Enterprises today face a constant barrage of security threats stemming from worms, viruses, trojans, and other malware. This is in spite
of significant levels of investment in defenses such as firewalls and anti-virus and anti-spam products. Dealing with these attacks cost
U.S. businesses over $67 billion last year. To make things worse, malware designers are staying slightly ahead of the game with a
visible trend emerging of malware becoming stealthier and much harder to detect. Successfully mitigating security threats requires a
multi-pronged approach that must include mechanisms that address different levels of the enterprise. Today's enterprise networks are
very complex because of the sheer number of heterogeneous enforcement points (involving multiple product lines from multiple vendors),
the mobility of end-points, and most importantly, the scale of the network itself (typical enterprise networks contain hundreds of
thousands of hosts). Given these challenges, protecting the enterprise is a significant task, and relatively little work has been done
in this area up to this point. In fact, enterprise policy management today is still largely a manual, ad-hoc process, lacking useful
higher-level abstractions and a systems-level view in the application of security policies. In essence, there is very little autonomics
today in the operational aspects of enterprise security management.
In this paper, we argue that a successful strategy must not rely on silver-bullet-like approaches, but rather should target different
levels of the enterprise. We describe three key building blocks that address different levels of the enterprise and show how these, when
used together, provide truly autonomic security for the enterprise network. At the lowest level, we describe the notion of self-defending end-hosts, i.e., hosts that can detect integrity violations or subversion. We show how Intel® Active Management Technology†
(Intel AMT) [18] and Intel® Virtualization TechnologyΔ (Intel VT-x) can be used to provide software integrity services and enable the
end-host to regulate itself. At the next level, we describe how this capability can be significantly enhanced by allowing end-hosts to
collaborate and detect network-wide anomalies (such as infections, attacks, etc.). Finally, we propose a feedback-based security
management architecture for enterprise networks that views the enterprise at a higher level of abstraction. With these three
capabilities, networks built using Intel® platforms can provide autonomic control and protect themselves from day-zero threats,
consistently with enterprise security policies and without intervention from administrators.
† Intel® Active Management Technology requires the computer to have additional hardware and software, connection with a power source, and a network connection. Check with your PC manufacturer for details.
Δ Intel® Virtualization Technology requires a computer system with an enabled Intel® processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain platform software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.