IT security is changing: new developments are designed not just to deflect attacks but also to combat intruders that have already penetrated a company’s IT network.
Coinciding with this year's it-sa in Nuremberg, the German Federal Office for Information Security (BSI) published its annual report for 2018, which confirmed what everyone had been expecting: there had been an increase in both the number of attacks and the amount of malware in circulation. This year, malicious programmes have already increased by 200 million over the previous year, and every day another 390,000 new malware variants are added. Most of these are simple variants of known versions, but nobody knows whether and when a dangerous new form will be brought into circulation. Against this background there is a demand for new technologies to counter such attacks. Various solutions were introduced and discussed at it-sa 2018.
One new approach is micro-segmentation, a modification of the familiar firewall in which software agents on important servers and devices analyse the communication streams between machines; the results are then visualised in a second step. Data exchange and dependencies between machines become visible, and the target state can be compared with the actual state. Fewer communication options mean fewer opportunities for attack, so firewall rules are then generated automatically from the results and installed on the computers concerned, restricting the data streams on each server to the task-specific minimum, e.g. communication between the database server and its clients. According to industry professionals, this technology has proven particularly effective with cloud services, which often have more communication channels open than necessary.
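The workflow described above (observe flows, compare target against actual, derive a minimal allow-list) can be shown in a few lines. The following is an added illustration, not code from any product shown at it-sa or from the article; the host names, flow records, target policy and the plain-tuple rule format are all constructed, and the decision to whitelist only flows that are both observed and intended (flagging the rest for review) is a design choice of this example.

```python
"""Constructed example: derive least-privilege, per-host allow-lists from
observed flows and compare them against the intended (target) policy.
All host names, flow records and the policy below are made up."""
from collections import defaultdict

# Constructed flow records as an agent might export them:
# (source host, destination host, destination port, protocol)
OBSERVED_FLOWS = [
    ("app01", "db01", 5432, "tcp"),
    ("app02", "db01", 5432, "tcp"),
    ("app01", "db01", 5432, "tcp"),   # repeated flow: must not produce a duplicate rule
    ("admin-jump", "db01", 22, "tcp"),
    ("app01", "db01", 22, "tcp"),     # app server on the SSH port: not in the target policy
    ("mon01", "app01", 9100, "tcp"),
]

# Target policy (constructed): which (peer, port, proto) each protected host should accept.
TARGET_POLICY = {
    "db01": {("app01", 5432, "tcp"), ("app02", 5432, "tcp"), ("admin-jump", 22, "tcp")},
    "app01": {("mon01", 9100, "tcp")},
}


def aggregate_inbound(flows):
    """Actual state: the set of (peer, port, proto) seen arriving at each host."""
    inbound = defaultdict(set)
    for src, dst, port, proto in flows:
        inbound[dst].add((src, port, proto))
    return dict(inbound)


def compare(actual, target):
    """Target vs actual: flows that were seen but not intended, and flows that
    were intended but never seen (candidates for removal from the policy)."""
    report = {}
    for host in set(actual) | set(target):
        seen = actual.get(host, set())
        intended = target.get(host, set())
        report[host] = {
            "unexpected": sorted(seen - intended),
            "unused": sorted(intended - seen),
        }
    return report


def generate_rules(host, allowed):
    """Emit an allow-list for one host followed by a default deny.
    Rules are plain tuples so they can be rendered for any firewall syntax."""
    rules = [("allow", peer, port, proto) for peer, port, proto in sorted(allowed)]
    rules.append(("deny", "any", "any", "any"))
    return rules


def build_rulesets(flows, target):
    """Rules come from the target policy intersected with what was actually observed,
    so an unexpected flow is never whitelisted merely because it occurred."""
    actual = aggregate_inbound(flows)
    return {
        host: generate_rules(host, actual.get(host, set()) & target[host])
        for host in target
    }


if __name__ == "__main__":
    actual_state = aggregate_inbound(OBSERVED_FLOWS)
    for host, delta in compare(actual_state, TARGET_POLICY).items():
        print(host, delta)
    for host, rules in build_rulesets(OBSERVED_FLOWS, TARGET_POLICY).items():
        print(host, rules)
```

Running it reports the SSH flow from `app01` to `db01` as unexpected and leaves it out of the generated ruleset, so the database server ends up accepting only its clients on 5432 and the jump host on 22, with everything else denied.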
To deploy suitable security technologies it is helpful to look over the attackers' shoulders and ideally control them like puppets. If they have already successfully penetrated the company then at least they shouldn’t be able to do any damage or obtain any critical information.
The new technology solution is known as deception. A digital maze seeded with decoys designed to lure intruders is set up in the company network so that intruders lose their way. These lures or decoys may be access data for administrators, special servers holding company files, or similar. Technologically, deception resembles the familiar honeypots that security specialists often use to study attackers' techniques. Whereas honeypots exposed on the internet entice attackers from outside the company network, deception targets intruders who have already penetrated the company's network: as they move through the network, their methods and targets are analysed.
Deception offers central management tools that allow for a spontaneous configuration change or complete refresh of all components. Through a process of virtualisation, the network is also enlarged, making it appear even bigger and more complex to intruders: for example, 3,000 computers would look like 30,000 complex systems. And if that is not enough to confuse them, additional spontaneous configuration changes are likely to drive most of them mad.
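What makes decoys useful for detection is that no legitimate user or process ever touches them, so any use of a planted credential or a decoy server is a high-confidence alert, and the sequence of hits from one source shows the route an intruder took. The following is an added example written for this article, not code from any deception product; the decoy inventory, the log format and every log line are constructed.

```python
"""Constructed example: detect use of deception decoys in authentication logs
and reconstruct the path an intruder took between them. Decoy names, the log
format and the sample lines below are all made up for illustration."""
import re
from dataclasses import dataclass

# Constructed decoy inventory: planted administrator credentials and a decoy file server.
DECOY_ACCOUNTS = {"svc_backup_admin", "da-legacy"}
DECOY_HOSTS = {"fs-finance-02"}

# Constructed log format: "<ISO time> host=<target> user=<name> src=<ip> result=<ok|fail>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)

SAMPLE_LOG = """\
2018-10-09T08:01:12Z host=app01 user=alice src=10.0.5.20 result=ok
2018-10-09T08:03:44Z host=fs-finance-02 user=bob src=10.0.7.31 result=fail
2018-10-09T08:03:50Z host=db01 user=svc_backup_admin src=10.0.7.31 result=fail
2018-10-09T08:04:02Z host=dc01 user=da-legacy src=10.0.7.31 result=ok
2018-10-09T08:10:00Z host=app02 user=carol src=10.0.5.22 result=ok
malformed line that the parser must skip
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    user: str
    reason: str


def parse(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def decoy_alerts(log_text):
    """Every event touching a decoy account or decoy host becomes an alert,
    regardless of result: a failed logon with a planted credential is as
    telling as a successful one, since nobody legitimate should know it."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in DECOY_ACCOUNTS:
            reasons.append("decoy-account")
        if ev["host"] in DECOY_HOSTS:
            reasons.append("decoy-host")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["src"], ev["host"], ev["user"], "+".join(reasons)))
    return alerts


def attacker_paths(alerts):
    """Group alerts by source address in time order, giving the route a
    source took through the decoys (ISO-8601 timestamps sort lexically)."""
    paths = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        paths.setdefault(a.src, []).append((a.ts, a.host, a.user))
    return paths


if __name__ == "__main__":
    found = decoy_alerts(SAMPLE_LOG)
    for a in found:
        print(a)
    print(attacker_paths(found))
```

On the sample lines, the ordinary logons by `alice` and `carol` produce nothing, while the three decoy touches from `10.0.7.31` are collapsed into one path: decoy file server, then the planted backup credential, then the planted domain credential. In practice the decoy inventory would be fed from the deception platform's central management rather than hard-coded, so that the spontaneous refreshes the article mentions keep the detector in sync.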