As the information security industry matures, we’re beginning to come to terms with the reality that there is no such thing as perfect prevention. Conventional wisdom in information assurance tells us to assemble best-of-breed network and endpoint components into arrays of controls that will provide some reasonable measure of defense in depth. While the practice is correct in its ingredients, the recipe is lacking.
Until now, unmediated coordination between protection at the physical or virtual network layer, and the endpoints that make up those networks, hasn’t been possible. IT and security professionals pay a price for this every day: missed cues that might have prevented or detected an attack; delays in responding to and mitigating a detected threat; an abundance of alerts with unknown relevance or outright irrelevance; and difficult, time-consuming investigations that often lead nowhere.
The missing recipe is synchronized security – enabling meaningful and contextual exchange of information between the familiar ingredients of endpoint and network protections.
The benefits of synchronized security can be broken down into two camps, each reinforcing the other. First, it improves protection by automating and coordinating the response to detected threats across assets. Second, it increases operational efficiency by shedding light on the five “Ws” of a threat (what happened, why did it happen, where, when, and by whom?), streamlining investigation.
Without synchronized security, information system controls don’t talk to each other, so they can’t work together to react to threats.
For example, if a firewall sees an outbound connection or a DNS lookup to a suspected command and control IP or domain, the best it can do is block the connection and alert the admin. The alert might contain an IP address or perhaps even the logged-in user, but it will not contain information about the offending process. Meanwhile, the endpoint remains infected, posing a risk to the business until manual intervention.
Likewise, firewalls are typically blind to what’s happening on endpoint devices. Runtime behavior analytics on an endpoint might identify and block a malicious process, prompting a need for investigation and cleanup. Until that cleanup is complete, however, the firewall is ignorant of the threat. The compromised system can freely communicate out to the Internet or to other sensitive systems.
Our approach to synchronized security involves a secure communication channel between the Sophos endpoint and network controls that we call the Sophos Security Heartbeat.
Now, when the firewall detects malicious traffic, it notifies the endpoint. The endpoint agent responds dynamically, identifying and aggressively scrutinizing the suspect process. In many cases, it can automatically terminate the process and remove the residual components of the infection.
Endpoints, for their part, report their current “security health” status to the firewall on an ongoing basis. When the security health is degraded – as in the case of a runtime detection awaiting investigation – the firewall applies an appropriate policy to isolate or restrict that endpoint.
This inter-product communication also boosts operational efficiency, particularly when it comes to investigating incidents.
One of the biggest challenges IT departments face is connecting the dots between isolated events and alerts. When a firewall detects malicious traffic from an endpoint, it’s typically reported in connection with an IP address. As the investigator, you must then connect the IP address to a particular user and computer. This might, for example, include reviewing DHCP or dynamic DNS records and querying an inventory or IP address management database.
From there, the real challenge begins: conducting a time-consuming analysis of the endpoint in question, attempting to correlate the network traffic seen by the firewall with a particular process. If you’re lucky, you might find the process still active with a simple netstat or lsof command. Much of the time, though, the process has terminated or severed its network connection, making it that much more difficult to identify the threat.
Synchronized security automates the process of connecting the dots. When the firewall shares what it has detected in real time with the endpoint, the endpoint agent immediately traces the traffic to the suspect process. That information, along with the computer name and username of the logged-in user, is communicated to IT and to the firewall. What might have required hours or days of analysis is fully automated and reduced to seconds, allowing incident responders to focus on resolving the threat instead of finding it.
While I’m proud of what we’ve done at Sophos to start the ball rolling, I’m even more excited about where we’re headed. From analyzing risky user behavior across the endpoint and the network to spotting statistical anomalies in endpoint traffic, the firewall – and soon our other networks devices – will know as much about what’s happening on the endpoints as it does about itself. And both will be able to act accordingly.
Synchronized security will also involve other control points that until now have been all too discrete. Soon we’ll be able to use encryption and endpoint protection together to isolate sensitive data based on the security health of the device, or even a specific process. And mobile devices, cloud-based gateways and sandboxes will all join the endpoint and the firewall in an interconnected, synchronized security system that is far more than the sum of its parts.
As Jon Oltsik, principal analyst at Enterprise Security Group says, “Integration is the new best of breed.”
I would modify that statement slightly: practical integration is the new best of breed. The vast majority of businesses struggle today to keep up with security. Money, well-trained staff, and time are all in short supply. Everyone might desire the promised benefits of a SIEM, but not everyone can afford to own or effectively operate one. Done right, synchronized security can be the solution, creating better protection with less cost and complexity than a hodgepodge of point products.
At its heart, I’ve described a simple concept: make products talk to each other and respond automatically. It makes you wonder why it hasn’t been done until now with endpoint and network security. As it turns out, though, it’s quite hard to bring these ingredients together in a way that makes sense. That’s why synchronized security is revolutionary.
After so long, we’ve finally delivered a better recipe.
Joe Levy is Chief Technology Officer (CTO) of Sophos.