AlienVault's Barmak Meftah: Time to Put Hackers on the Defensive
"We are seeing a lot more attacks from nation states rather than the traditional hacking from kids trying to break in. There is so much sophistication to the attack methods that you can pretty much tell that they are being sponsored by organized crime. The more we get sophisticated about protecting and detecting these attacks, the more exponential is the sophistication and skill of the hackers."
09/24/13 5:00 AM PT
As CEO of AlienVault, Barmak Meftah faces enemies every day who play out their attacks from faraway lands using seemingly unbeatable weapons.
One of the weapons AlienVault uses with the support of the open source community is a global report called the Open Threat Exchange that tracks threats to computer networks. The results allow these free threat exchanges from security software users to identify trouble spots in their network shields and take corrective action.
In this interview, LinuxInsider talks with Meftah about how the threat environment is changing and why the Linux OS is now at greater risk.
LinuxInsider: How much of a difference is there in the approach taken by open source security solutions versus proprietary software?
Barmak Meftah: My feeling is when you have a collective set of eyes around the globe that has downloaded something many times, has installed it globally and has gone through trials and tribulations, it has been tested and tried so much more than any commercial equivalent. I am a big believer in the more people that download, install and test a product objectively and openly, the more stable and the stronger the product is.
LI: Given today's emerging threat levels, is there a difference in the security threshold for the Linux OS being targeted more frequently?
Meftah: We use Debian 6. In general, the operating system has done an extremely good job in isolating the parts of the OS that could potentially be an attack surface. It has done an extremely good job of keeping the bad guys away from it. It is really hard to get into, especially compared to the Windows OS, even with that platform's improvements. By design, Windows is wide open in terms of allowing intruders to cause a stack overflow.
LI: Are you suggesting that the Linux OS is so hardened that it is impenetrable?
Meftah: Hackers initially take the easy path. Now they are going after the more exotic targets. All of those attack vectors continue to exist on top of the Linux OS. It is just harder to access. Yet it is just a matter of the sophistication of the hacker and the amount of time that they want to put into it.
LI: What method you have found for protecting that potentially vulnerable attack layer sitting above the Linux OS?
Meftah: We assume that any asset is going to be breached -- it is just a matter of time and sophistication. So then the question becomes, are you equipped well enough to have full observation and analysis and visibility in terms of what is happening in your environment?
LI: How do open source solutions provide that assurance that the user is suitably equipped? Is this something that requires high-level IT support or skills a typical end user can acquire?
Meftah: I do not want to minimize the importance of firewalls and antivirus and anti-malware solutions -- I think that those are extremely important -- but if you look at targeted markets, those users with IT departments and aware users typically know how to deploy those products.
Once you look at the analytics side of a computer operation, it has traditionally required a lot of technical expertise, and it has only been in the purview of the top end of the market that could have afforded to spend a lot of money on these things. The vast majority of the market is the SMB and the midlevel enterprises. They have not had the financial wherewithal.
LI: Money resources aside, what makes that middle market segment deficient in using security analytics?
Meftah: In most cases, the IT support -- Linux sysadmins -- at that level do not have the level of security expertise for that perspective to be able to figure out what is going on. So security companies have to simplify by virtue of bringing the necessary security visibility controls together in one suite of products in a very open form factor.
LI: So products are available to effectively deal with the Linux attack surface as long as they are properly configured without building thick security walls that can bog down performance?
Meftah: The ideal solution if you have the financial resources is to buy and configure the required five types of security software: intrusion detection, vulnerability analysis, behavior analysis or forensics, asset inventory management and security intelligence. Your other option is to subscribe to an integrated service solution that offers the same products at a more affordable price point.
LI: Is that level of sophisticated security needed by desktop Linux users and SMBs?
Meftah: Our solution is not really a firewall. What we do is compliment the firewall to only tell users what is going on. A firewall will only attempt to block an intrusion. Our assumption is that at some point you are going to get breached. We stop short of providing protective coverage. We only provide detective services.
LI: Do the threat levels change depending on the computing environment in an SMB shop or a home office compared to a large corporate plant?
Meftah: The only way to know that for sure is to have asset and breach assessments conducted. Then the user can tailor the security response accordingly. It is more an issue of finding out what you are running that is vulnerable rather than what you are running it on.
LI: One of the open source community-based services you developed is a project that maps threat levels. How does the Open Threat Exchange help users with their security issues?
Meftah: The idea behind it is a crowdsourced sharing of computer threats. The Open Threat Exchange is a huge asset that we have thanks to the efforts of the community. There is this aspiration in the security world in the past four years to essentially share threat information. There is so much valuable threat information out there. If we only had access to it, we could finally put the hackers -- who have been on the offense for such a long period of time -- on the defense.
LI: Why has that concept not already succeeded?
Meftah: Everybody wants to get everybody's threat data, but nobody wants to submit their threat data. So we leverage worldwide through our open source community all of the security product downloads we offer. If you submit your threat data to us, we anonymize it and give you back everybody else's threat data. This is sort of a crowdsourced way of sharing threat data.
LI: Has the reliance on the open source community had any results in gathering threat reports from users?
Meftah: In a very short amount of time we are up to about 10,000 subscribers. That threat network encompasses about 140 countries. If you opt in by agreeing to submit your threat reports from our software, you get the full shared results for free. Otherwise, you can pay the subscription fee to get the same thing. Whether you download the open source free version or are using our commercial version, and even for commercial entities, if you opt in, you get the service for free. This is based on the opt-out model. It encourages users even of the free products to share their threat results with the open source community.
LI: So let's say I am an open source user and agree to opt in, and I get the full threat report. What can I do with it to harden my own response to potential security breaches?
Meftah: What happens then is that as our product is performing its security analytics finding out your threats and your vulnerabilities and your anomalies, we will send you correlation analytics against the threat data that is being shared with you. This is really an invaluable context because then you can start asking questions like: "If I got breached or if I am observing this intrusion or this vulnerability, am I the only company seeing this? Are other companies in my industry seeing the same thing? Are other companies in my geography seeing this region?"
LI: Based on this data flow that you see, are you now aware of any changes or trends in the threat levels? Can you tell how things are different now than they were three years ago?
Meftah: The pace of sophistication in terms of the attack vectors and the hacking techniques being used is pretty amazing. We are seeing a lot more orientation towards state-sponsored attacks. We are seeing a lot more attacks from nation states rather than the traditional hacking from kids trying to break in. There is so much sophistication to the attack methods that you can pretty much tell that they are being sponsored by organized crime. The more we get sophisticated about protecting and detecting these attacks going through the environment, the more exponential is the sophistication and skill of the hackers.
LI: What would you say are today's top two or three security concerns facing Linux users?
Meftah: I can tell you three things that I honestly think every system administrator and every IT Ops person and every security operations officer should really focus on. This is particularly true of companies that are in mid-market to SMB phase. One is prevent attacks or threats from happening. A lot of the traditional security controls like firewalls and antivirus and anti-spyware and Web filtering -- all the things we call thick walls -- are still important between the hacker and your assets, but these walls by themselves are insufficient.
Two is to have a full-fledged capability around threat visibility. It is not just enough to say, 'I put a firewall in place.' It is critical to continue to monitor and analyze the threats and the vulnerabilities and the anomalies that are happening in that environment.
Finally, you have to have a sophisticated way to respond to those attacks. You need sort of an instant response mechanism to block what you observe happening.