It doesn't take a 100-page security report to know that security threats are rising every day. From profit-driven spambots to increasingly sophisticated virus attacks, IT is expected to fend off a rapidly growing number of threats.

Do you remember hearing about the Aurora attacks? Over 100 companies were hit by sophisticated, targeted attacks, the most publicized of these being the one against Google.

To sum up the scenario, security companies have had to face the grim reality that intrusion detection systems (IDS) are unable to prevent highly targeted, sophisticated attacks such as the Aurora attacks, leaving all potential high-profile targets (government agencies and large enterprises) with a new and frightening threat to deal with. To combat specifically targeted threats, a more targeted response is needed.

We'll explore the reasons IDS solutions fall short—and what one company is doing to combat these advanced persistent threats with a new open-source solution—below.

Why IDS Solutions Fall Short

IDS solutions are increasingly robust, and are hosted by large, powerful companies with access to the latest security threats. These companies move quickly to update their solutions to combat growing needs, and work hard to earn your trust. So how could these solutions fall short in handling certain security threats?

According to Matt Olney, Senior Research Engineer for Sourcefire, the problem is related to a matter of scale. "The problem with any sort of wire-speed detection system or IDS is that you're trying to push 10 Gbps of throughput through your device but you're also trying to mimic the actions of hundreds of thousands of PCs behind you. An example would be a PDF file—to adequately secure the file, you have to have the entire document, be able to decode certain sections, uncompress certain sections, and do the detection portion of the scheme. And when you're trying to do that at wire-speed—when you're trying to push 10 Gbps and you've got hundreds of thousands of clients behind you downloading PDF files—that's a very challenging problem."

Razorback Lets You Hone In

According to Olney, there's an increasing need to support customization at a complex level. As an open-source framework, Sourcefire's new Razorback solution gives organizations the freedom to carefully monitor and pursue specific vulnerabilities, letting them better scope out specific attacks that may be targeting only a limited audience (or maybe only that one organization or agency).

"We talked to some very high-profile targets to see what they needed, and what they said they needed was to be able to take aside information off the network and delve into it without the restrictions of keeping throughput up and not dropping packets," said Olney. "What we've ended up with is what we call a framework—the core of this system is only responsible for getting data from a collection point to one or more detection systems, and that's all that Razorback does at its core. It has a dispatcher and that's a defense routing system. All the capabilities from the detection perspective hang off that framework, and we call them nuggets. You can have detection nuggets, data capture nuggets, output nuggets, correlation nuggets, and a whole bunch of different types of functionality."

Given that security is just a word to me and not a way of life, I was looking for a way to wrap my mind around how Razorback would work in the real world. So, I posed this question: If a standard IDS solution is like a police task force, would Razorback be like a SWAT team and the CIA?

Here was Olney's response: "Actually, that's not an entirely inaccurate assessment. [Is that supposed to make me feel good?] Both the SWAT team and the CIA are features inside of it. It's SWAT in that the detection we expect people to use it for is exceptionally deep and exceptionally detailed. The outputs for our system are very granular—they will provide back the original PDF files, the block of javascript in that file, where exactly we saw what was wrong, and in many ways we'll be able to extract the shell code that the hacker was trying to run and tell you what would happen if the attack was successful. And from the CIA perspective, we actually capture targeted forensic data on mail and web traffic so you can look into the past and look back for indicators of attack in the rear. So if you find out a URL is bad, you can look back to everyone who visited that URL in your organization."
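To make the dispatcher-and-nuggets design Olney describes concrete, here is an added toy model in Python (illustration only, not Razorback's own code): a dispatcher routes each captured block to the detection nuggets registered for its data type, retains the block so a correlation query can answer "who visited this URL", and one detection nugget reports where in a PDF an embedded /JavaScript action was seen. All class and function names, and the sample traffic, are assumptions constructed for the example.

```python
# Toy model of the dispatcher/nuggets design (added illustration, not Razorback's code).
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class DataBlock:
    kind: str                 # data type, e.g. "pdf" or "http"
    source: str               # client/collection point that produced it
    payload: bytes
    meta: dict = field(default_factory=dict)

@dataclass
class Alert:
    nugget: str
    source: str
    detail: str

class Dispatcher:
    """Core routing: move blocks to the nuggets registered for their type, retain copies."""
    def __init__(self):
        self.detection = defaultdict(list)  # kind -> detection nuggets (callables)
        self.capture = defaultdict(list)    # kind -> retained blocks (data-capture nugget)
        self.alerts = []
    def register(self, kind, nugget):
        self.detection[kind].append(nugget)
    def submit(self, block):
        self.capture[block.kind].append(block)  # keep it; don't discard the evidence
        new = [a for n in self.detection[block.kind] if (a := n(block))]
        self.alerts.extend(new)
        return new
    def who_visited(self, url):
        """Correlation over captured web traffic: every source that hit a URL."""
        return sorted({b.source for b in self.capture["http"]
                       if b.meta.get("url") == url})

def pdf_javascript_nugget(block):
    """Detection nugget: flag a PDF carrying a /JavaScript action and say where."""
    idx = block.payload.find(b"/JavaScript")
    if idx == -1:
        return None
    return Alert("pdf_javascript", block.source, f"/JavaScript at offset {idx}")

def build_demo():
    d = Dispatcher()
    d.register("pdf", pdf_javascript_nugget)
    # constructed sample traffic: two hosts hit the same URL, one downloads a PDF
    d.submit(DataBlock("http", "host-a", b"", {"url": "http://bad.example/x"}))
    d.submit(DataBlock("http", "host-b", b"", {"url": "http://ok.example/"}))
    d.submit(DataBlock("http", "host-c", b"", {"url": "http://bad.example/x"}))
    d.submit(DataBlock("pdf", "host-a", b"%PDF-1.4\n1 0 obj << /S /JavaScript /JS (x) >>"))
    return d
```

Once a URL is later judged bad, `who_visited` answers the retrospective question from the retained capture rather than from packets that are long gone.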


A Tool for Standard Shops and Up—Way Up

I'm not going to lie: In discussing Razorback with Sourcefire, I felt like a nosy guest snooping around top-secret files. The company could tell me very little about Razorback's client base, as many of the organizations seeking to implement the solution are high-profile government agencies. These are the types of organizations that, on a daily basis, are being personally targeted by ne'er-do-wells around the world.

But as we've seen with the Aurora attacks, you don't have to be the Pentagon to have someone set their sights on you. And besides, according to Olney, there's plenty of value in Razorback even for smaller organizations.

"The security guy who's also the IT support guy—this system would be useful because the output from it does all the work that he would have to do. That individual may not normally have time to build his reverse engineering or PDF analysis skills up to the level that some dedicated practitioners have, but he still has a good understanding of what the threats are," said Olney. "So by doing a lot of that analysis for him and by not discarding it, that allows him to use that intelligence to support his own in-house response system."

In discussing Razorback in depth with the guys from Sourcefire, one thing became pretty clear: What Sourcefire is seeking to do with Razorback—providing a framework for agencies to make real headway toward developing solutions to the most sophisticated threats—couldn't happen with a commercial solution. Through the personal efforts of the agencies and organizations that are being targeted, we can learn more about the methods hackers are attempting, and what to do about them.

But what's in it for Sourcefire, a for-profit organization, in creating a free, open-source solution? According to Matt Watchinski, Senior Director of the Sourcefire Vulnerability Research Team, it comes down to what it means to be a security company. "Innovation only comes from people having a problem and the ability to solve it. If you want to solve real tough problems, you have to have the time to solve it. If we can't fix customer pains and problems, then what are we doing?"

Razorback is available for download from Sourcefire; to learn more, visit Sourcefire's website.
