Packet inspection no longer sufficient to overcome cyber attacks

SANS Institute: 20 February 2013 (Technical Article)
A SANS Institute faculty member comments on the need to move beyond real-time packet inspection as networks become faster and harder to secure

As network speeds increase with new technologies and demand, real-time packet inspection on its own is no longer sufficient to deal with cyber-attacks: the sensor cannot inspect every packet at line rate, so detection has to draw on other data. According to Dr Johannes Ullrich, Dean of Research and a faculty member of the SANS Technology Institute, “Faster networks are making it harder for intrusion detection techniques to keep up with the threats. Instead organisations need to turn to a wider set of data gathering techniques to be able to spot attackers.”

Ullrich points to techniques such as NetFlow analysis and the correlation of intrusion-detection alerts with other log sources, for example DNS query logs, as skills that help detect intrusions that packet inspection alone would miss. “These are two areas where we have expanded in the SEC503: Intrusion Detection In-Depth course and both can help to offset the limitations of real-time deep packet inspection,” he adds.
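The alert-to-DNS correlation Ullrich describes, as an added example that is not from the article or from any SANS course material: Snort-style fast-format alerts and BIND-style query-log lines (both constructed here, with made-up hosts, names and signature IDs) are joined on the alerting host and a short time window, so an analyst sees which names a host resolved just before the sensor fired, and names that only one host in the whole log ever resolved are flagged as stronger pivots. The exact log layouts and the five-second window are assumptions, not settings from the text.

```python
"""Correlate IDS alerts with DNS query logs by source host and time window.

Added example; not part of the article or of SANS course material. Log
layouts, hosts, names, signature IDs and timestamps are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed Snort-style "fast" alert lines (signature IDs are made up).
ALERTS = """\
02/20-10:15:02.481000  [**] [1:1000001:1] EXAMPLE outbound HTTP beacon [**] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.10:80
02/20-10:20:45.002000  [**] [1:1000002:1] EXAMPLE suspicious TLS handshake [**] [Priority: 2] {TCP} 10.0.0.9:50000 -> 198.51.100.7:443
"""

# Constructed BIND-style query-log lines (layout assumed for this example).
DNS_LOG = """\
20-Feb-2013 10:14:58.120 client 10.0.0.5#51234: query: intranet.example.test IN A + (10.0.0.53)
20-Feb-2013 10:15:01.900 client 10.0.0.5#51240: query: cdn7-update.example.test IN A + (10.0.0.53)
20-Feb-2013 10:15:30.000 client 10.0.0.5#51250: query: mail.example.test IN A + (10.0.0.53)
20-Feb-2013 10:20:44.500 client 10.0.0.9#40001: query: login-verify.example.test IN A + (10.0.0.53)
20-Feb-2013 10:20:44.900 client 10.0.0.7#40002: query: intranet.example.test IN A + (10.0.0.53)
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+\s*$"
)
DNS_RE = re.compile(
    r"^(?P<ts>\d\d-[A-Za-z]{3}-\d{4} \d\d:\d\d:\d\d\.\d+)\s+client\s+"
    r"(?P<client>[\d.]+)#\d+:\s+query:\s+(?P<qname>\S+)\s+IN\s+(?P<qtype>\w+)"
)


class Alert(NamedTuple):
    ts: datetime
    sig: str
    msg: str
    src: str
    dst: str


class DnsQuery(NamedTuple):
    ts: datetime
    client: str
    qname: str
    qtype: str


def parse_alerts(text: str, year: int = 2013) -> List[Alert]:
    """Parse fast-format alerts; the format carries no year, so one is supplied."""
    out: List[Alert] = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line; skip rather than fail the whole batch
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
        out.append(Alert(ts, m["sig"], m["msg"], m["src"], m["dst"]))
    return out


def parse_dns(text: str) -> List[DnsQuery]:
    out: List[DnsQuery] = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        out.append(DnsQuery(ts, m["client"], m["qname"], m["qtype"]))
    return out


def correlate(alerts: List[Alert], queries: List[DnsQuery],
              window_s: float = 5.0) -> List[Tuple[Alert, List[DnsQuery]]]:
    """For each alert, the DNS queries the alerting host made in the
    window_s seconds up to and including the alert time, oldest first."""
    by_client: Dict[str, List[DnsQuery]] = defaultdict(list)
    for q in queries:
        by_client[q.client].append(q)
    for qs in by_client.values():
        qs.sort(key=lambda q: q.ts)
    window = timedelta(seconds=window_s)
    return [(a, [q for q in by_client.get(a.src, []) if a.ts - window <= q.ts <= a.ts])
            for a in alerts]


def rare_names(queries: List[DnsQuery]) -> Set[str]:
    """Names resolved by exactly one client across the whole log. A name only
    the alerting host ever looked up is a stronger pivot than a popular one."""
    clients_per_name: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        clients_per_name[q.qname].add(q.client)
    return {n for n, cs in clients_per_name.items() if len(cs) == 1}


if __name__ == "__main__":
    queries = parse_dns(DNS_LOG)
    rare = rare_names(queries)
    for alert, hits in correlate(parse_alerts(ALERTS), queries):
        print(f"{alert.ts} {alert.src} -> {alert.dst}  {alert.msg}")
        for q in hits:
            flag = "  [only this host resolved it]" if q.qname in rare else ""
            print(f"    {q.ts}  {q.qname} ({q.qtype}){flag}")
```

In production the same join runs against the DNS resolver's logs rather than a string, and the window is tuned to the resolver's TTLs and the client's caching behaviour; a cached name will not appear in the log at all, which is why the window should not be made so narrow that only the immediately preceding query qualifies.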

Although the most common attack vector is still users opening malicious attachments and following links to infected sites, including ones that trigger “zero-day attacks”, Dr Ullrich also points to the proliferation of mobile devices as a smaller but growing threat. “Apple iOS is better at stopping these threats as its devices are more closed but Android is a real challenge and we are seeing malware, especially those attacking two-factor authentication systems, used in mobile banking applications.”

He also points to cellular networks as an alternative route around traditional network firewalls and IPS: attackers compromise a mobile client over the carrier network, where the enterprise has no visibility, and then “piggyback” on that device into the enterprise environment. “These attacks are still rare but the difficulty in looking into these cellular networks and mobile devices combined with an inability to set up device level firewalls or inspection tools makes the situation a longer term risk.”

The piggyback issue also relates to counter-intelligence, another area where intrusion detection technology is becoming useful, including the ability to detect whether communication has been tampered with or intercepted by a third party. “Detecting interception of communication either by the state or cyber criminals is an area that we explore in the course and it also neatly intersects with the SEC566: Implementing and Auditing the Twenty Critical Security Controls - In-Depth course that is also running at SANS Abu Dhabi 2013.”

Dr Ullrich points out that, once implemented, the Twenty Critical Security Controls can offer a marked improvement in network security, but that without intrusion detection skills it is difficult to verify that the controls are actually working. “The SEC503 course teaches a lot of process including setting up tools, developing architecture and how to tune your sensors,” he explains, “but beyond that, we teach more advanced skills and also look at what threats are on the horizon and how to spot these new trends as they start to move from theoretical to prevalent.”

Dr Ullrich is chief research officer for the SANS Institute and is currently responsible for the GIAC Gold program. He started the DShield.org project, which he later integrated into the Internet Storm Center, and his work with the Internet Storm Center has been widely recognized. In 2004, Network World named him one of the 50 most powerful people in the networking industry.
