How does the government detect network attacks, and how does this relate to Homeland Security? In an interview with GlobalPOV, Mr. Jim Melvin from Mazu Networks describes how ‘threats’ are detected, and explains why government agencies have some work to do in terms of securing networks.
GlobalPOV: What does your technology do?
JM: Mazu Networks has been in business for approximately two years. It was founded with technology out of MIT – and focuses on deep understanding and statistical analysis of network traffic profiles, and then detecting anomalous behavior from looking at those traffic profiles. The tieback to the topic that you’re looking at is that homeland security vs. privacy very much has to do with the technology that we’re bringing to bear in major enterprises and government agencies today.
Enterprises and government agencies alike need to do a better job than they have been doing with regard to securing their networks because these networks represent the critical link to all databases, servers, routers etc. on which sensitive and mission critical information can be found.
What Mazu’s technology helps people responsible for managing against cyber attacks understand is when “suspicious” activity is being conducted on the network. For example, if Mary in manufacturing is trying to gain access to confidential HR databases that contain salary records of all employees, matching that traffic against baseline traffic could help detect the “attack” without having to crack open her information on the network and review what is inside. Therefore, a level of privacy is still maintained without sacrificing the integrity of the data on the site.
GlobalPOV: So if you break certain criteria, you effectively surrender your right to privacy?
JM: To a certain extent, yes. With our technology, we just look at the pattern of network traffic – we don’t crack open that traffic and read what is inside.
GlobalPOV: Would this break in anomalous behavior – would it trigger a request for authentication?
JM: Yes, but these can be deployed in a variety of different scenarios. It might be as simple as a request for authorization. But if it’s a violation of a more severe type – where there’s a critical asset in jeopardy of being tampered with or stolen – then access might be denied, or an internal network alarm might be set up.
GlobalPOV: So you’re dealing with corporate enterprises?
JM: Yes – large enterprise and government networks. Generally, the larger the network, the more complex the situation, and the more difficult to secure both network services and assets.
GlobalPOV: What type of network activity would the government be looking at in terms of identifying anomalous behavior?
JM: There are really two general types of malicious behavior that any organization – government or enterprise – should look at. The first type of malicious behavior might be an automated launch of a virus or worm that attempted to render network services unavailable. So in this case, someone is maliciously attempting to do damage to a network – and that would show itself as an availability issue, and would have an impact on the productivity of whatever service that is. The second type of malicious threat would be an employee – generally a trusted individual – who is seeking to have access to data that they might not have been authorized to get. And so their intent might be to misuse that information in some way.
GlobalPOV: What do you think about the consolidation of all these disparate government databases and the sharing of info among all of these government agencies?
JM: I think it’s a complex situation – but that there are many benefits to be had by doing so. Being able to really understand the data flow and traffic patterns is critical to being able to provide the levels of security necessary to protect sensitive information related to our government and our nation’s critical infrastructure. On the other hand, centralization of such vast and valuable assets is, in itself, a significant task to be managed … and, frankly, brings up other security risks on its own.
GlobalPOV: What exactly is your role with government agencies? Are you a piece of this homeland security puzzle?
JM: We work with a couple of different government integrators who are supplying systems directly to the government to secure large network deployments. In many ways, these government scenarios don’t vary vastly from major enterprise scenarios. While we do not fit into more of the CIA-type intelligence of actively looking for external threats, we also help them keep an eye on their mission critical internal services – email etc. – and keep those online.
GlobalPOV: How would you define “anomalous” activities? Who draws up the rules or boundaries?
JM: Mazu has the ability to detect anomalous behavior based upon the normal traffic patterns for a given network. Network traffic flows today have become almost incomprehensible to individuals who try to manage that information. Once our technology has been on a network for more than a day, it can build a statistical profile with regard to normal traffic patterns, meaning typical traffic flows (ebbs, spikes, peaks, etc.) are recorded and anything detected outside of this baseline is investigated as a possible attack. You always run the risk that something malicious was going on during that profile time – so someone goes back over the data to make sure that your initial profile was valid. But once that’s established, you can then look for anomalies in the traffic. Those might be things like individuals accessing database servers that they’ve never accessed before, or at a rate at which they’ve never accessed before, or establishing new connections across the network. Generally, these major government or enterprise networks do follow certain traffic profiles once they’re established, and they evolve very slightly over time. Our technology has the ability to learn and adapt to these shifts, and to detect significant trend changes … which have a tendency to be threats.
GlobalPOV: What would a privacy advocate get up in arms about here?
JM: This might be an interesting angle because it’s a reasonable technology to use without intruding on someone’s privacy.
The reason that I think this is an issue is that the other methodology – more of the static, state of the art, if you will – is that current security solutions have to literally unwrap and look inside packets in the network, study their signatures and look for malicious traffic that way. That might be considered to be more of an intrusion on your privacy. By monitoring traffic flow, we can provide significant security measures without actually cracking open their emails or network requests and therefore minimize intruding on people’s privacy … until they are identified as a possible threat.
GlobalPOV: What happens when someone who is not necessarily posing a threat is pulled out?
JM: That’s up to each individual user at an organization.
GlobalPOV: There’s a bigger risk here than cyber attacks or denial of service, right?
JM: The biggest risk that any large organization faces is generally coming from within. What we’re seeing is that major enterprises and government agencies are trying to detect when malicious things are happening with their network. They need the capability to understand the sophisticated nuances of network traffic and pull out the anomalies.
GlobalPOV: Where would you identify the shortcomings of the previous technologies in identifying possible risks and mitigating risk?
JM: There are two issues with the previous technologies. The first issue is that they can only detect threats that have been previously defined. So a given technique for taking data or a given threat or virus can be seen … but it cannot detect a new virus or a new way of doing damage to the network. The other problem with the current technologies is that the number of false positives being given off is too great and too unmanageable. Unmanageable to the point where if companies were to truly try to track down what looks like a possible attack, you would have a significant issue – because you would be checking out way too many people that don’t need to be. Major enterprises have on the order of millions of alerts per day being brought up by the current technology, and it becomes unadministrable. Our technology is more finely tuned at detecting threats that have not been detected before, and dramatically reduces the false positives.
I would say it would be a great concern – using signature-based detection and looking for patterns has many drawbacks to it. It generally never gets to the over-intrusion on privacy, because it’s simply unadministrable from the standpoint of the amount of manpower required to do it.
GlobalPOV: Are there any attitudes or lack of awareness by government agencies?
JM: There’s a macro shift in technology coming with regard to our ability to protect our network services and assets. I think that IT or security managers across the government and commercial spaces need to step back and reevaluate what they’ve considered to be status quo with regard to securing their networks. For years it has been about protecting resources from the outside world – strengthening the perimeters surrounding the organization. Now it is about looking within and protecting resources from those who many organizations would deem as “trusted.” To do this, these organizations need to first understand a network in a healthy, normal state so they can quickly spot abnormal suspicious behavior and take appropriate steps to mitigate an attack or damage caused by lost assets.
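To make the profile-then-detect approach Melvin describes concrete, here is an added example in Python (not Mazu’s code and not part of the interview): it learns a per-connection baseline from flow summaries, header-level data only, and then flags the two anomaly kinds he names, a connection never seen before and a familiar connection at an unusual rate. The host names, byte counts, the 3-sigma threshold and the sigma floor are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline flow summaries, (day, src_host, dst_server, bytes), for three "normal" days.
BASELINE = [
    (1, "mary-mfg", "erp-db", 12_000), (1, "bob-hr", "hr-db", 50_000), (1, "mary-mfg", "mail", 3_000),
    (2, "mary-mfg", "erp-db", 11_500), (2, "bob-hr", "hr-db", 48_000), (2, "mary-mfg", "mail", 3_200),
    (3, "mary-mfg", "erp-db", 12_400), (3, "bob-hr", "hr-db", 52_000), (3, "mary-mfg", "mail", 2_900),
]
# Constructed observation day: one never-seen connection and one volume spike among normal traffic.
OBSERVED = [
    (4, "mary-mfg", "erp-db", 12_100), (4, "mary-mfg", "hr-db", 40_000),
    (4, "bob-hr", "hr-db", 400_000), (4, "mary-mfg", "mail", 3_100),
]

def daily_totals(flows):
    """Aggregate flow records into {(src, dst): {day: total_bytes}}; only headers, never payloads."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        totals[(src, dst)][day] += nbytes
    return totals

def build_profile(flows):
    """Learn the 'healthy, normal state': mean and population stdev of daily bytes per (src, dst) pair."""
    profile = {}
    for pair, per_day in daily_totals(flows).items():
        vals = list(per_day.values())
        profile[pair] = (mean(vals), pstdev(vals))
    return profile

def detect_anomalies(profile, flows, k=3.0, sigma_floor=1_000):
    """Flag (a) pairs absent from the baseline and (b) daily volume above mean + k*stdev."""
    alerts = []
    for (src, dst), per_day in daily_totals(flows).items():
        for day, nbytes in sorted(per_day.items()):
            if (src, dst) not in profile:
                alerts.append(("new-connection", day, src, dst, nbytes))
                continue
            mu, sigma = profile[(src, dst)]
            # The floor keeps a near-constant baseline from alerting on tiny jitter (a false-positive source).
            if nbytes > mu + k * max(sigma, sigma_floor):
                alerts.append(("rate-anomaly", day, src, dst, nbytes))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(build_profile(BASELINE), OBSERVED):
        print(alert)
```

Running `detect_anomalies` over `BASELINE` itself returns no alerts, which is the kind of sanity check on the learning period the interview says someone must do before trusting the profile.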