Pipeline Publishing, Volume 4, Issue 11
This Month's Issue:
Confronting Fraud and Malice
Visible Traffic, Secure Network:
Q&A with Narus' CEO

to attack others. You can buy bots and botnets and bot armies for so many dollars per site or so many dollars per location. It's pretty interesting when people can make money helping people attack other people, but I guess that's what Smith and Wesson did with the gun business.

Pipeline: We talked a bit about some of the types of attacks out there. Obviously, in order to attack major carriers or government agencies, attacks need to display a bit more ingenuity than most. Are there specific trends you're seeing?

Oslan: I think the biggest trend we've noticed is that these are typically well thought-through and well planned. These are not people who woke up one morning and decided to spend a few weeks hacking. These involve months and months, in many cases, of planning. They've been spending years, potentially, probing and finding vulnerabilities, and then going out and building, in the case of broad DoS attacks, bot armies. In the case of intrusions it's very similar. They're looking for vulnerabilities and looking for holes. Once they find it, they often don't attack right away. They think about how to exploit the vulnerability. Is it information they want to take down or do they just want to watch that site for the future? It's a new cold war. How fast can you get in and be undetected and how fast do they detect you and shut you down? It's not unlike when Russia used to see how far their fighters and bombers could get into the Alaska airspace before we responded and chased them away. It's a very similar environment.

Pipeline: So we're still seeing distributed denial of service (DDoS) attacks and worms?

Oslan: New kinds of worms. Polymorphic worms that can take on new shapes and new capabilities that we may not have seen before. You have some that are not just self-replicating, but self-morphing. Viruses themselves have diminished in their ability to do harm. It's been driven to the desktop. A lot of that has been handled by desktop antivirus software. It may be malicious and dangerous, but you don't see many people complaining that a virus crashed their hard drive. We've seen a lot of movement from the desktop to the network. That's why the carriers are now so focused on preventing this kind of attack.

Pipeline: One thing I hear from companies like yours is that they reduce the levels of false positives. How big a problem are false positives?

Oslan: Large, because it's expensive. There was a time when it was okay to overreact to intrusions or worms, but now that we're five or six years into it, and SPs have huge staffs dedicated to preventing this, they're noticing that it's awfully expensive for 15 or 20% of the instances to be wrong. Also, CSPs are moving into an environment in which either they're providing security services to their customers, or their customers are demanding service level agreements that guarantee a certain level of performance related to delivering clean traffic to them. If you're getting lots and lots of false positives, and twice a day telling your customers that there's a worm coming when there isn't one, it makes you look pretty bad. It's a big issue and one that needs to be solved differently than problems in the past. You need traffic visibility. You can't do this a link at a time. Spikes in traffic, particularly large and sudden spikes in traffic, trigger alarms because something is different. Now you've got to determine if that difference is caused by something normal or by something abnormal.

© 2006, All information contained herein is the sole property of Pipeline Publishing, LLC. Pipeline Publishing LLC reserves all rights and privileges regarding
the use of this information. Any unauthorized use, such as copying, modifying, or reprinting, will be prosecuted under the fullest extent under the governing law.