Editor’s note: Executive Q&A is a regular feature on Tuesdays in Local Tech Wire. To better understand what is going on in the fight against hackers and cyberterrorism, Local Tech Wire recently asked Dr. John Copeland, founder of Lancope, to share some of his thoughts.
They aren’t all comforting, either. The worst attacks probably have yet to hit, he says.
Copeland currently is involved with the National Security Agency on its “Therminator” project (see today’s “The Skinny” column by Rick Smith for more details).
What particular strengths and/or capabilities do you believe led to NSA selecting Lancope as a partner?
Lancope’s StealthWatch system is a non-signature based, giga-Ethernet speed, behavior-based Intrusion Detection System (IDS) that already has characteristics the defense community needs.
Why in your opinion must such new technology be developed? Is the cybersecurity threat that serious? Please explain why.
Cyber-attacks have already been seen in response to international incidents such as the spy-plane collision near China, the U.S. bombing of Yugoslavia, and the Israeli-Palestine conflict. A major conflict or terrorism initiative could include much more serious attacks (cyber-warfare) that could affect major areas of the U.S. economy, not just web e-commerce and e-mail, but basic infrastructure automated systems critical to transportation, power, water, sewage, health care, etc.
Can you explain in layman’s terms signature-based intrusion, behavior-based intrusion and what NSA means by “data visualization”?
Most hacking programs readily available on the Web can be recognized by unique strings of characters in the code (signatures). Signature based systems look for the signatures of previously seen attacks. They may miss new or modified attack programs.
Behavior-based systems vary in design and effectiveness, but generally characterize the network activities of the hosts (computers) on a network and alert when appreciable changes in network usage occur. These can detect attacks that have not been seen before, or modified to escape signature detection.
A data stream can be visualized if different categories of data are represented as bars of different colors whose height is proportional to quantity in a certain time period. This process is repeated to form a stacked bar graph that moves across a computer screen to show current and past data traffic composition.
The Therminator technology goes one step further to represent the many possible states of a data stream by a few variables reminiscent of thermodynamic state parameters for warm matter, such as temperature and entropy. These parameters can then be displayed on a multicolored stacked bar chart to show “state parameters.”
By proactive information security technology, does this mean preventing attacks before they actually happen? Please explain.
“Proactive security” means taking measures to detect a cyber attack before it has time to cause damage, and then taking preventive action when necessary.
Will this new tool assist in tracking down those carrying out the attacks?
The StealthWatch system already stores available local information on the attacking host. Since IP addresses can be spoofed, actual “tracking down” requires investigating log information from routers and switches along the path of the attack. If Therminator systems were in use at all network nodes, an attack would be seen all along its path.
The threat to federal agencies is well understood by many people. Why should private enterprises be so concerned?
Companies today are conducting much of their business over the Internet. If not directly taking orders, they provide information to customers and suppliers via email and Web servers. Internal communications are now done mostly by email. Utilities control their distributed plant via networks. Even the thermostats in some buildings have Ethernet connections to the heating and cooling valves. For convenience there is often one interconnected network. A professional cyber attack could paralyze many corporations and utilities. Whether due to terrorism, or a demonstration by an extortionist, the losses could be huge.
Will this be a software-only solution or include hardware?
What will initially be provided will be an appliance based on standard hardware like the present StealthWatch system.
Will Therminator be useful in resisting or defeating virus attacks?
It depends on the nature of the virus. Therminator (like the present StealthWatch) detected the network activity associated with the Code Red virus.
Three researchers, including the president of Silicon Defense, recently published a paper saying a “Flash worm” could rapidly take over the Internet if protective steps are not taken. How serious a threat do you believe such “worms” are, and will your new project help defeat them?
I doubt if the Code Red worm is the worst that will ever be seen.
The nice thing about a Warhol Worm is that the spreading mechanism requires generating a large amount of anomalous network traffic, perhaps ten to fifty times as much as the Code Red worm. Systems like StealthWatch and Therminator will quickly detect the beginning of such activity and give network administrators the data they need to isolate infected hosts, and block the network activity associated with the spreading to other hosts.
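The signature-versus-behavior distinction Copeland draws earlier in the interview, and the burst of scanning traffic he describes here, as an added example that is not part of the interview and not Lancope's StealthWatch or Therminator code. The flow records, the hostnames and the "known worm" byte string are constructed for the example, and the fan-out multiplier used as the alert threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample flow records: (time_window, src_host, dst_host, payload).
# Windows 0-2 are quiet baseline traffic; in window 3 two hosts start fanning out.
FLOWS = []
for w in range(4):
    for src in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
        for k in range(3):  # each host normally talks to three servers per window
            FLOWS.append((w, src, f"192.0.2.{k}", b"GET /index.html"))
for n in range(30):  # host .6 carries the known byte string to 30 new hosts
    FLOWS.append((3, "10.0.0.6", f"203.0.113.{n}", b"GET /default.ida?NNNN"))
for n in range(30):  # host .7 does the same thing with a few bytes changed
    FLOWS.append((3, "10.0.0.7", f"203.0.113.{n}", b"GET /default.ida?XXXX"))

# Constructed stand-in for a signature of a previously seen attack program.
KNOWN_SIGNATURE = b"/default.ida?NNNN"

def signature_alerts(flows, signature=KNOWN_SIGNATURE):
    """Signature-based: a source is flagged only if a known byte string appears."""
    return {src for _, src, _, payload in flows if signature in payload}

def fanout_per_window(flows):
    """Characterize each host's activity: distinct destinations per time window."""
    dsts = defaultdict(set)
    for w, src, dst, _ in flows:
        dsts[(src, w)].add(dst)
    table = defaultdict(dict)
    for (src, w), s in dsts.items():
        table[src][w] = len(s)
    return table

def behavior_alerts(flows, baseline_windows=3, factor=5):
    """Behavior-based: flag a host whose fan-out jumps to `factor` times its own
    baseline (assumed threshold), regardless of what bytes the traffic carries."""
    alerts = {}
    for src, per_window in fanout_per_window(flows).items():
        base = mean(per_window.get(w, 0) for w in range(baseline_windows)) or 1
        for w, count in sorted(per_window.items()):
            if w >= baseline_windows and count >= factor * base:
                alerts[src] = (w, count, base)
    return alerts

if __name__ == "__main__":
    print("signature:", sorted(signature_alerts(FLOWS)))   # only 10.0.0.6
    print("behavior: ", behavior_alerts(FLOWS))            # 10.0.0.6 and 10.0.0.7
```

The modified payload from 10.0.0.7 slips past the signature check, while the behavior check catches both hosts because the spreading mechanism itself produces the anomalous fan-out.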