<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Jeff Bardin has a post up as his <a href="http://blogs.csoonline.com/1510/real_time_actionable_intelligence_i_can_have_today">CSO Online blog</a> which has a nice metaphor for data security by comparing it to vehicular traffic on highways. The metaphor comparing data to cars is pretty good (and not unique to the security space, lots and lots of traffic management and queuing strategies are well understood in terms of highways and cars) and I kind of like the way he suggests that a tool can just send 'red' (i.e. bad) cars for detailed inspection etc.</p> <!--more--><p>However the limits of the metaphor (how do you know the red cars are the bad ones?) show the limits of the solution he praises. Far better, it seems to me to think of a highway border crossing. Now this may be less familiar to US citizens but there are plenty of these sorts of crossings here in Europe so I am very familiar with them. The big difference between a border crossing and a toll barrier is that at the border crossing every vehicle is briefly stopped and everyone has to show a passport.</p> <p>Not every car is fully inspected - in fact few are, most show a passport and are waved through - but the customs people have a list of suspects updated all the time and when they spot one they direct them into the 'red' channel for a full inspection.</p> <p>This is exactly how a firewall running ThreatSTOP works. ThreatSTOP provides a regularly updated list of bad IP addresses and the firewall looks at the packets exiting (or entering) to see their destination (or source). If the address is on the "persona non grata' list then the packet is either dropped (the usual case) or directed to a security device for deeper inspection. Meanwhile all the other packets pass through with no hold up.</p> <p>Becuase this system is proactive, rather than reactive, we block data loss and advance persistent threats (APT) rather than warn afterwards that some data may have leaked. As I blogged at the time, it looks like we would have <a title="The RSA spearphish attack and IP&nbsp;reputation" href="http://blog.threatstop.com/2011/04/03/the-rsa-spearphish-attack-and-ip-reputation/">detected and stopped the RSA spear-phish attack</a> - or at least provide an alert the first time something internal tried to call home to one of the servers the criminals were using.</p> <p>There is of course one obvious downside to our proactive list approach - which is that new threats will take a while to be detected. We have two fairly simple answers to that firstly we are <a title="IP Reputation – Responsiveness is&nbsp;Key" href="http://blog.threatstop.com/2011/03/16/ip-reputation-responsiveness-is-key/">demonstrably faster than other services</a> and secondly that no security system in isolation is perfect. Moreover as the border metaphor shows you really want to make sure you have IDed the bad guys and not got some good guys on the list by mistake - think of all the jokes about the DHS's no-fly list. In today's world where Internet access is key being unable to contact legitimate external systems is a major cost and we take the time to exclude false positives as part of that process.</p></span>