Operation Aurora – Post Mortem

Sophisticated, multi-vector attacks like Operation Aurora are now more pervasive and more difficult to detect than ever before, thanks in part to the emergence of Web 2.0 and the rapid growth of the internet. Already, in the weeks that have followed Operation Aurora, McAfee Labs has identified a number of derivative attacks based on publicly available Aurora exploit code.
McAfee’s ability to detect and respond to Operation Aurora before any other security vendor illuminates some very significant advantages of our security model, particularly in the area of network security.
To understand the role that network security can and should play in defense of coordinated attacks like Aurora, it makes sense to explore three common shortcomings of today’s security approach:
1) Most solutions don’t protect against threats that haven’t yet been detected.
2) Most solutions lack the levels of analysis automation and global intelligence necessary for timely identification and propagation of threat information.
3) Most solutions act in isolation, lacking the ability to collect and share threat information across security infrastructure. This situation reminds me of the federal government’s review of 9/11. Many of the pieces of information existed, but they just couldn’t put it all together and disseminate it.
‘Pre-detection’ defenses
The notion of disarming a threat before it is detected is challenging to say the least. Yet McAfee has a number of tools that do just that. (continue reading...)