Tuesday, January 25, 2011

Can Network Intelligence Technology Lower the Risk For Cyber War?

I just read the latest article about Stuxnet: The Triumph of Hacker Culture - http://www.slate.com/id/2281938

Here is a quote: “The implications are vastly unsettling. If a Stuxnet-like worm can disable Iranian nuclear manufacturing controls, there is reason to be concerned that a similar or more highly evolved worm (devised by the much-feared Chinese military cyber corps, perhaps) could seize control of our nuclear missile launch-control capacity. Maybe not yet. But the potential can't be ruled out.”

Scary…

For those of you who haven’t followed all the details about Stuxnet, the common theory is the following:

  • Israel + US developed Stuxnet in order to delay Iran's nuclear weapons program, since it was deemed less risky than bombing raids
  • Stuxnet is seen in cyber sec / SCADA circles as the first offensive, state-sponsored, weaponized malware of a new generation
  • The fear is that Pandora's box is now open, and that adversaries will retaliate in kind

See here for a Wired article: http://www.wired.com/dangerroom/2011/01/with-stuxnet-did-the-u-s-and-israel-create-a-new-cyberwar-era/

Some people believe that China could be behind Stuxnet: http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/

In any case, I think we will see more focus on SCADA cyber defense.

What does this mean for Network Intelligence Technology?

Even the new generation of weaponized malware uses IP networks to spread and communicate. In the case of Stuxnet, "Updates to this executable would be propagated throughout the facility through a peer-to-peer method established by Stuxnet." See http://www.zdnet.com/blog/security/stuxnet-a-possible-attack-scenario/7420?tag=rbxccnbzd1
At Qosmos, we are experts at decoding traffic. If we do not recognize a protocol, it is classified as “unknown”, which in itself is highly suspicious in a sensitive environment. A cyber defense solution can be configured to block all such traffic instantly.
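The default-deny idea in the paragraph above, as an added example (this is illustration code written for this post, not Qosmos ixEngine code): flows are named from the first payload bytes rather than the destination port, anything the signature table does not recognise is labelled “unknown”, and a zone policy blocks unknown protocols only where they touch a sensitive segment. The four signatures, the sample flows and the 10.10.0.0/16 “sensitive” zone are all constructed.

```python
"""Classify flows by payload content rather than port, label anything the
signature table does not recognise as 'unknown', and block unknown protocols
inside a sensitive network segment.

Added illustration, not Qosmos ixEngine code: the signatures, the flow records
and the 10.10.0.0/16 'sensitive' zone are all constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes sent by the client


def _is_http_request(p: bytes) -> bool:
    return p.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS "))


def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake), version major 0x03,
    # then the first handshake message type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def _is_dns_query(p: bytes) -> bool:
    # 12-byte DNS header: QR=0 (query) and opcode 0, exactly one question,
    # no answer/authority records, followed by a non-empty first label.
    if len(p) < 13:
        return False
    flags = int.from_bytes(p[2:4], "big")
    qd, an, ns = (int.from_bytes(p[i:i + 2], "big") for i in (4, 6, 8))
    return (flags & 0xF800) == 0 and qd == 1 and an == 0 and ns == 0 and 1 <= p[12] <= 63


def _is_ssh_banner(p: bytes) -> bool:
    return p.startswith(b"SSH-2.0-")


SIGNATURES = (
    ("http", _is_http_request),
    ("tls", _is_tls_client_hello),
    ("dns", _is_dns_query),
    ("ssh", _is_ssh_banner),
)

SENSITIVE_ZONE = ipaddress.ip_network("10.10.0.0/16")  # constructed zone


def classify(flow: Flow) -> str:
    """Name the protocol from the payload alone; the port plays no role."""
    for name, match in SIGNATURES:
        if match(flow.payload):
            return name
    return "unknown"


def decide(flow: Flow) -> tuple:
    """Return (protocol, action). Unknown protocols are blocked when the flow
    touches the sensitive zone; elsewhere they are only logged for review."""
    proto = classify(flow)
    in_zone = any(ipaddress.ip_address(a) in SENSITIVE_ZONE for a in (flow.src, flow.dst))
    if proto == "unknown":
        return proto, "block" if in_zone else "log"
    return proto, "allow"


# Constructed flows: plain HTTP on 80, TLS on a non-standard port, HTTP on 443,
# a DNS query, and a made-up peer-to-peer update beacon seen inside and outside the zone.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.9", 80, b"GET /status HTTP/1.1\r\nHost: hmi\r\n\r\n"),
    Flow("10.10.1.5", "192.0.2.10", 8443, b"\x16\x03\x01\x00\x40\x01\x00\x00\x3c\x03\x03"),
    Flow("10.10.1.7", "10.10.3.2", 443, b"POST /upload HTTP/1.1\r\nHost: x\r\n\r\n"),
    Flow("10.10.1.7", "10.10.0.53", 53,
         b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03hmi\x00\x00\x01\x00\x01"),
    Flow("10.10.1.7", "10.10.3.3", 443, b"\x00\x00\x7a\x11PEERUPD\x01\x00"),
    Flow("192.0.2.5", "198.51.100.8", 443, b"\x00\x00\x7a\x11PEERUPD\x01\x00"),
]


def run(flows=SAMPLE_FLOWS):
    """Classify and decide every flow; returns (dst, dport, protocol, action)."""
    return [(f.dst, f.dport) + decide(f) for f in flows]


if __name__ == "__main__":
    for dst, port, proto, action in run():
        print(f"{dst}:{port:<5} {proto:<8} {action}")
```

The HTTP request on port 443 is still named “http”, and the beacon on 443 is “unknown” whatever port it uses; that is the point of decoding content instead of trusting ports. Before switching the sensitive-zone action from log to block, the unknown bucket should be reviewed for legitimate proprietary protocols (SCADA equipment often speaks some), otherwise the policy blocks the plant along with the malware.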

It seems that Qosmos can provide the traffic visibility required for defense against new generation malware. It is our way of lowering the risk of cyber war.

JT

Thursday, November 18, 2010

Cyber security artists need the right tools

It has become evident to me that cyber security is an art, and like any other art, it has artists who need the right tools.
At Qosmos, we work with cyber security teams who protect very sensitive networks. These security analysts typically work in a Security Operations Center (SOC), monitoring traffic and checking for suspicious activity, such as:
  • Services or encrypted traffic on non-standard ports
  • Referring URIs, which can be used to detect phishing software loading partial content from a real site
  • Many (hundreds of) “IP gets” from black-listed countries
  • Specific malware file names (e.g. shell.exe)
  • Suspicious malformed traffic
Best practice cyber security filters out known threats with COTS cyber security products (AV, firewalls, etc.) and focuses investigation and analyst time on the 1% of traffic that is suspicious. So, what tools do the analysts need?
  • Information feeds in the form of logs and traffic metadata
  • Search and analysis capabilities
Logs are the obvious source of information to investigate potential security breaches. But a recent trend is to complement these logs with communications metadata, representing an additional source of real-time information.

Examples of communications metadata which are relevant for cyber security:

The advantages of metadata:
  • Not only do good metadata complement logs, they are also MORE valuable than full packet payloads for identifying patterns! As someone said to me: “sometimes, you can’t see the forest (situational awareness) for the trees (packet payloads)”
  • In addition, metadata require less storage than full packet capture, so historic information can be kept for longer periods (months) than full packet capture: this means much stronger investigative capabilities.
  • Metadata also enable much faster forensic search, with the ability to search 2TB of data in less than 2 minutes!
  • Finally, metadata can be used to index flows and packet contents
Example of a best-of-breed cyber security tool case
A tool case can be built on Qosmos + Splunk. In this case, Qosmos does the protocol decoding up to Layer 7, providing complete visibility of all network traffic and applications, independently of ports. The extracted protocol metadata is indexed by Splunk in addition to log information. Splunk is then used for search, statistics and GUI.
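The five indicators listed above, turned into detection rules over the kind of Layer-7 metadata this paragraph describes being indexed beside logs. This is an added example written for this post, not Qosmos or Splunk code: the records imitate exported protocol metadata, and the field names, the protected host list, the “XX” country code, the file-name watchlist and the thresholds are all constructed.

```python
"""Analyst detection rules run over Layer-7 flow metadata records.

Added example; nothing here is Qosmos or Splunk code. The records imitate the
protocol metadata a decoder exports to an indexer; field names, the protected
host list, the 'XX' country code, the file-name watchlist and the thresholds
are constructed for this illustration.
"""
from collections import Counter
from urllib.parse import urlsplit

EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "ssh": {22}, "dns": {53}}
PROTECTED_HOSTS = {"www.example-bank.test"}   # the web site we defend (constructed)
BLACKLISTED_COUNTRIES = {"XX"}                # placeholder code, not a real country
MALWARE_FILENAMES = {"shell.exe"}             # the post's example; real lists come from a feed
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}
COUNTRY_THRESHOLD = 3   # tiny for the six-record sample; the post speaks of hundreds


def _filename(uri: str) -> str:
    return urlsplit(uri).path.rsplit("/", 1)[-1].lower()


def rule_nonstandard_port(rec) -> bool:
    """Content says one protocol, port says another (e.g. SSH on 443)."""
    expected = EXPECTED_PORTS.get(rec["protocol"])
    return expected is not None and rec["dport"] not in expected


def rule_foreign_referer(rec) -> bool:
    """Our site serving content to a page hosted elsewhere: the trace a phishing
    page leaves when it loads images or scripts from the real site."""
    if rec["protocol"] != "http" or rec.get("host") not in PROTECTED_HOSTS:
        return False
    ref = rec.get("referer")
    return bool(ref) and urlsplit(ref).hostname not in PROTECTED_HOSTS


def rule_malware_filename(rec) -> bool:
    return rec["protocol"] == "http" and _filename(rec.get("uri", "")) in MALWARE_FILENAMES


def rule_malformed_http(rec) -> bool:
    """A request no compliant client would produce."""
    if rec["protocol"] != "http":
        return False
    return rec.get("method") not in HTTP_METHODS or not rec.get("host")


PER_RECORD_RULES = (
    ("nonstandard_port", rule_nonstandard_port),
    ("foreign_referer", rule_foreign_referer),
    ("malware_filename", rule_malware_filename),
    ("malformed_http", rule_malformed_http),
)


def detect(records):
    """Return (record id or aggregate key, rule name) pairs for one time window."""
    alerts = [(rec["id"], name) for rec in records
              for name, rule in PER_RECORD_RULES if rule(rec)]
    # The volume rule needs the whole window, so it runs over the aggregate.
    hits = Counter(r["src_country"] for r in records
                   if r["src_country"] in BLACKLISTED_COUNTRIES)
    alerts += [(f"country:{c}", f"blacklisted_country_volume({n})")
               for c, n in hits.items() if n >= COUNTRY_THRESHOLD]
    return alerts


# Constructed metadata records (one per flow), annotated with what each should trigger.
SAMPLE_RECORDS = [
    {"id": 1, "protocol": "http", "dport": 80, "src_country": "FR", "method": "GET",
     "host": "www.example-bank.test", "uri": "/index.html", "referer": None},      # clean
    {"id": 2, "protocol": "ssh", "dport": 443, "src_country": "FR"},                # SSH on 443
    {"id": 3, "protocol": "http", "dport": 80, "src_country": "XX", "method": "GET",
     "host": "www.example-bank.test", "uri": "/img/logo.png",
     "referer": "http://login-example-bank.test/verify"},                           # phishing referer
    {"id": 4, "protocol": "http", "dport": 8080, "src_country": "XX", "method": "GET",
     "host": "files.unknown-cdn.test", "uri": "/dl/shell.exe", "referer": None},    # malware name
    {"id": 5, "protocol": "http", "dport": 80, "src_country": "XX", "method": "GETT",
     "uri": "/", "referer": None},                                                  # malformed
    {"id": 6, "protocol": "dns", "dport": 53, "src_country": "US"},                 # clean
]

if __name__ == "__main__":
    for key, rule in detect(SAMPLE_RECORDS):
        print(f"{key!s:<12} {rule}")
```

Each rule reads only metadata fields (protocol, port, Host, Referer, URI, country), never payload bytes, which is why the same logic can run over months of retained history as well as live traffic. The per-record rules are independent searches; the country volume rule is the one that needs aggregation over a window, which in a Splunk-style deployment is a statistics query rather than a per-event match.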

Example of searching for suspicious network activity using Qosmos + Splunk (screenshot)

Let’s give cyber security artists the tools they need to exercise their art!

Jerome

Wednesday, September 8, 2010

Network Intelligence: Coming Back to Qosmos

It is interesting to see the increasing interest in embedding network intelligence software into solutions. At Qosmos, we have been speaking to network equipment suppliers, ISVs and systems integrators for years, which means that many of them have known us for years. However, during the initial discussions, many of them tell us that they have DPI skills internally and that, while Qosmos technology is really impressive, they don’t need to source it externally. “No problem”, we say, “but don’t hesitate to contact Qosmos if you change your mind”.
We now see more and more companies coming back to Qosmos.
Why do they come back to us? The reasons are simple:
  • They find it increasingly difficult to keep up with ever-changing protocols and applications
  • They face challenges in scaling existing solutions to network speeds beyond Gbps
  • Resource constraints force them to focus all their energy on their core business (which is typically to build solutions, not enabling technology like DPI or Network Intelligence)
This is typical for new high-tech markets: initially, high-tech vendors build everything in-house, because 1) it’s not too difficult and 2) there are no external suppliers. Think of databases: initially, all IT vendors built their own databases in-house (for example IBM DB2). Then vendors moved to source database technology from specialists like Sybase, Informix or Oracle. The same happened with microprocessors, which were initially developed internally by computer vendors but are now sourced from specialists like Intel and AMD.
There is now a similar trend with DPI and network intelligence technology: the market is shaping up for the benefit of everyone.
Welcome back: we are happy to work with you!

JT

Tuesday, August 31, 2010

The Dilemma of Government Cyber Security: Ensuring Strong Protection While Keeping Costs Down

Imagine the following situation facing teams responsible for government cyber security: cyber threats are increasing in both numbers and complexity; and at the same time, government budgets are under pressure. Difficult equation…

Government IT teams in all countries are required to use more Commercial Off the Shelf (COTS) products in order to keep costs down. This may be OK for the majority of IT services and equipment, but when it comes to cyber security, it doesn’t always work. Relying only on COTS cyber security products can jeopardize national cyber security, since the features and capabilities are publicly known. This means that adversaries can devise attacks to circumvent COTS cyber security solutions.

Here is how Qosmos solves the dilemma:
1. We represent a “COTS traffic decoding component” which keeps costs down
2. We are NOT a specialized cyber security technology (only a traffic decoding technology) which means that government teams can keep their defense capabilities strong and confidential

Equation solved!


JT

Friday, August 20, 2010

Network Intelligence Technology Experts Qosmos Comment on Intel’s Acquisition of McAfee

Move Underscores the Need for Visibility into Data in Motion at ALL Levels

Intel today announced its acquisition of McAfee. Intel CEO Paul Otellini said on the conference call: "We believe security will be most effective when enabled in hardware."

Qosmos sees a broader picture for better secured systems across the technology value chain – enabled by better visibility into active data, regardless of where the data is at any moment. And the network is the converging point to access this intelligence.

Most companies lack the appetite and capital for such acquisitions, but will nonetheless require technologies that enable visibility into the path and content of data transiting networks. For such specialized expertise, there is Qosmos. Qosmos, the expert in so-called “network intelligence technologies,” provides software and hardware components that embed inside applications, equipment and networks to capture, extract and identify data in motion.

According to Qosmos CEO Thibaut Bechetoille, “In today’s network-dependent economy, this acquisition underscores the critical need for greater visibility of active data across the technology spectrum – whether in hardware and processors, in the networks themselves, in the systems that manage them or in the applications that run with real-time data – to enable more secure and better performing solutions.”

Technically speaking, Qosmos technology provides visibility and data extraction at unparalleled depth (up to and including layer 7), speed (with throughputs of up to 80 Gbps) and detail (recognizing 300+ network and application protocols and extracting more than 4,000 metadata elements).

In plain terms, technology providers including software vendors, systems integrators, developers and equipment manufacturers use Qosmos components inside their solutions to make them more secure, better performing and better monetized, by having the detail to see patterns and aberrations that would otherwise be invisible.

Qosmos experts and executives are available to discuss why such visibility is critical and why network visibility – network intelligence – is THE keystone to improved security.

Wednesday, June 30, 2010

iPhone 4 = more network congestion

Last week it was iPhone frenzy here in Paris, much like in other places around the world (maybe we are trying to forget about the French soccer team). See this photo showing customers queuing up in front of the Carrousel du Louvre shopping mall, waiting to buy the iPhone 4.

The new iPhone is of course much better and cooler than previous versions. One thing the iPhone 4 does better is video: it records HD video at 720p and 30 frames per second. Which means more need for mobile bandwidth.

Sounds like déjà vu all over again? Hum… let me think… reminds me of a blog post I wrote about the iPhone 3: http://networkintelligence.blogspot.com/search?q=iphone&x=0&y=0

Long live network congestion!

Jerome

Thursday, June 10, 2010

QED: expert help to embed network intelligence into your solutions

During discussions with prospective partners, we sometimes get comments like: “we love Qosmos, but right now we don’t have any engineers available for new developments based on your technology”.

This is why Qosmos just formed a network of developer partners, the Qosmos Expert Developers (QED).

The idea is to facilitate the development of applications based on Qosmos technology, with a network of partners who are experts on ixEngine. Qosmos expert developers serve as an extension of in-house resources and make it easier to embed Network Intelligence Technology into new solutions. These companies are experts in high-performance, multi-core network/security processing platforms and real-time architectures, and they have a track record of successful development based on Qosmos.

For our customers, this means on-demand access to best-in-class development expertise, faster time-to-market and quality assurance for new Qosmos-based solutions.

The first core group of QEDs includes:
- Moore Performance Systems (USA)
- Mantaro (USA)
- MasterPeace Solutions (USA)
- DeCanio Engineering (USA)
- Philog (France)
- Bigsool (France)

We now have an easy answer for those of you who need a little extra help to use Qosmos technology!

Jerome
 
© 2009 Network Intelligence Technology. All Rights Reserved | Powered by Blogger