Protection Against Today's Network Attacks Begs for Unified Approach

By Scott Rosen
June 29, 2006

The increasingly complex security environment is fueling an innovative approach to network security called Unified Threat Management (UTM) that consolidates and integrates all of the major threat protection services into a single device. UTM can save time and money and redirect IT resources back to the business of improving the practice of law.

Even as companies are spending billions on sophisticated new security hardware and software, current research indicates that corporate networks are being successfully attacked. Data compromises are common. This article outlines the root causes for computer network vulnerabilities and how law firms can ensure better security and more efficient use of their security-related investments.

The Evolving Threat Landscape

Despite spending an estimated $27 billion a year on security hardware, software and services (see, Worldwide IT Security Software, Hardware, and Services 2004-2008 Forecast: The Big Picture, IDC #32557, December 2004), the FBI reported that 74% of businesses suffered a virus outbreak in 2005, and 56% experienced unauthorized use of their network. The 2005 CSI/FBI survey also showed that 97% of these networks are already protected by a firewall, 96% already use host-based anti-virus software, and 72% already have an intrusion detection system. (See, 2005 CSI/FBI Computer Crime and Security Survey, Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, Computer Security Institute, www.usdoj.gov/criminal/cybercrime/FBI2005.pdf.)

Why are we running faster, but not making any forward progress? To be sure, the spectacular and continuing growth of the Internet and our increasing reliance on it as a core business tool is an important backdrop to the problem. However, that alone does not explain the systemic failure of the security industry to substantively mitigate the risks facing their clients.

Table 1, below, summarizes what we are up against. Gone are the days when only high-profile companies had to worry about defending their computer systems. Today, everyone is a target and all networks are under continuous attack.

[Table 1: image not reproduced]

Part of the problem comes from the software running on the systems they are trying to protect. Ironically, the easier we have made systems for users, the more complicated the hardware and software infrastructures necessary to enable them have become. This increasing complexity has made it easier for hackers to exploit vulnerabilities in those systems.

[Chart 1: image not reproduced]

Chart 1, above, illustrates the dramatic increase in software vulnerabilities reported to CERT, the Computer Emergency Response Team (see, http://www.cert.org/). In 1995, slightly less than 200 vulnerabilities were reported in all software connected to the Internet. Ten years later, there were nearly 6,000 vulnerabilities reported.

Just as commercial anti-virus software has been made simultaneously more complex but easier to use, malicious innovation has made hacker tools, viruses, worms and other malware increasingly sophisticated, yet simple to construct and deploy.

As Chart 2, below, illustrates, 20 years ago a typical threat consisted of a hacker writing a password-cracking program that had to be manually installed on a PC unbeknownst to its user. The effort involved was high, requiring sophisticated knowledge and considerable time before any result was achieved. In other words, the effort-to-results ratio was low.

[Chart 2: image not reproduced]

Today, powerful virus development kits are available on the Web with visual construction tools. Like a Lego set, in a matter of minutes a relatively unskilled user can assemble a powerful program that can be hidden in an e-mail and easily penetrate and disable an unprotected computer. A marginally smarter digital crook can read a hacker blog to learn how to add remote controls, mask the digital DNA signature to get past anti-spyware programs, and pack it into a compressed data stream to bypass intrusion detection devices. Leverage a botnet to spam your creation to 1,000,000 unsuspecting users and the effort-to-results ratio is now very high.

This combination of ubiquitous vulnerabilities and sophisticated hacking tools, coupled with multiple sources of potential profit, including advertising, piracy, theft, fraud, blackmail, etc., has created an environment that leaves very little room for network administrator error.

Take patch management, for instance. A scant 6 years ago, network administrators had the better part of a year to protect their systems from vulnerabilities that would ultimately be exploited by the Melissa and Sadmind worms. By 2005, the window of vulnerability had dropped to 5 days. (See Table 2, below.)

[Table 2: image not reproduced]

As a result, reliance for security on the integrity of individual machines on a network has become a fool's errand. Imagine trying to secure your home by putting padlocks on all your cabinets and bolting down your entertainment center and appliances. This might help ('defense in depth' is generally a good thing; think of a wall safe, for example), but surely the more important consideration is preventing an intruder from entering your home in the first place. Protecting the 'perimeter' of your network is therefore critical.

Why Isn't Having a Firewall And Host-based Security Enough Anymore?

As the primary perimeter device, the firewall should be a good place to start. Unfortunately, what the CSI/FBI survey results tell us is that having firewall, anti-virus and other security hardware and software installed does not appear to be sufficient to stop security threats. But how can this be?

There are three reasons that most organizations still experience external computer security breaches, be it a virus outbreak, worm infestation, hacker intrusion, or something else:

1. Lack of Appropriate Protection. Failing to use an intrusion prevention system that would have stopped the spread of a worm. While 97% of firms have a firewall, only 35% have an intrusion prevention system. A firewall is a relatively blunt instrument and there are numerous worms and hacking attacks that can pass through a firewall freely.

2. Improperly Configured Protection. Having a firewall rule-set that inadvertently allows an attack that should have been blocked. Given the complexity of modern networks, this is extremely common. According to a 2004 study of the firewalls at 37 different corporations, every one of them had configuration problems. Indeed, 'only one of the firewalls exhibited just a single configuration error. All the others could have been easily penetrated by both unsophisticated attackers and mindless automatic worms.' (See, A Quantitative Study of Firewall Configuration Errors, Avishai Wool, Computer, IEEE Computer Society, June 2004.) While misconfigurations are sometimes the result of lack of training, the more common explanation is that the primary job of the network administrator is to get systems to work. Whether something works or not is highly visible and easy to detect. Whether that system is secure, however, can be far more subtle, and does not generally impact the user experience, at least not until there is a catastrophic failure. As a result, securely configured systems are the exception, not the rule. (See Table 3, below.)

[Table 3: image not reproduced]
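The "get it to work" failure mode described under reason 2 can be caught mechanically. The following is an added example, not code from the article or any firewall vendor: a small linter for a simplified first-match-wins rule-set that flags an any-service inbound allow, Windows file-sharing ports open to the Internet, the firewall's own management port reachable from outside, and a deny rule that an earlier allow shadows so the intended block never fires. The rule syntax, the port lists, the addresses and both sample rule-sets are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import FrozenSet, List, Optional

# Services that should not normally be reachable from the Internet
# (assumed list: Windows file sharing / RPC and the RPC portmapper).
RISKY_INBOUND = {111: "portmapper", 135: "MS-RPC", 137: "NetBIOS-NS",
                 138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 445: "SMB"}
# Ports used to administer the firewall itself (assumed).
MGMT_PORTS = {22, 23, 443}


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[FrozenSet[int]]  # destination ports; None means any service

    def covers(self, other: Rule) -> bool:
        """True if every packet matched by `other` is also matched by self."""
        if not (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)):
            return False
        return self.ports is None or (other.ports is not None and other.ports <= self.ports)


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form `<allow|deny> <src> -> <dst> <port,port|any>`."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        action, src, arrow, dst, ports = line.split()
        if action not in ("allow", "deny") or arrow != "->":
            raise ValueError(f"bad rule: {raw!r}")
        port_set = None if ports == "any" else frozenset(int(p) for p in ports.split(","))
        rules.append(Rule(action, ip_network(src), ip_network(dst), port_set))
    return rules


def lint(rules: List[Rule], inside: IPv4Network, fw_addr: IPv4Network) -> List[str]:
    """Return findings for a first-match-wins rule-set, in rule order."""
    findings = []
    for i, rule in enumerate(rules, start=1):
        # A rule fully covered by an earlier rule can never fire; when the
        # actions differ, the block the administrator wrote is silently void.
        for j, earlier in enumerate(rules[: i - 1], start=1):
            if earlier.covers(rule):
                note = ("intended block is never enforced"
                        if earlier.action != rule.action else "dead rule")
                findings.append(f"rule {i}: shadowed by rule {j} ({note})")
                break
        # The remaining checks apply only to allows whose source is outside.
        if rule.action != "allow" or rule.src.subnet_of(inside):
            continue
        if rule.ports is None and rule.dst.overlaps(inside):
            findings.append(f"rule {i}: any-service allow from outside into {rule.dst}")
            continue
        risky = sorted(p for p in rule.ports if p in RISKY_INBOUND)
        if risky and rule.dst.overlaps(inside):
            names = ", ".join(RISKY_INBOUND[p] for p in risky)
            findings.append(f"rule {i}: {names} reachable from outside")
        if rule.dst.overlaps(fw_addr) and rule.ports & MGMT_PORTS:
            findings.append(f"rule {i}: firewall management port open to outside")
    return findings


INSIDE = ip_network("10.0.0.0/8")       # assumed internal address space
FW_ADDR = ip_network("10.0.0.1/32")     # assumed firewall address

# Constructed "make it work" rule-set: rule 3 was added during troubleshooting
# and lets everything in, so the SMB block in rule 4 can never take effect.
WEAK_RULES = """
allow 0.0.0.0/0   -> 10.0.0.5/32  25,80,443   # mail / web server
allow 0.0.0.0/0   -> 10.0.0.1/32  22          # admin ssh from anywhere
allow 0.0.0.0/0   -> 10.0.0.0/8   any         # "temporary" troubleshooting rule
deny  0.0.0.0/0   -> 10.0.0.0/8   445         # intended SMB block
deny  0.0.0.0/0   -> 0.0.0.0/0    any
"""

# Constructed corrected rule-set: publish only the needed services, reach the
# firewall's ssh only from the management LAN, and deny everything else.
HARDENED_RULES = """
allow 0.0.0.0/0   -> 10.0.0.5/32  25,80,443
allow 10.0.1.0/24 -> 10.0.0.1/32  22
deny  0.0.0.0/0   -> 0.0.0.0/0    any
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, lint(parse_rules(text), INSIDE, FW_ADDR) or ["no findings"])
```

Run against the weak rule-set it reports three findings (exposed management port, any-service allow, shadowed SMB deny); the hardened set produces none.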

In 2001, the Code Red I v2 worm doubled its infection rate every 37 minutes. Within 14 hours, it had infected 359,000 machines. A daily anti-virus update might have missed this, but hourly updates were probably sufficient.

In 2004, the SQL Slammer worm doubled the number of computers it was infecting every 8 seconds. Within 3 minutes, it was scanning 55 million computers a second for vulnerabilities. Within 10 minutes, it had compromised 10,000 SQL Servers, an estimated 90% of all vulnerable machines in the world. Hourly updates wouldn't have helped here. Protection now needs to be proactive and in real-time.
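The update-cadence argument in the two worm paragraphs above can be made quantitative with a logistic spread model. This is an added example, not from the article: the infected count doubles every `doubling_s` seconds until it saturates at the vulnerable population, and `protectable_fraction` gives the share of that population still clean when a signature update issued after a given interval arrives. The population sizes (360,000 for Code Red, 11,000 for Slammer, derived from the quoted figures) and the single-host start are assumptions.

```python
import math


def infected_at(pop: int, doubling_s: float, t_s: float, seed: int = 1) -> float:
    """Hosts infected t_s seconds after the first infection, assuming the
    count doubles every `doubling_s` seconds until it saturates at the
    vulnerable population `pop` (a logistic curve)."""
    return pop / (1 + (pop / seed - 1) * 2 ** (-t_s / doubling_s))


def time_to_fraction(pop: int, doubling_s: float, frac: float, seed: int = 1) -> float:
    """Seconds until `frac` of the vulnerable population is infected
    (the inverse of infected_at)."""
    return doubling_s * math.log2((frac / (1 - frac)) * (pop / seed - 1))


def protectable_fraction(pop: int, doubling_s: float, update_s: float, seed: int = 1) -> float:
    """Share of the vulnerable population still clean when a signature update
    issued `update_s` seconds after the outbreak starts reaches it."""
    return 1 - infected_at(pop, doubling_s, update_s, seed) / pop


# Constructed scenarios from the figures quoted above; the population sizes
# are assumptions (for Slammer, 10,000 hosts was said to be about 90%).
SCENARIOS = {
    "Code Red I v2": dict(pop=360_000, doubling_s=37 * 60),
    "SQL Slammer": dict(pop=11_000, doubling_s=8),
}
CADENCES = {"daily": 86_400, "hourly": 3_600, "every 5 min": 300, "real-time (10 s)": 10}


def cadence_table(pop: int, doubling_s: float) -> dict:
    """Protectable share for each update cadence, rounded to three places."""
    return {name: round(protectable_fraction(pop, doubling_s, secs), 3)
            for name, secs in CADENCES.items()}


if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        hours = time_to_fraction(frac=0.9, **params) / 3600
        print(f"{name}: 90% of vulnerable hosts infected after {hours:.2f} h")
        for cadence, share in cadence_table(**params).items():
            print(f"  {cadence:>16}: {share:.1%} still protectable")
```

With the article's doubling times the model reproduces its conclusion: Code Red reaches 90% saturation after roughly 13 hours, so an hourly update protects almost everyone and a daily one almost no one, while Slammer saturates in minutes and even hourly updates arrive too late.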

Today's Network Attacks Beg for a Unified Approach

The threat sophistication discussed earlier is currently being combated with a proliferating number of security devices, as listed in Table 4, below. These individual devices address distinct aspects of network security, such as a firewall vs. intrusion detection and prevention, or anti-virus vs. anti-spyware. They are usually acquired incrementally and have little coordination, correlation, or cooperation between them. While each security device might excel at addressing a specific threat, it doesn't work in concert with other devices to tackle blended threats: sophisticated attacks that leverage the strengths of more than one category of malware. For example, an incoming piece of spam could direct users to a Web site that launches a hacking attack to infect the user's machine with a hidden Trojan that commandeers the computer to infect other computers on the same corporate network, and then connects to the Internet to enlist in an army of similarly compromised computers.

[Table 4: image not reproduced]

Single-function solutions often fail to identify and repel blended threats because: 1) they do not work in concert with other security components; 2) they may require intensive manual configuration, tuning, and log/report analyses; and 3) they may require frequent updates, a time-consuming and often confusing activity fraught with human error. Even the largest and most vigilant firms often need hours or days to keep these disparate systems patched, up to date, appropriately configured, monitored and maintained. In fact, research suggests that law firm IT managers can spend as much as 70% of their total network administration time on managing security functions.

These IT sinkholes impact all industries, but have become particularly acute in the legal profession, which consists primarily of small and mid-sized firms with limited technical resources. Further complicating this, clients increasingly demand that their lawyers produce work digitally and be available online. Yet, despite maintaining some of their clients' most confidential and sensitive information on their networks, law firms trail behind all other industries regarding investment in network security, according to the CSI/FBI survey.

Lower Cost, More Efficient Solution

In order to overcome the weaknesses inherent in the point solution strategy, a new approach was developed. Although IDC coined the term 'Unified Threat Management' in 2004, the first UTM appliance was actually launched in 2000.

The concept behind UTM is that by consolidating multiple security functions on a single device, the coordination and integration of these services can increase their effectiveness. Plus, having a single device can reduce costs and administrative burden. Most UTM implementations include a single management interface, as well as a consolidated procedure for obtaining and installing updates.

By including all the major security functions in one place, UTM appliances can, assuming one subscribes to all their functions, ensure that there is no gap in a firm's security perimeter from a missing security component. At the same time, the consolidation onto a single box can make providing these services dramatically cheaper than stand-alone solutions.

While implementations vary, the UTM structure promises an additional increase in security by allowing the various security functions to coordinate and interact to further close gaps that might otherwise allow attacks to get through. Tight integration of intrusion prevention with the firewall, leveraging the Web proxy's URL database to increase the effectiveness of spam filters, or using the anti-virus engine to scan Web traffic for spyware downloads, are a few examples of UTM protection.

Tackling the second major contributor to security failure, UTMs generally provide a consolidated management interface. Training requirements are significantly abridged and the reduced complexity of managing multiple components on a single infrastructure helps reduce configuration errors. Nevertheless, the underlying security functions still need to be managed appropriately, so professional security expertise is recommended. Some security vendors actively manage UTM appliances on behalf of their clients.

Finally, by providing a single consolidated update method, UTMs can facilitate the rapid and continual process of keeping the security software patched and threat signatures up-to-date. While the speed with which vendors produce new security updates will still be critical in defending against the latest threats of the day, the UTM framework ensures that vigilant administrators have a streamlined process to work with. The framework provides the possibility of coordinated real-time updates of all security subsystems, although to date this has only been implemented by a few vendors.

UTMs Ease Human Factor

Security is not exclusively a technology problem; it's a people and process problem. Certainly you need to install technology, but that's only the starting point. What makes a network secure is the continuous proper configuration, administration and maintenance of that technology. Having the world's best door locks won't help if you leave them unlocked, hide a spare key under your welcome mat or leave your back windows open.

Keeping a network secure thus requires vigilance and effort. In a heterogeneous environment with multiple single-function security solutions, this effort can overwhelm IT staff, resulting in either compromised security, reduced resources for non-security activities, or both.

By dramatically lowering the resource commitment required in terms of both time and expense, UTM appliances promise an attractive alternative to this Hobson's choice of economy or security. Law firms may continue to lag behind other industries in their spending on security solutions, but with the help of UTM appliances, they need not compromise in the actual security of their networks.


Scott Rosen is President (North America) for Network Box, a provider of subscription-based Unified Threat Management and managed security solutions. He is based in Jersey City, NJ and can be reached at [email protected].

The increasingly complex security environment is fueling an innovative approach to network security called Unified Threat Management (UTM) that consolidates and integrates all of the major threat protection services into a single device. UTM can save time and money and redirect IT resources back to the business of improving the practice of law.

Even as companies are spending billions on sophisticated new security hardware and software, current research indicates that corporate networks are being successfully attacked. Data compromises are common. This article outlines the root causes for computer network vulnerabilities and how law firms can ensure better security and more efficient use of their security-related investments.

The Evolving Threat Landscape

Despite spending an estimated $27 billion a year on security hardware, software and services (see, Worldwide IT Security Software, Hardware, and Services 2004-2008 Forecast: The Big Picture, IDC #32557, December 2004), the FBI reported that 74% of businesses suffered a virus outbreak in 2005; and 56% experienced unauthorized use of their network. The 2005 CSI/FBI survey also showed that 97% of these networks are already protected by a firewall, 96% already use host-based anti-virus software, and 72% already have an intrusion detection system. (See, 2005 CSI/FBI Computer Crime and Security Survey, Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, Computer Security Institute, www.usdoj.gov/criminal/cybercrime/FBI2005.pdf.)

Why are we running faster, but not making any forward progress? To be sure, the spectacular and continuing growth of the Internet and our increasing reliance on it as a core business tool is an important backdrop to the problem. However, that alone does not explain the systemic failure of the security industry to substantively mitigate the risks facing their clients.

Table 1, below, summarizes what we are up against. Gone are the days when only high-profile companies had to worry about defending their computer systems. Today, everyone is a target and all networks are under continuous attack.

[IMGCAP(1)]

Part of the problem comes from the software running on the systems they are trying to protect. Ironically, the easier we have made systems for users, the more complicated the hardware and software infrastructures necessary to enable them have become. This increasing complexity has made it easier for hackers to exploit vulnerabilities in those systems.

[IMGCAP(2)]

Chart 1, above, illustrates the dramatic increase in software vulnerabilities reported to CERT, The Computer Emergency Response Team (see, http://www.cert.org/). In 1995, slightly less than 200 vulnerabilities were reported in all software connected to the Internet. Ten years later, there were nearly 6000 vulnerabilities reported.

Just as commercial anti-virus software has been made simultaneously more complex but easier to use, malicious innovation has made hacker tools, viruses, worms and other malware increasingly sophisticated, yet simple to construct and deploy.

As Chart 2, below, illustrates, 20 years ago, a typical threat consisted of a hacker writing a password-cracking program that had to be manually installed on a PC unbeknownst to its user. The effort involved was high and required sophisticated knowledge and time for the result to take place. In other words, the effort-to-results ratio was low.

[IMGCAP(3)]

Today, powerful virus development kits are available on the Web with visual construction tools. Like a Lego' set, in a matter of minutes a relatively unskilled user can assemble a powerful program that can be hidden in an e-mail and easily penetrate and disable an unprotected computer. A marginally smarter digital crook can read a hacker blog to learn how to add remote controls, mask the digital DNA signature to get past anti-spyware programs, and pack it into a compressed data stream to bypass intrusion detection devices. Leverage a botnet to spam your creation to 1,000,000 unsuspecting users and the effort-to-results ratio is now very high.

This combination of ubiquitous vulnerabilities and sophisticated hacking tools, coupled with multiple sources of potential profit ' including advertising, piracy, theft, fraud, blackmail, etc ' have created an environment that leaves very little room for network administrator error.

Take patch management, for instance. A scant 6 years ago, network administrators had the better part of a year to protect their systems from
vulnerabilities that would ultimately be exploited by the Melissa and Sadmind worms. By 2005, the window of vulnerability had dropped to 5 days. (See Table 2, below.)

[IMGCAP(4)]

As a result, reliance for security on the integrity of individual machines on a network has become a fool's errand. Imagine trying to secure your home by putting padlocks on all your cabinets and bolting down your entertainment center and appliances. This might help ('defense in depth' is generally a good thing ' think of a wall safe, for example), but surely the more important consideration is preventing an intruder from entering your home in the first place. Protecting the 'perimeter' of your network is therefore critical.

Why Isn't Having a Firewall And
Host-based Security Enough Anymore?

As the primary perimeter device, the firewall should be a good place to start. Unfortunately, what the CSI/FBI survey results tell us is that having firewall, anti-virus and other security hardware and software installed appears not be sufficient in stopping security threats. But how can this be?

There are three reasons that most organizations still experience external computer security breaches, be it a virus outbreak, worm infestation, hacker intrusion, or something else:

1. Lack of Appropriate Protection. Failing to use an intrusion prevention system that would have stopped the spread of a worm. While 97% of firms have a firewall, only 35% have an intrusion prevention system. A firewall is a relatively blunt instrument and there are numerous worms and hacking attacks that can pass through a firewall freely.

2. Improperly Configured Protection. Having a firewall rules-set that inadvertently allows an attack to occur that should have been blocked. Given the complexity of modern networks, this is extremely common. Accor-ding to a 2004 study of the firewalls at 37 different corporations, every one of them had configuration problems. Indeed, 'only one of the firewalls exhibited just a single configuration error. All the others could have been easily penetrated by both unsophisticated attackers and mindless automatic worms.' (See, A Quantitative Study of Firewall Configuration Errors, Avishai Wool, Computer, IEEE Computer Society, June 2004.) While misconfigurations are sometimes the result of lack of training, the more common explanation is that the primary job of the network administrator is to get systems to work. Whether something works or not is highly visible and easy to detect. Whether that system is secure however, can be far more subtle, and does not generally impact the user experience ' at least not until there is a catastrophic failure. As a result, securely configured systems are the exception, not the rule. (See Table 3, below.)

[IMGCAP(5)]

In 2001, the Code Red I v2 worm doubled its infection rate every 37 minutes. Within 14 hours, it had infected 359,000 machines. A daily anti-virus update might have missed this, but hourly updates were probably sufficient.

In 2004, the SQL Slammer worm doubled the number of computers it was infecting every 8 seconds. Within 3 minutes, it was scanning 55 million computers a second for vulnerabilities. Within 10 minutes, it had compromised 10,000 SQL Servers ' an estimated 90% of all vulnerable machines in the world. Hourly updates wouldn't have helped here. Protection now needs to be proactive and in real-time.

Today's Network Attacks
Beg for a Unified Approach

The threat sophistication discussed earlier is currently being combated with a proliferating number of security devices, as listed in Table 4, below. These individual devices address unique aspects of network security such as a firewall vs. intrusion detection and prevention, or anti-virus vs. anti-spyware. They are usually acqui-red incrementally and have little coordination, correlation, or cooperation between them. While each security device might excel at addressing a specific threat, it doesn't work in concert with other devices to tackle blended threats ' sophisticated attacks that leverage the strengths of more than one category of malware. For example, an incoming piece of spam could direct users to a Web site that launches a hacking attack to infect the user's machine with a hidden Trojan that commandeers the computer to infect other computers on the same corporate network, and then connect to the Internet to enlist in an army of similarly compromised computers.

[IMGCAP(6)]

Single-function solutions often fail to identify and repel blended threats because: 1) they do not work in concert with other security components; 2) they may require intensive manual configuration, tuning, and log/report analyses; and 3) they may require frequent updates ' a time-consuming and often confusing activity fraught with human error. Even the largest and most vigilant firms often need hours or days to keep these disparate systems patched, up to date, appropriately configured, monitored and maintained. In fact, research suggests that law firm IT managers can spend as much as 70% of their total network administration time on managing security functions.

These IT sink holes impact all industries, but have become particularly acute in the legal profession that consists primarily of small and mid-sized firms with limited technical resources. Further complicating this, clients increasingly demand their lawyers produce work digitally and be available online. Yet, despite maintaining some of their client's most confidential and sensitive information on their networks, law firms trail behind all other industries regarding investment in network security, according to the CSI/FBI survey.

Lower Cost, More Efficient Solution

In order to overcome the weaknesses inherent in the point solution strategy, a new approach was developed. Termed 'Unified Threat Management' by IDC in 2004, the first UTM appliance was actually launched in 2000.

The concept behind UTM is that by consolidating multiple security functions on a single device, the coordination and integration of these services can increase their effectiveness. Plus, having a single device can reduce costs and administrative burden. Most UTM implementations include a single management interface, as well as a consolidated procedure for obtaining and installing updates.

By including all the major security functions in one place, UTM appliances can ' assuming one subscribes to all their functions ' ensure that there is no gap in a firm's security perimeter from a missing security component. At the same time, the consolidation onto a single box can make providing these services dramatically cheaper than stand-alone solutions.

While implementations vary, the UTM structure promises an additional increase in security by allowing the various security functions to coordinate and interact to further close gaps that might otherwise allow attacks to get through. Tight integration of intrusion prevention with the firewall, leveraging the Web proxy's URL database to increase the effectiveness of spam filters, or using the anti-virus engine to scan Web traffic for spyware downloads, are a few examples of UTM protection.

Tackling the second major contributor to security failure, UTMs generally provide a consolidated management interface. Training requirements are significantly abridged and the reduced complexity of managing multiple components on a single infrastructure helps reduce configuration errors. Nevertheless, the underlying security functions still need to be managed appropriately, so professional security expertise is recommended. Some security vendors actively manage UTM appliances on behalf of their clients.

Finally, by providing a single consolidated update method, UTMs can facilitate the rapid and continual process of keeping the security software patched and threat signatures up-to-date. While the speed with which vendors produce new security updates will still be critical in defending against the latest threats of the day, the UTM framework ensures that vigilant administrators have a streamlined process to work with. The framework provides the possibility of coordinated real-time updates of all security subsystems, although to date this has only been implemented by a few vendors.

UTMs Ease Human Factor

Security is not exclusively a technology problem ' it's a people and process problem. Certainly you need to install technology, but that's only the starting point. What makes a network secure is the continuous proper configuration, administration and maintenance of that technology. Having the world's best door locks won't help if you leave them unlocked, hide a spare key under your welcome mat or leave your back windows open.

Keeping a network secure thus requires vigilance and effort. In a heterogeneous environment with multiple single-function security solutions, this effort can overwhelm IT staff, resulting in either compromised security, reduced resources for non-security activities, or both.

By dramatically lowering the resource commitment required in terms of both time and expense, UTM appliances promise an attractive
alternative to this Hobson's choice of economy or security. Law firms may continue to lag behind other industries in their spending on security solutions, but with the help of UTM appliances, they need not compromise in the actual security of their networks.


Scott Rosen is President (North America) for Network Box, a provider of subscription-based Unified Threat Management and managed security solutions. He is based in Jersey City, NJ and can be reached at [email protected].
Read These Next
Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

Fresh Filings Image

Notable recent court filings in entertainment law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.