Blended threats. What are they, and why is it so vitally important that security professionals wake up to the dangers they pose on the network sooner rather than later? Bruce Hendrix concludes that end users don’t just need anti-virus on a security appliance. They must have spam filtering, VPN, firewalls, URL filtering, web caching, local logging and unified management into the bargain.

2004 HAS WITNESSED A RAPID RISE IN THE number of random virus attacks, with MyDoom and SoBig.F just two of the high profile ‘strains’ to have wreaked havoc (‘Virus Eye’, Secure IT, SMT, April 2004, pp49-50).

Both are classic examples of what’s known as a blended threat. An attack that combines multiple characteristics such as worm, virus, spam and intrusion. Cisco recently made an announcement that it will incorporate Trend Micro virus and worm technologies within its intrusion detection system software used on routers and switches. Excellent news for anyone concerned with IT security!

Given the rise in more sophisticated blended attacks a more proactive approach to security such as this isn’t just necessary. It’s vital.

An all-in-one type of approach

While it’s welcome news, Cisco’s decision just doesn’t go far enough. It provides only part of the solution. Companies don’t only need anti-virus on a security appliance. They also need to consider employing spam filtering, VPN, firewalls, URL filtering, web caching, local logging and unified management.

Once a blended threat attacks, it penetrates the edge of the network and embeds itself onto a client system, replicating and propagating rapidly. The most high profile example of this breed of virus is MyDoom, which uses extremely complicated and evasive blended threats that disparate point security solutions simply fail to defend.

For end users, the best solution to the problem is to deploy – at all edges of the corporate network – an integrated platform with a dynamic auto-update capability for anti-virus, spam and URL protection. That is the fastest time to lockdown available today.

The truly integrated security platform (in which all the applications talk to each other and do a spot of pattern matching against a full context inspection network filter) ultimately offers the best automated defence against destructive blended exploits.

Windows of opportunity

As security threats change so quickly, speed of time taken to close the windows of vulnerability is absolutely key. MyDoom exhibited several different variants within a 24-hour period, which effectively means that if you don’t have real time response then your actual response time to the changing make-up of a virus is truncated. Integrated platforms with automatic update capability caught MyDoom within three hours of its release (or an 800% faster rate of time-to-protection). This severely limits the potential damage of an attack, and helps to contain any further internal outbreaks.

The greatest intrusion around at present is a worm wrapped inside a virus deeply embedded in a spam attack. The best prevention strategy for this is a multi-threat management system that closes the gaps between the network and application layers. IDS/P stand-alone or point solutions aren’t effective without the full integration of network and application layer attack prevention onto one dedicated, hardware-accelerated device which is purpose-built for multi-layer security.

On average, pre-integrated applications and functionality that can be turned on like electricity in a grid, that are modular and provide tighter security – thus limiting any potential for damage – have a much lower total cost of ownership

Further, a fully-integrated, contextually-aware approach to IDP makes much greater sense than a stand-alone solution because the technology can easily automate rules-based preventive actions (rather than installing an after-the-fact detection alert system which requires heavy human intervention and an unexpected cost for preventive action and/or forensic activity).

At present, a full-blown IDS/P solution is very expensive and inordinately complicated for all except the very biggest organisations and, in many cases, remote or distributed large enterprise locations where an integrated, dedicated system is easier and more cost-effective to deploy, maintain and update.

Not only are all-in-one solutions more effective at fighting blended threats, they’re easier to manage and more cost-effective, too. One of the great benefits of a consolidated platform approach to security is the cost advantage inherent in acquiring, deploying and maintaining one system from one vendor that performs a wide range of functions.

On average, pre-integrated applications and functionality that can be turned on like electricity in a grid, that are modular (allowing customers to pay as they grow) and that provide tighter security – thus limiting any potential for damage – have a much lower total cost of ownership. Typically as much as one third less than comparable point solutions.

Waking up to the dangers

Many businesses have neither the resources nor the expertise to manage and maintain disparate security solutions from multiple vendors. The consolidation of security into a dedicated appliance is an obvious solution, not only for the client premises deployment but also as a network-based managed service.

However, the biggest single challenge faced is educating the end user on the limitations of conventional firewalls, software-based or fixed-function appliances that lack the application intelligence, performance and integrated content security to defend against today’s most threatening exploiters.

The industry needs to wake up to the danger blended threats can pose – and the solutions available to combat them – or we’re going to witness damage on a scale that will make MyDoom seem like a walk in the park.