Breach Detection Systems (BDS): Is this the Answer for Zero-Day Malware?

Finally, something to shake up the network security space: the breach detection systems (BDS) “next generation” threat protection mechanism. The term was coined by NSS Labs to describe an emerging group of security solutions focused on the detection of intrusions caused by targeted persistent attacks (TPAs) and on other sophisticated threats that are designed to harvest information from compromised systems.

“Wait a second,” you say, “isn’t that what my next generation firewall (NGFW) and my next generation intrusion prevention system (NGIPS) are supposed to cover?” Well, yes, to a certain extent the NGFW or the NGIPS products could cover TPAs, but only if they had a signature or a filter associated with a specific attack. Furthermore, security vendors must determine the best way to provide coverage once the attack is discovered. This is not to say that NGFW and NGIPS are ineffective, but there are only so many features that can be jammed into a platform before it experiences technology bloat, ending up as a jack-of-all-trades and master of none. Following the obvious trend here, maybe we should have called BDS next generation intrusion detection systems (NGIDS) instead!

The BDS, NGFW and NGIPS products are similar in that all three can contain signatures and heuristics for identifying malware. However, a BDS separates itself from the pack with its ability to analyze the patterns of network traffic, identify malicious domains, and model the behavior/impact of files that are being downloaded and executed on an attack surface. In some cases, BDS vendors are able to detect zero-day malware at various stages of propagation, and provide remediation. The ability to identify still-unnamed malware on your network is almost like having your own zero-day research team on site.

NSS has identified 4 areas to watch in upcoming BDS testing:

1.  Breach detection capabilities using one or more of the following methods:

  • Malware identification (signatures, heuristics, or both).
  • Network traffic analysis (flow monitoring, content analysis, or both).
  • Sandboxing that allows for modeling internal systems (workstations and servers).
  • Browser emulation.
  • Domain reputation to identify malicious domains.

2.  Response mechanism (for example, alerting, session termination).

3.  Centralized management of multiple devices.

4.  Reporting.
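To make the first of these areas concrete, here is a small illustration of three of the detection methods listed above (signature lookup, domain reputation, and flow-timing analysis of outbound connections) combined into one per-host verdict. It is an added example, not code from NSS Labs or any BDS vendor, and the hash, domain feed and connection records are constructed placeholders.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (placeholders, not real indicators): one "known bad"
# file hash, a tiny domain-reputation feed, and outbound connection records
# as (timestamp_seconds, source_host, destination_domain).
KNOWN_BAD_HASHES = {"deadbeef" * 8}           # placeholder SHA-256 value
MALICIOUS_DOMAINS = {"update-check.example"}  # placeholder reputation feed
FLOWS = [
    (0, "ws-17", "update-check.example"), (60, "ws-17", "update-check.example"),
    (121, "ws-17", "update-check.example"), (180, "ws-17", "update-check.example"),
    (240, "ws-17", "update-check.example"),
    (5, "ws-03", "mail.example"), (900, "ws-03", "mail.example"),
    (910, "ws-03", "cdn.example"),
]

def signature_match(sha256: str) -> bool:
    """Malware identification by signature: exact hash lookup."""
    return sha256.lower() in KNOWN_BAD_HASHES

def bad_reputation(domain: str) -> bool:
    """Domain reputation: is the destination on the blocklist?"""
    return domain.lower() in MALICIOUS_DOMAINS

def detect_beaconing(flows, min_hits=4, max_jitter=0.1):
    """Network traffic analysis: flag (host, domain) pairs whose connections
    recur at a near-constant interval, a timing pattern typical of automated
    check-ins rather than human browsing. Returns {(host, domain): mean gap}."""
    by_pair = defaultdict(list)
    for ts, host, domain in flows:
        by_pair[(host, domain)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative jitter (stddev / mean) means the schedule is machine-driven.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons

def assess_host(host, flows, file_hashes=()):
    """Combine the three methods into a list of reasons to alert on this host."""
    reasons = []
    if any(signature_match(h) for h in file_hashes):
        reasons.append("known-malware-hash")
    if any(bad_reputation(d) for _, h, d in flows if h == host):
        reasons.append("malicious-domain")
    if any(h == host for h, _ in detect_beaconing(flows)):
        reasons.append("beaconing")
    return reasons
```

The returned reason list is what a BDS would hand to its response mechanism (alerting or session termination) and its reporting layer.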

Depending on the vendor, some BDS solutions require one or more of the following deployment methods:

  • A network appliance (typically deployed as a passive sensor, like an IDS).
  • Endpoint software.
  • Cloud-based analytics to identify, classify and assign the proper indicators to the malware.

BDS solutions have been around for almost a decade, but it is only with the recent increase in TPAs that they have gained traction. Part of the slow rate of adoption is due to the processing power required to do things like sandbox analysis, meaning these devices are still not ready to be deployed in-line with real-time inspection. Despite this, I predict that the deployment of BDS will be a part of any enterprise’s best security practices within the next 12 months.

For insight into whether BDS lives up to its promise, or whether the next security silver bullet turns out to be just another white elephant, stay tuned for the results of the first round of NSS’ BDS testing, due July this year.

More information regarding the NSS BDS testing methodology can be found here, and for more information on BDS and its technological challenges, see the analyst brief “Breach Detection: Don’t fall Prey To Targeted Attacks” (free of charge). Follow me on Twitter (@jopirc) to keep informed as new research is released.