Migrating Security into the Network

Every day, the news validates that Internet threats have gotten more numerous and more sophisticated.  Existing security solutions have served us well, but there are holes that must be filled.  Just as attackers are relying on the power of the Internet to maximize the effectiveness of their exploits, so must security protections move into the network to maximize their effectiveness.

Today, web-based exploits depend on luring unsuspecting victims to servers controlled by attackers.  Spam is the primary vehicle for doing this, and spammers now employ sophisticated social engineering to provoke clicks on links that allow them to collect valuable confidential information or download malware.  Internet service providers go to great lengths to filter spam, and most capture well above 90 percent of it, but billions of spam messages are still delivered. 

Social networking sites are another effective malware delivery vehicle and have the advantage (for attackers) that users tend to be more comfortable at sites they are familiar with.  Users are thus more apt to click on links without carefully scrutinizing them.  Although site owners carefully screen new postings to look for malicious links, screening is not 100 percent effective. And the scale of the problem is huge, with tens of millions of new pages every day.  Spam and social networking sites are just the beginning; the mobile Internet is the next untapped frontier, and attackers are actively repurposing their infrastructure to target it. 

Every successful business requires distribution and delivery of its product, and web exploits are no different.  As discussed, social engineering coupled with spam, popular web sites, and soon the mobile Internet, provides ample distribution.  On the delivery side, smart attackers employ other tricks to maximize the return on their malware investments.  The first is changing the IP addresses of their servers regularly to make them as hard as possible to discover and take down.  The second is designing their malware so it can be altered easily to evade the filters designed to detect it.  Both tricks are easy to execute and cost virtually nothing.

Collectively these techniques give attackers many hours or days before their sites are tracked down, the malware they serve is analyzed, and a signature is developed and then downloaded and installed on millions of Internet devices (for many devices this may not happen at all).  Attackers rely on this latency advantage because in the time between an exploit is launched and protections are installed, they can take advantage of hundreds or even thousands of users.    

It’s time to take these advantages away from attackers, and service providers are uniquely positioned to do it with security protections in the network.  One clear advantage of this strategy is that protections can move from being reactive to being proactive; they can prevent users from visiting malicious sites and giving up confidential information or getting infected with malware in the first place.  Instead, when users click on a malicious link they can be sent a “teaching page” that explains the danger and offers additional resources to inform them about security. This is vastly better than allowing a download and hoping the malware is detected before any real damage occurs.