Perimeter defense has, today, many facets. In the old days (five years ago?) we thought of perimeter defense as something a firewall did. Or, perhaps, a firewall and an intrusion prevention system (IPS). Or some sort of gateway. Then we started converging those pieces into smart gateways and next-generation firewalls. That is still fine for the traditional enterprise, but today we are seeing entire data centers moved into clouds, whether public or private. That raises an entirely different question: How do we protect a perimeter that does not, physically, exist?
Several companies have struggled with this, and there are a few shining stars. However, the real benefits for companies that are hybrids – and that is a very large percentage these days – are that the cloud is both a source of challenge and a source of high-powered analysis. Move the security to the endpoints, continue to protect the physical perimeter of your enterprise and tie everything together, and you have a neat little package of protection.
Our Innovators in this category this year have done that and a bit more. One puts the sensors at the endpoints and does the analytics in the cloud. Lots of benefits to that architecture as you will see. The other is a deep analysis tool that figures out what is hitting the physical perimeter and addresses it without impacting – in fact, usually improving – the performance of the enterprise interface to the internet.
What we really liked about these two products was that they both take advantage of internet resources. In one case, malware checking is taken to a real extreme without adding an included anti-malware product. In the other case, attacks are stopped by aggressive active response.
Are these players innovative? We absolutely believe that they are. You'll need to decide for yourself, of course, but in our years of doing this we have not seen such simple – without being simplistic – effective responses to a couple of serious challenges. With that said, let's get to these folks and see what they have to offer.
Barrier1
This is the second year here for this Innovator. We have been watching them carefully since last year, when we were a bit incredulous about their mission: “To stop not only the known attacks but the mutated and never-before-seen attacks for all network traffic types in near real time.” Usually when we talk to returning Innovators, our questions have a sort of “what have you done for us lately” ring to them. You want to be a bit careful when you ask these guys that kind of question, though. The answer is a bit like drinking from a fire hose.
AT A GLANCE
Vendor: Barrier1
Flagship Product: Barrier1
Cost: Contact vendor.
Innovation: Intelligent threat management.
Greatest Strength: Truly creative responses to some of today's most difficult cyber attack challenges.
Their mission met the state of the bad guys' art head on this year. It was the year of zero-days and APTs. Barrier1 sees those bits of terminology as somewhat misused, though. APT has become a buzzword and its real meaning – a complex attack against specific targets over a long time – has been lost in the hype. Mandiant brought the term into the general information security jargon with its report on APT1, the Chinese hacking group.
But there are important issues in real APTs, the most important one in our view being the P: persistence. That is a major aspect of the Barrier1 process: detecting persistent threats using continuous scanning. It goes beyond scanning, though, according to this Innovator. Continuous scanning is necessary, but intelligent threat management is the key that really turns the risk management lock. By remembering what it has seen and using that as a baseline, Barrier1 combines continuous scanning and intelligent threat management to detect mutating malware – a favorite technique of bad guys for keeping their bugs in the system (persistence) while evading discovery.
But the most innovative technique they described to us is their new patented process for responding to distributed denial-of-service (DDoS) attacks. When a DDoS attack hits, Barrier1 returns specially crafted packets that result in a reverse denial-of-service to the attacker. When we asked whether they considered this hack-back – something we must not do – the answer was an emphatic “no.” Since TCP traffic already produces return packets, all they are doing is modifying those returned packets so that the attacker simply can no longer send effective DDoS packets. Very clever, very legal and very effective. But then, that is the sort of thing that makes this returning Innovator a strong candidate for next year's Hall of Fame.
MetaFlows
This is a very interesting company and it, too, is a returning Innovator from last year. The easy way to describe what the company does is to say it offloads security analysis to the cloud, where it can be processed and where the analysis can take advantage of input from all of the company's customer data. This lets the system react more accurately.
AT A GLANCE
Vendor: MetaFlows
Flagship Product: MetaFlows Security System (MSS)
Cost: Small enterprise: $2,736/year; corporate/university: $10,972+/year
Innovation: Hybrid combination of on-premises sensors and cloud analysis taking advantage of global intelligence.
Greatest Strength: Listens to its customers and imagines the future beyond what the customers say.
One thing that we liked a lot is its inclusion of VirusTotal as the main malware analysis engine. By uploading malware samples – or suspected malware samples – to VirusTotal, the MetaFlows Security System (MSS) can take advantage of not one but more than 40 anti-malware programs. In addition, there is no need to update an anti-malware tool, since VirusTotal does that automatically.
Another new service added this year is monitoring of BitTorrent transfers. That helps protect against upstream liability and keeps customers aware of the file transfers to and from the organization. As well, monitoring uploads and downloads helps spot possible data exfiltration. The company has its own honeypots, which add to the intelligence gathered by tying together the results of customer data analyzed in a central, cloud-based location. Since only metadata is sent to the cloud, there is no danger of compromising sensitive customer data in the name of advanced analysis.
There is a lot of functionality in this system. Such things as anti-malware are, of course, obvious, but there also is an integrated SIEM, intrusion prevention and flow analysis. Agents live in the enterprise and communicate with the cloud. They can coexist with other devices, or you can add a dedicated appliance; an extremely fast one was added this year. The system is designed to support multi-core systems, so it fits well with today's computing environments.
While the technologies at play here are quite forward-thinking and innovative, one important area that we cannot forget is how the company determines what to include in the offering and how it gets to market. MetaFlows is good at listening to its customers and then figuring out what the next big need is going to be. This keeps the company consistently ahead of the curve and is, itself, an example of its innovation.