If security engineers could simply pool their intelligence, wouldn't that help thwart Internet clients' access to known, malicious agents?
Check Point - the producer of security appliances and software that came to prominence after its acquisition of ZoneAlarm - takes a key step toward building a collective detour system for malicious agents, with something it calls ThreatCloud.
Technically, it's an easy thing to shut off browsers' access to sites whose IP addresses come up on a blacklist; but in practice, it's harder to convince users to pay attention to these warnings than it is to tell them they've won a free iPad and to click this link to claim it.
So what if the security industry could essentially say, if we know this site isn't a good one, let's build technology that makes it inaccessible? Well, we've seen what happens when Congress tries to enact this concept through legislation: We get SOPA. But when you take the lobbyists out of the picture, perhaps suddenly it's a good idea. At least, that's the idea behind ThreatCloud.
"We've had monthly, then weekly updates. But now you almost need up-to-the-minute updates with threat intelligence," says Fred Kost, Check Point's head of product marketing, in an interview with ReadWriteWeb. "It's not just one single piece of intelligence; you really need that multilayered, multiperspective view. So with ThreatCloud, we can collect information from our Check Point security gateways and bring it up into the cloud. The second way we get that information is through Check Point sensors, which are deployed through publicly facing places, strategic locations where we can get a view of traffic and things that are going on. These are dedicated sensors that we've managed to get placed in the network around the world."
Through this new system, Kost says, Check Point was able to scan 250 billion IP addresses, combining various sources of behavioral intelligence to isolate specific ranges of some 300,000 addresses. Some of the intelligence the company receives is machine-readable; other parts require human analysis. But the product, for now, includes some 4.5 million malware signatures - a number which can now grow daily.
Check Point calls its endpoint software components "blades," which can be a bit confusing for folks who expect a blade to be a server or even an appliance. Competitors call similar classes of components "virtual appliances." The idea, Kost explains, is that his company provides security products and services through a platform, and a blade is an attachment to that platform. Depending on how the data center is set up, that blade may manifest itself as a physical or virtual appliance.
The company's anti-bot software blade, announced last October and released this week, will enable the new ThreatCloud to amass information about botnet-driven infections. "We have multi-tier discovery, so we look at the command and control behavior of the bots - we look at the IT address that it's trying to connect up to URLs it may be using... and sometimes it's the communication pattern," says Kost. "We may see weird DNS or weird HTTP communications, so there may be behavioral things in the way the bot is communicating. So we may not know exactly the destination IPs of its control network, but we may know the behavior and we might see that bot launching spam from an endpoint.
"The important part is, once we've discovered it, we can actually shut off that connection to that command and control network." Severing communication to the suspicious IP address, he asserts, renders the botnet ineffective. The behavioral data then remains in an auditable form in the cloud, enabling Check Point to assist in forensic investigations.
Could this level of intelligence be used to cut off access to suspicious IP addresses at the network level? "Absolutely," responds Kost, "and you can see where our service provider customers might be very interested in this.
"There's been the notion of 'clean pipes.' If you're a service provider moving traffic around, your ability to make sure your community of customers isn't part of a botnet is a value-add to them, as well as to the network operator. You could envision a case where a service provider might use this to have a cleaner network and stop bots."
The enablement of ThreatCloud comes by way of a rollout this week of a new operating system for that platform (most platforms do have something that qualifies as an operating system, and here Check Point opts not to use a euphemism). The rollout - which goes by the unromantic title R75.40 - contains a newly merged OS architecture called GAiA, which has been in testing with enterprise customers for about two years.
One of the potential benefits of this operating system to the IT department is a GAiA feature within Check Point's management blades called SmartLog, which is essentially a simplification of how logs are presented. Since a log is a database, its reports should be rendered and sortable like a live database.
"SmartLog's focused on taking very large log files, with billions of records, and making them 1) very fast to search, and 2) very easy. So you get split-second, Google-like search capabilities," Kost explains. In prior versions of the product you might have actually had to write a query, run it against the log, and retrieve a report full of pages of results. "Now there's a Google-like search bar, and you can give it contextual words - like 'Scott remote access' - and it'll bring back anything that is remotely related to Scott that spans these billions of log records very, very quickly... It makes it much easier for customers to parse through these billions and billions of log files."