ when we’re very much in an ‘Instagram age.’
“There is this fortress mentality that still persists but it’s not a fortress anymore that businesses have to protect, and as the ‘city’ grows around the fortress wall, it’s hard to continue the same old approach against an increased attack surface,” he said.
Bunt pointed to the high-profile case that took place earlier this year, where classified blueprints of the new ASIO headquarters in Canberra were stolen in a cyber hit orchestrated from a Chinese server, as one such example.
“The official response was that the real blueprints were not taken and that ASIO remains committed to moving in, but it demonstrates how compromise can happen indirectly, in this case via third parties who provided the solutions.
“That is one thing corporations need to realise. You can’t outsource the risk -- you can outsource the task, but you still own the risk,” he added.
According to an Efficacy of Emerging Network Security Technologies report commissioned by Juniper and conducted by the Ponemon Institute this year, securing web traffic is by far the most significant network security concern for the majority of organisations, with 64% of respondents in Australia and India, 61% in Japan and 59% in China citing it as their top concern.
Almost half (48%) of respondents agree that emerging network security technologies are not effective in minimising attacks that aim to bring down web applications or curtail gratuitous Internet traffic.
However, despite the rise of external attacks that call for more comprehensive and holistic security technology investments, the study showed that 55% of the companies surveyed still continue to focus on the inside-out threat.
To aid organisations in tackling a now porous and fluid perimeter, Juniper Networks is advocating a deception-based cyber-security system that strengthens defence against malicious online attacks.
The core notion behind this approach is the acknowledgement that, while organisations still need to defend against straightforward blunt-force attacks such as distributed denial-of-service (DDoS), targeted attacks that unfold over a longer period are the harder problem. Countering them merits allowing ‘some’ access, so that would-be attackers reveal themselves and can be pinpointed and halted.
“There is no such thing as perfect security but a majority of companies are looking at policy-based security based on firewalls, which hasn’t changed in 15 years.
“Our deception-based proposition urges security departments to change their mind-set, to one that thinks ‘everyone in the world can get to this website but I'm going to watch you and if you do something dodgy …’ ” said Bunt.
He noted that a proactive security approach using intrusion deception techniques to profile and stop hackers early in their efforts allows for certainty on the part of IT departments. It lowers the risk and eliminates the fear of blocking out legitimate users by enabling better visibility into a user’s actions when connected to the network.
The technology allows hackers into an artificial part of the company or government body, an intelligently created decoy, and leads them to dead ends or to false information, while keeping the entity and critical information it holds safe.
“This approach is more aggressive in information protection. The idea is to give out the information and see if a user on the network does something with it, if the data is manipulated, you know you’re dealing with a bad actor,” Bunt said.
Breaking down the anatomy of an attack (see graphic on left), it is during the 'reconnaissance' phase where such tactics are deployed.
“Information about a network is worth money. One party typically tries to break in to collect intelligence which is then sold to others to collate and find an attack vector, while others create code that does it, which is then automated,” said Bunt.
Traditional signature-based defences typically come into play only during the second phase of an attack, the implantation phase, and do not fare well at protecting a network against attackers for whom no signature yet exists.
“The idea is to move detection to much earlier in the cycle when bad actors start looking for information on your network. By seeding interesting code to tempt bad actors into action, you can identify the unknown attacker because the ‘good guys’ won’t manipulate that type of data,” said Bunt.
He said that it is about changing the economics of the attack: there are hackers who gain financially by specialising in retrieving information about secured networks, and feeding them fake credentials, forcing slow connections or forcing log-outs raises the cost of that work.
“It’s about making it hard for them to make money and by making things that much harder, you automatically change the economies that drive such transactions. It impacts the person who does such reconnaissance work and once they start selling bad information, they’ll quickly go out of business,” he added.
However, identifying unknown attackers is only one element in larger efforts to curb the ease of intrusion and risk of malicious attacks – tracking them is another.
Bunt pointed to Junos Spotlight Secure, a global attacker intelligence service the company launched this year, beefed up by industry partnerships such as the one signed with RSA for the sharing of threat intelligence, as such an effort being made by the security vendor.
Powered by technology gained through Juniper’s early 2012 US$80-million acquisition of Mykonos Software Inc, which specialises in intrusion-deception techniques, it is intended to offer customers more detailed security intelligence about attackers and to significantly reduce false positives.
The solution creates a persistent fingerprint of attacker devices based on over 200 unique attributes, delivering precision blocking of attackers without blocking valid users.
Once an attacker is identified and fingerprinted on a subscriber's network using Junos WebApp Secure, the database can immediately share the attacker profiles with other subscribers, providing advanced real-time security across multiple networks.
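The two mechanisms described above, seeding decoy data that no legitimate user would touch and then remembering the offending client by a fingerprint that can be shared, are sketched below in Python. This is an added, constructed illustration and not Juniper, Mykonos or Junos WebApp Secure code: the decoy field name and decoy path, the HMAC key, the handful of request headers used for the fingerprint (a real product would use far more attributes) and the JSON profile exchange are all assumptions made for the example.

```python
"""Constructed intrusion-deception sketch (not vendor code).

Seed a decoy hidden field and a decoy URL into an HTML response, treat any
tampering with the field or any visit to the URL as attacker behaviour,
record the client by a request-header fingerprint, and export/import those
profiles so a second instance can block the same client immediately.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

DECOY_FIELD = "account_level"      # assumed honeytoken field name
DECOY_PATH = "/admin_backup/"      # assumed decoy URL, never linked visibly
SERVER_KEY = b"constructed-per-deployment-secret"  # assumption: rotated per deployment
FINGERPRINT_HEADERS = ("User-Agent", "Accept", "Accept-Language",
                       "Accept-Encoding", "X-Forwarded-For")  # stand-in attribute set


def sign(value: str) -> str:
    """MAC over the decoy value so that any edit to it is detectable."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def honest_token() -> str:
    """The decoy value a browser will echo back unchanged: '1' plus its MAC."""
    return "1." + sign("1")


def seed_form(html: str) -> str:
    """Inject the decoy hidden field into the first form and a hidden decoy link."""
    hidden = f'<input type="hidden" name="{DECOY_FIELD}" value="{honest_token()}">'
    decoy_link = f'<a href="{DECOY_PATH}" style="display:none">backup</a>'
    return html.replace("</form>", hidden + "</form>", 1) + decoy_link


def fingerprint(headers: dict) -> str:
    """Hash of header attributes a scanner rarely varies between requests."""
    attrs = "|".join(headers.get(name, "") for name in FINGERPRINT_HEADERS)
    return hashlib.sha256(attrs.encode()).hexdigest()[:16]


@dataclass
class Request:
    path: str
    headers: dict
    form: dict = field(default_factory=dict)


@dataclass
class DeceptionFilter:
    # fingerprint -> reason the client was flagged (the shareable "profile")
    profiles: dict = field(default_factory=dict)

    def inspect(self, req: Request) -> tuple:
        """Return ("allow", "") or ("block", reason)."""
        fp = fingerprint(req.headers)
        if fp in self.profiles:
            return ("block", "known attacker profile")
        reason = ""
        if req.path == DECOY_PATH:
            reason = "requested decoy URL"
        elif DECOY_FIELD in req.form:
            raw, _, mac = req.form[DECOY_FIELD].partition(".")
            if not hmac.compare_digest(mac, sign(raw)):
                reason = "tampered decoy field"
        if reason:
            self.profiles[fp] = reason       # remember this client from now on
            return ("block", reason)
        return ("allow", "")                 # untouched decoy: ordinary user

    def export_profiles(self) -> str:
        """Serialise flagged profiles for sharing with another instance."""
        return json.dumps(self.profiles, sort_keys=True)

    def import_profiles(self, blob: str) -> None:
        self.profiles.update(json.loads(blob))


if __name__ == "__main__":
    site = DeceptionFilter()
    page = seed_form("<form action='/login'></form>")
    browser = {"User-Agent": "Mozilla/5.0", "Accept": "text/html"}
    scanner = {"User-Agent": "sqlmap/1.0", "Accept": "*/*"}
    print(site.inspect(Request("/login", browser, {DECOY_FIELD: honest_token()})))
    print(site.inspect(Request("/login", scanner, {DECOY_FIELD: "9.0000000000000000"})))
    print(site.inspect(Request("/", scanner)))   # blocked on fingerprint alone
    partner = DeceptionFilter()
    partner.import_profiles(site.export_profiles())
    print(partner.inspect(Request("/", scanner)))
```

A legitimate browser submits the hidden field exactly as served, so it never trips the check; only a client that edits the value or follows an invisible link is recorded, which is the "good guys won’t manipulate that type of data" argument in code. The caveat is the fingerprint: a few headers are trivial to vary, so a real deployment needs a much richer attribute set and should treat a fingerprint match as one signal rather than proof of identity.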
Bunt said that the offering was still in its early stages, given its official debut at the RSA Conference only in February, but the company plans to move from the early-adopter phase to mainstream adoption by 2014.
When asked what industry reaction has been like since Juniper announced this offering, Bunt claimed that the most interesting has been how customers have opted to use the technology.
“We don’t know what customers will use it for and seeing how it has been leveraged has been interesting, such as one insurance company utilising it to track potential misbehaviour within its large mobile sales force,” he said.
When asked about privacy concerns, Bunt admitted that there are issues that must be addressed, with the company in on-going discussions with relevant authorities.
“We are ensuring that what we have abides by international law and we even proactively took Junos Spotlight to the European Union to be reviewed to make sure of it, and we passed its scrutiny,” he claimed.
Previous installment: Policy framework a must for security today: IDC