17 October 2016
Using an access model of this kind, it is relatively easy to set rules for particular classes of access. For example, it is straightforward to specify that personal devices used in the workplace get Internet access only and nothing on the internal network, whereas users on corporate assets get full access to all resources.
“With rapid threat containment, for example, if the system spots some traffic that is suspicious and that might be in violation of policy, then it can tell if it’s a registered user with a corporate device at the right time of day, accessing a resource that they are allowed access,” said Davitt.
“But if they are not doing it in the right way, the system will remove the user from the network, or put them in a quarantine zone and will capture the packet of data being sent. That way, it can do more analysis and see exactly what the user is doing.”
An anomaly can be defined against the user's typical traffic pattern. If a user normally moves about 100 megabits across the network each day and suddenly pulls 15 gigabits, that is an obvious anomaly.
“Perhaps that person is going to leave the organisation and is downloading the latest products or development files or whatever it happens to be. All of this is possible now with multiple physical products. We have opened that sort of integration up to other companies as well. And there have been quite a few that would traditionally have been seen as competitors of ours that have actually signed up to integrating with that whole sort of approach through our identity services engine,” said Davitt.
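As an added illustration of the two ideas above, a device-class access policy and rapid threat containment driven by a per-user traffic baseline, here is a small Python model. It is not Cisco's, Netforce's or the article's own code: the internal address ranges, the working-hours window, the 20x anomaly factor and the session records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Tuple

# Assumptions for the example: which prefixes count as "internal", what the
# "right time of day" is, and how far above a user's usual volume is anomalous.
INTERNAL_PREFIXES: Tuple[str, ...] = ("10.", "192.168.")
WORK_HOURS = (time(7, 0), time(20, 0))
ANOMALY_FACTOR = 20.0


@dataclass
class Session:
    user: str
    device: str        # "corporate" or "personal" (BYOD)
    registered: bool   # device is known to the identity service
    dest_ip: str
    start: time
    bits: int          # volume moved in the session


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def policy_decision(s: Session) -> str:
    """Static policy: registered user, right device class, right time of day."""
    if not s.registered:
        return "deny"                      # unknown device: no access at all
    if s.device == "personal" and is_internal(s.dest_ip):
        return "deny"                      # BYOD gets the Internet only
    if is_internal(s.dest_ip) and not (WORK_HOURS[0] <= s.start <= WORK_HOURS[1]):
        return "deny"                      # internal access outside working hours
    return "allow"


class ContainmentEngine:
    """Per-user rolling traffic baseline plus quarantine of anomalous sessions."""

    def __init__(self, alpha: float = 0.2) -> None:
        self.alpha = alpha                 # smoothing factor for the rolling mean
        self.baseline: Dict[str, float] = {}
        self.quarantined: Dict[str, List[Session]] = {}

    def decide(self, s: Session) -> str:
        verdict = policy_decision(s)
        if verdict == "deny":
            return verdict
        usual = self.baseline.get(s.user)
        if usual is not None and s.bits > ANOMALY_FACTOR * usual:
            # Pull the user into the quarantine zone and keep the session for analysis.
            self.quarantined.setdefault(s.user, []).append(s)
            return "quarantine"
        # Only sessions judged normal update the baseline, so a single burst
        # cannot teach the engine that 15 gigabits a day is normal.
        self.baseline[s.user] = (
            s.bits if usual is None else (1 - self.alpha) * usual + self.alpha * s.bits
        )
        return "allow"


# Constructed sample sessions (not real traffic). "alice" usually moves about
# 100 Mbit a day from a corporate laptop; her last session pulls 15 Gbit.
SAMPLE_SESSIONS = [
    Session("alice", "corporate", True, "10.0.5.20", time(9, 15), 100_000_000),
    Session("alice", "corporate", True, "10.0.5.20", time(10, 2), 110_000_000),
    Session("bob", "personal", True, "93.184.216.34", time(11, 0), 50_000_000),  # Internet: fine
    Session("bob", "personal", True, "10.0.5.20", time(11, 5), 50_000_000),      # internal: denied
    Session("mallory", "corporate", False, "10.0.5.20", time(12, 0), 1_000_000), # unregistered
    Session("alice", "corporate", True, "10.0.5.20", time(23, 30), 100_000_000), # after hours
    Session("alice", "corporate", True, "10.0.5.20", time(14, 0), 15_000_000_000),  # anomaly
]


def run_demo() -> List[str]:
    engine = ContainmentEngine()
    return [engine.decide(s) for s in SAMPLE_SESSIONS]


if __name__ == "__main__":
    for s, v in zip(SAMPLE_SESSIONS, run_demo()):
        print(f"{s.user:8} {s.device:9} -> {s.dest_ip:14} {s.bits:>15,} bits  {v}")
```

The order of checks matters: the static policy is evaluated first, so a denied session never reaches the baseline and cannot skew it, and a quarantined session is recorded rather than learned from. A real deployment would replace the in-memory baseline with per-user statistics fed from flow telemetry, but the decision logic is the same.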
A growing range of adaptive security products are becoming available on the Irish market and one of the most recent is Cylance, which is offered in Ireland by Netforce.
“It’s built around artificial intelligence and uses a complex system to tie together virtual machines hosted by Amazon to create a virtual supercomputer. Rather than using a database of signatures to find and thwart attacks from malware, it recognises what malware looks like,” said Larry Doyle, IT infrastructure and business solution architect for Netforce.
“It knows how malware typically behaves, so as soon as it arrives on the system it recognises and neutralises it.”
Cylance classifies files on features that indicate aspects of behaviour rather than depending on signature matches, which allows it to learn as it goes. It does maintain a database of known malware samples in the back end, and as new variants are identified it is capable of assimilating that information into its own model.
“The engine will grow stronger and stronger over time as it learns more. It’s thought that the first time that the ransomware Cryptolocker was released onto the net, Cylance would have stopped it based on its behaviour and before it had been identified,” said Doyle.
According to Doyle, adaptive security is becoming more common in Ireland, but there are still many companies relying on antivirus and firewall software that will become increasingly unfit for purpose.
“There are many different products around but it’s going this way because this is the next evolutionary step for IT security. We’re trying to educate people that traditional antivirus isn’t good enough anymore. But it’s still common to work with companies that fall foul of malware attacks but are slow to upgrade because it can be more expensive. But that’s part of the business, educating people that this is how things are.”