Today’s threat landscape has required security vendors to change their approach to protecting customer data. TrendLabs℠, Trend Micro’s threat research arm, states there are now 3.5 new threats released every second by cybercriminals. Traditional approaches to security just cannot keep up with this. Those traditional processes looked like this:
- Customers would submit a suspicious file to their security vendor for analysis
- The security vendor would analyze and confirm it as malicious
- A signature would be created to identify that file as suspicious
- The signature file would be published to the vendor’s update servers
- The customer would update the signature (usually once per day) on each and every computer within their network
This process was slow, inefficient and difficult to manage by the customer’s IT administrators. Also, due to the volume of threats today, it simply cannot keep up. The solution was for the security vendors to develop a way to automatically source, analyze and publish threat protection for their customers, without any involvement by the customer. Enter cloud computing and the subsequent development of cloud-based protection networks.
Not only can cloud-based protection networks use cloud computing methods to manage this security process more effectively, but they are also able to scale with the certain increase in threats in the future. Let’s look at each of the steps in the process.
1. Sourcing of new threats
The ability to automatically source new threat data is key to a good protection network. Threat intelligence can come from numerous sources, but all have one thing in common: the process is automated and requires no human interaction. Sources can be the security vendor’s own collection methods, such as honeypots and crawlers, but more often the source is the vendor’s customers, via an automated feedback mechanism. Automated queries of URLs, IPs, domains and files from within the customers’ deployed solutions allow the vendor to obtain information about these potential threat vectors quickly and easily, without customers having to provide samples by hand. But sourcing is only the beginning of the process.
2. Analyzing and identifying new threats
Unlike the old one-dimensional threats, today’s threats are multi-dimensional. Nearly all threats are part of an overall attack in which cybercriminals utilize multiple methods to infect, propagate and steal data. Therefore, security vendors now must monitor and analyze threats within email, web and files because they are all interrelated. One method is to correlate the threats using behavior analysis within a cloud infrastructure which receives the threats via the sources mentioned above and analyzes them for patterns and behaviors between the different components of an attack in order to identify malicious activity. One example is to analyze the behavior of domains tied to IP addresses: stable (i.e. good) domains tend not to move between IP addresses, whereas criminals must constantly move their domains to other IP addresses or create new domains in order to stay off the security vendors’ radar. Another is to analyze email with embedded URLs to identify new sources of spam and malicious websites. This cloud-based behavior monitoring (i.e. cloud-based heuristics) is constantly searching for malicious behavior across all the different threat vectors. An added benefit of doing heuristics in the cloud is that the vendor is able to identify and minimize any false positives which may occur before they reach customers. The next step in this overall process, after a new threat has been identified, is to deliver protection to the customer.
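As an added illustration of the domain-to-IP stability heuristic described above (example code written for this page, not Trend Micro’s implementation), the following Python scores constructed passive-DNS-style observations by how often a domain changes its resolved IP; the domains, addresses and thresholds are all made up, and the distinct-IP threshold is the false-positive control that keeps a legitimate round-robin domain from being flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample observations: (timestamp, domain, resolved IP).
# Domains are invented and the addresses are RFC 5737 documentation ranges,
# so nothing here is a real indicator.
OBSERVATIONS = [
    ("2011-03-01T08:00:00", "stable-shop.example", "192.0.2.10"),
    ("2011-03-02T08:00:00", "stable-shop.example", "192.0.2.10"),
    ("2011-03-03T08:00:00", "stable-shop.example", "192.0.2.10"),
    ("2011-03-04T08:00:00", "stable-shop.example", "192.0.2.10"),
    ("2011-03-01T08:00:00", "churny.example", "198.51.100.5"),
    ("2011-03-01T14:00:00", "churny.example", "203.0.113.77"),
    ("2011-03-02T03:00:00", "churny.example", "198.51.100.99"),
    ("2011-03-02T20:00:00", "churny.example", "203.0.113.8"),
    # Legitimate round-robin: alternates between the same two addresses.
    ("2011-03-01T08:00:00", "cdn-ish.example", "192.0.2.20"),
    ("2011-03-01T20:00:00", "cdn-ish.example", "192.0.2.21"),
    ("2011-03-02T08:00:00", "cdn-ish.example", "192.0.2.20"),
    ("2011-03-02T20:00:00", "cdn-ish.example", "192.0.2.21"),
]

def ip_churn(observations):
    """Return {domain: (distinct_ips, hops, span_hours)}.
    A hop is an observation whose IP differs from the previous one for that domain."""
    by_domain = defaultdict(list)
    for ts, domain, ip in observations:
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    result = {}
    for domain, rows in by_domain.items():
        rows.sort()  # chronological order before counting hops
        distinct = len({ip for _, ip in rows})
        hops = sum(1 for (_, a), (_, b) in zip(rows, rows[1:]) if a != b)
        span_h = (rows[-1][0] - rows[0][0]).total_seconds() / 3600
        result[domain] = (distinct, hops, span_h)
    return result

def flag_fast_movers(observations, min_distinct=3, min_hops=2, max_hours_per_hop=24.0):
    """Flag domains that moved to at least min_distinct different IPs, hopped at
    least min_hops times, and averaged faster than one hop per max_hours_per_hop.
    Thresholds are illustrative; a round-robin domain reusing two IPs fails min_distinct."""
    flagged = []
    for domain, (distinct, hops, span_h) in ip_churn(observations).items():
        if distinct >= min_distinct and hops >= min_hops and span_h / hops < max_hours_per_hop:
            flagged.append(domain)
    return sorted(flagged)
```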
3. Cloud-based Reputation Databases
As we saw with traditional security services, when protection updates must be delivered all the way down to endpoint devices, the time to protect against new threats only grows, especially given the number of new threats propagating today. Cloud-based protection networks now incorporate reputation databases which are queried by the vendor’s solutions, instead of relying on signatures on the device. This allows the vendor not only to manage the updates but also to ensure all customers are protected at the same time. If an employee is traveling and accesses a web page, or downloads a file from the Internet, they are no longer without protection against the newest threats: the employee’s device does a simple query to the cloud-based reputation databases to check whether the email, web page or file they are accessing is good or bad. This also frees up resources on the device and the network. For example, by blocking the URL where a malicious file is located, network bandwidth need not be spent downloading the file for scanning, nor are the device’s CPU and memory used to scan it, since it has been blocked at its source.
In summary, customers who use a security vendor with a robust cloud-based protection network will see significant advantages over customers who still rely on more traditional methods. Most of what has been discussed here is never seen by the customer, which is a good thing, because they only want to ensure their data is safe. It can only be safe if the security vendor has the ability to automatically source, analyze and provide protection as quickly and efficiently as possible. Cloud-based protection networks live up to this reputation.
[Ed. note: Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them. For very detailed information about Trend Micro and Security Built for Enterprise Virtualization and Cloud Environments, please visit our website: http://bit.ly/dEmlhv ]