BT addresses Sony-style ‘network’ anomalies with new security product
Wed 15 Apr 2015
British Telecom has launched a new threat-protection service aimed at organisations with complex ICT systems, which claims to be able to recognise anomalous network behaviour that may indicate a network incursion, similar to the longstanding invasion of Sony’s network which preceded the infamous ‘Sony Hack’ last autumn. BT Assure Cyber provides an external wrapper around existing network security procedures, protocols and applications, and is capable of being configured in a custom solution designed for specific business needs rather than aggregate threat assessment profiling techniques.
The new service provides accreditation up to HMG IL5 for its system and architecture, with guaranteed SLA, updates and ‘continuous service improvements’.
Though little detail is given in any of the releases as to the algorithm or methodology behind Assure Cyber’s ‘anomaly detection’, the central bases of the system are outlined:
Reference data import provides baseline expectations and specifies the ‘expected’ host configuration, including networks and connected devices, taking note of the host company’s existing asset management system, and creating initial benchmarks. Network discovery maps the true topology of a network rather than just correlating nodes against initial benchmarks, and then adds new standards against which to measure change and seek to detect anomalies.
Anomaly detection compares variations between the expected and found network topology, using the deeper inspection of Active Network Discovery and Vulnerability Analysis to identify areas that may need investigation. Threat correlation and analysis correlates multiple sources of information – among them the existing analysed network – to score, trend and identify complex patterns of activity that may signal network attack. Thereafter the modules respond with risk management, security incident management and reporting tools and procedures.
The algorithms behind the new system are unsurprisingly not examined in great detail, but the deep network mapping aspect of Assure Cyber does seem to have been inspired by some of the techniques that hackers used to gain malevolent presence on Sony’s network last year for an extended period of time prior to the hack.
Security frameworks have used heuristics for a long time in an attempt to identify anomalous or suspicious behaviour which is not directly fingerprinted in their threat databases, but have frequently been foiled by an unfavourable rate of false positives. Assure Cyber, instead, seems to be taking a lesson from the Sony 2014 debacle – and arguably from Michael Crighton’s Jurassic Park novel (not the movie), which featured a security system that failed because it was expecting a certain number of entities (dinosaurs) to monitor and had not anticipated that for unexpected reasons, there might be more of these than registered.