Beyond “Seven Layers”: Local Network Protection from Global Threats

Last week my colleague John Gordineer posted a blog entitled “Seven layers of protection from hacked websites”. This post goes further, examining how you can be protected from threats that emerge from the other side of the globe.

If you have kids, you often find out that a virus is running through the school when your child comes home with it. The internet is a lot like the school playground: it is a notorious place for catching nasty viruses, and it is the most common pathway for distributing malware. As with playground viruses, you can’t predict which strain your network will get. One of the ways cyber-criminals avoid detection is simply to modify existing malicious code, then use legitimate malware-scanning websites to test whether detection engines still recognize it. When the code is sufficiently modified that it is no longer flagged as malicious, voilà, you have new malware. Consequently, new threats pop up around the world every hour, night and day.

Today, the sale of cyber-criminal tools is a thriving business, with pricing models ranging from outright sales to time-based rentals. For example, the online banking malware SpyEye could be obtained for $150, a price that included three months of free hosting (its creators have since been caught and prosecuted). Like other software, it came with updates, patches and technical support. Another cyber-criminal technique is the use of botnets: vast networks of compromised computers used to push malware to other computers on the internet. A botnet is directed by a command and control (C&C) server, which can instruct the bots to send out thousands of emails linking to malicious software.

Global threats require global security solutions

With cyber-criminals continually upping their game, there are specialized tools for reducing the chance of being compromised.

GeoIP filtering builds on two facts: every packet carries a source and a destination IP address, and address blocks are allocated to specific countries. For example, Tajikistan has fewer than 50,000 IP addresses and North Korea only 2,304. China, on the other hand, has 333 million, and the US leads the list with over 1.6 billion IP addresses. (“Allocation of IP Addresses by Country.” CIPB. 1 Apr. 2015. Web. 1 Apr. 2015.) Blocking traffic from countries you don’t do business with limits the ability of botnets in those regions to reach your network. Because your network may already be compromised, it is equally good practice to filter traffic leaving your network, so that an infected host cannot report back to a C&C server in a blocked region. Two caveats apply: GeoIP databases are built from registry allocations and are only as accurate as their last update, and an attacker can route through a compromised host or hosting provider in a country you do allow. GeoIP filtering therefore cuts the volume of opportunistic attack traffic; it does not replace the other layers.

Here are some important GeoIP defense strategies:

  1. Filter all incoming and outgoing communication to or from countries or regions you don’t do business with.
  2. Make sure your firewall provider is an organization that can identify threats globally.
  3. Hire an IT service provider who can react quickly to protect your network.
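The filtering policy the first strategy describes, as an added example that is not from the original post and not SonicWall code: a small Python filter that geolocates the external endpoint of each flow, judges inbound traffic by its source and outbound traffic by its destination, fails closed on addresses it cannot place, and summarizes blocked flows so that repeated outbound blocks from a single host stand out as a sign of an already-infected machine. The allocation table, the allowed-country list and the flow records are constructed for illustration from documentation address ranges; a real firewall loads a registry-derived or commercial GeoIP database and refreshes it regularly.

```python
"""Added example: GeoIP policy filter for inbound and outbound traffic.

The allocation table below is CONSTRUCTED from documentation prefixes
(RFC 5737 / RFC 3849); these are not real national allocations.
"""
import ipaddress
from collections import Counter
from typing import Iterable, Optional, Tuple

# Constructed (network, ISO 3166 country code) pairs.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.128/25"), "FR"),  # more specific, wins over the /24
    (ipaddress.ip_network("203.0.113.0/24"), "KP"),
    (ipaddress.ip_network("2001:db8::/32"), "TJ"),
]

# Countries this (hypothetical) organisation does business with; all others are blocked.
ALLOWED_COUNTRIES = {"US", "DE", "FR"}

# RFC 1918 space: LAN-to-LAN traffic is never geo-filtered.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def lookup_country(ip: str) -> Optional[str]:
    """Longest-prefix match against the table; None when the address is not covered."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def filter_packet(src: str, dst: str) -> Tuple[str, str, Optional[str]]:
    """Return (verdict, direction, country) for one packet.

    Inbound packets are judged by their source, outbound packets by their
    destination, so a compromised host beaconing to a C&C server in a blocked
    country is stopped just like an inbound scan from that country.
    Addresses with no geolocation fail closed.
    """
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return ("allow", "internal", None)
    direction = "outbound" if src_in else "inbound"
    cc = lookup_country(dst if src_in else src)
    if cc is None:
        return ("block", direction, None)
    return ("allow" if cc in ALLOWED_COUNTRIES else "block", direction, cc)


def audit_flows(flows: Iterable[Tuple[str, str]]) -> Counter:
    """Count blocked flows by (direction, country) from (src, dst) records.

    A run of *outbound* blocks towards one country is the tell-tale of an
    already-infected host, which is why egress filtering matters too.
    """
    counts: Counter = Counter()
    for src, dst in flows:
        verdict, direction, cc = filter_packet(src, dst)
        if verdict == "block":
            counts[(direction, cc or "unknown")] += 1
    return counts


# Constructed flow records (src, dst), as a firewall might log them.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.1.2.3"),      # inbound from a blocked country
    ("10.1.2.3", "192.0.2.10"),       # outbound to an allowed country
    ("10.1.2.3", "203.0.113.9"),      # outbound beacon to a blocked country
    ("10.1.2.3", "203.0.113.9"),
    ("10.1.2.3", "198.51.100.200"),   # /25 match -> FR, allowed
    ("10.1.2.3", "10.9.9.9"),         # internal, not filtered
    ("2001:db8::1", "10.1.2.3"),      # inbound IPv6 from a blocked country
    ("10.1.2.3", "8.8.8.8"),          # not in the table -> fail closed
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, filter_packet(*flow))
    print(audit_flows(SAMPLE_FLOWS))
```

Failing closed on unknown addresses is a deliberate choice: it is safer for a business that only talks to a handful of countries, but on a network with broad internet traffic it would block a great deal, so most deployments pair the country list with an explicit allow list for known partners and SaaS providers.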

Global presence. It is an old adage that you can see further when you stand on the shoulders of giants. As far as malware protection is concerned, these giants can be measured by the number of sensors a security organization deploys. In the intricately connected world the internet brings us, malware that originates in Thailand takes only a couple of clicks to find its way onto your desktop. The best defense is to employ an IT security company that has in-house security research and is a recognized leader in the industry. Those in-house resources are what let the best security companies identify malware early and protect your assets before it spreads. These are organizations that can see further because they have millions of sensors around the globe.

Rapid reaction. Seeing further is only half of the equation; you also need to react faster. Cyber-criminals rely on slow response to steal from you, and the security industry is addressing this. When Microsoft identifies a threat and communicates it to the security community, it also tracks how quickly security organizations create protection against it. Microsoft’s Active Protections Program (MAPP) shows which partners respond quickly. Is your firewall or antivirus provider on the fast-responder list? How rapidly your security partner responds is a good indication of how effectively it will protect you from emerging threats. The security of your business depends on sophisticated global protections that reduce your chance of being compromised. Geographic protection comes in two flavors: filtering traffic by geography (GeoIP filtering), and having an IT service provider that operates globally and reacts immediately to emerging threats.

If you want to learn more, you might start by reading SonicWall Security’s new eBook, “Types of Cyber-Attacks and How to Prevent Them”. Follow me on Twitter @KentShuart.

How Do We Live in Tomorrow’s World of Mobile Security?

BYOD is solvable. COPE is solvable. The rest of the acronym soup describing the problems of keeping company data safe on mobile devices is solvable. But today it takes several different solutions strung together to keep data safe once it leaves the perimeter. In the future, those solutions will come together, and protecting data as it moves around the world will be easier and cheaper.

First some background. You know what BYOD is, but what is COPE? COPE stands for Company Owned, Personally Enabled, and it describes the way many, if not most, companies operate. The company buys you a computer and perhaps a smartphone. You might have a choice between vendor A and vendor B. And while that device comes configured, you still generally have administrative rights, because if you don’t, you create far too many headaches and complaints for IT: “I have to have x installed! I have to have y installed. The system blocked me from installing z and I can’t do my job without z.” While there are some highly security-centric companies out there, the vast majority of employees have administrative rights on their computers. And while the trend for phones was to go down the Mobile Device Management path, where the company decided what can and can’t be on your phone, the current tide is going the other way. Why? Frankly, none of us want some company IT person telling us what we can and can’t have on our phones. “Phones are personal, even if I didn’t buy it! My computer is personal, even if I didn’t buy it. My LIFE is on my computer and my LIFE is on my phone. Don’t tell me what I can and can’t have. I’ll go rogue or find a company that lets me be me.” That’s the general trend.

But company data is VALUABLE and companies have to protect that company data. So how can a company REALLY protect its data while letting you be you?

For the company to win by protecting its data, and for the user to be productive and happy, three solutions need to work in concert.

First, access to all data needs to be controlled by a powerful Secure Remote Access gateway that is focused on understanding who the user is, what kind of risk their device poses, and exactly what data the company is willing to let out given that calculated risk. Powerful SSL VPN gateways are therefore a fundamental need. If you think the market for them has been eliminated, think again. They are fundamental.

Second, these gateways need to work in concert with solutions that provide mobile containers. A container lets the SSL VPN solution (after it has verified the user, assessed the risk of the device and decided what data may be accessed) place that data into a virtual piece of real estate on the mobile device that is owned and controlled by the owner of the data, not by the person in possession of the device. The key here is that companies should not try to take control of the device entirely; they only need to control the small piece of real estate the user grants them, and all company data needs to land there. If the user and the owner of the data choose to part ways, the company does not need to “destroy” the entire device. It only needs to revoke access to the data sitting in the container.

But, you ask, how does a company control access to that container and the data within? How does it revoke a user’s ability to access it without doing something to the device? The answer is encryption key management. If the data leaving the premises is encrypted under keys that a key management service can release or withhold, then everyone is a winner. The company doesn’t need to wipe an entire device to protect its data; it just needs to stop providing the key that would open it.

So, let’s summarize what these three solutions working together do for an owner of data that is going to let that data land on highly mobile devices.

  1. The Remote Access Gateway understands who the user is, what device is going to be used, and what data should be released given the risk of the device, the user and other variables. Only data that should leave will leave, and it lands
  2. inside a mobile container. The container does not let data be copied and pasted outside it, and data cannot be emailed to other applications. The data is inside and protected; it is not free to move elsewhere. And lastly,
  3. the key management solution allows the data to be opened (only inside the container) and read or used only while that user and that device are in good standing. If the user or device becomes untrusted, access to the key is revoked and the data cannot be used. The owner of the data doesn’t even need to wipe it, since it is useless without access to the keys.
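The three pieces working together, as an added example that is not SonicWall’s product code and not from the original post: a Python sketch in which a hypothetical Gateway class scores device risk, keeps every container’s data-encryption key (DEK) on the server, and releases it only to the (user, device) pair the container was issued to, and only while that pair is in good standing; a hypothetical Container class on the device holds nothing but sealed blobs and asks for the key on each read. The Python standard library has no AES, so sealing uses an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) as a stand-in for a real AEAD such as AES-GCM; the risk threshold, user names and documents are constructed.

```python
"""Added example: container data stays sealed unless the gateway releases the key.

Encryption here is a stdlib stand-in (HMAC-SHA256 keystream + HMAC tag);
use AES-GCM from a real crypto library in practice. The key-release logic
is the point of the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(dek: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one data-encryption key."""
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a block-cipher stand-in for the demo."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(dek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(dek, b"enc"), _subkey(dek, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a tampered blob is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _subkey(dek, b"enc"), _subkey(dek, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Gateway:
    """Hypothetical remote-access gateway: scores device risk, keeps every DEK
    server-side, and releases a DEK only to the (user, device) the container was
    issued to, and only while that pair is in good standing."""
    MAX_RISK = 3  # constructed threshold

    def __init__(self) -> None:
        self._standing: Dict[Tuple[str, str], bool] = {}
        self._deks: Dict[str, bytes] = {}
        self._owners: Dict[str, Tuple[str, str]] = {}
        self.audit = []  # (event, user, device, container_id)

    def enroll(self, user: str, device: str, risk_score: int) -> bool:
        ok = risk_score <= self.MAX_RISK
        self._standing[(user, device)] = ok
        return ok

    def provision(self, user: str, device: str, documents: Dict[str, bytes]):
        """Seal documents into a new container; the DEK never leaves this object."""
        if not self._standing.get((user, device)):
            raise PermissionError("device not in good standing")
        cid, dek = secrets.token_hex(8), secrets.token_bytes(32)
        self._deks[cid], self._owners[cid] = dek, (user, device)
        return cid, {name: seal(dek, data) for name, data in documents.items()}

    def release_key(self, user: str, device: str, cid: str) -> Optional[bytes]:
        """The only path by which a DEK leaves the gateway."""
        ok = self._owners.get(cid) == (user, device) and self._standing.get((user, device), False)
        self.audit.append(("released" if ok else "denied", user, device, cid))
        return self._deks[cid] if ok else None

    def revoke(self, user: str, device: str) -> None:
        self._standing[(user, device)] = False


class Container:
    """Device-side container: holds only sealed blobs and fetches the DEK per read
    (a real client would cache it under a short lease and drop it on revocation)."""

    def __init__(self, gateway: Gateway, user: str, device: str, cid: str, sealed: Dict[str, bytes]):
        self.gateway, self.user, self.device, self.cid, self.sealed = gateway, user, device, cid, sealed

    def read(self, name: str) -> bytes:
        dek = self.gateway.release_key(self.user, self.device, self.cid)
        if dek is None:
            raise PermissionError("key release denied; data stays sealed on the device")
        return unseal(dek, self.sealed[name])


def demo():
    """Constructed walk-through: returns (first read, read after revoke, read from another device)."""
    gw = Gateway()
    gw.enroll("alice", "phone-1", risk_score=1)
    cid, sealed = gw.provision("alice", "phone-1", {"plan.txt": b"Q3 pricing: confidential"})
    box = Container(gw, "alice", "phone-1", cid, sealed)
    first = box.read("plan.txt")
    gw.revoke("alice", "phone-1")  # device lost, or the user leaves the company
    try:
        after = box.read("plan.txt")
    except PermissionError as e:
        after = str(e)
    gw.enroll("mallory", "phone-2", risk_score=0)  # blobs copied to another enrolled device
    try:
        other = Container(gw, "mallory", "phone-2", cid, sealed).read("plan.txt")
    except PermissionError as e:
        other = str(e)
    return first, after, other


if __name__ == "__main__":
    print(demo())
```

Nothing on the device is wiped in the revoke path: the sealed blobs are still there, but without the DEK they are opaque, and the gateway’s audit trail records every denied release, which is the signal an operations team wants when a lost device starts asking for keys.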

This is the present. Three solutions working together. In the future, these three solutions will merge into a single solution. Companies like SonicWall have all three components required to solve BYOD, COPE or any other variation of problems affecting mobile data. In future blogs, we’ll share the progress being made in bringing this future vision to life!