What Network Defense Requires Today
In both the physical and digital realms, those in charge of security have followed the mandate of prevention. By setting up layers of defense, so the premise goes, attacks to the perimeter can be repelled. However, distant and recent history alike reveals that a strategy that relies primarily on defensive walls is doomed to failure. The legendary Trojan Horse incident provides an excellent example.
The Trojan War: Defeat from the Inside
After 10 years of war, the Greeks had fought their way to the walled city of Troy and had come to a standstill. That’s when someone came up with the genius plan to build a huge horse—the emblem of Troy—hide soldiers inside it and leave it as an offering at the city gates. They burned their tents and pretended to sail away.
Everyone knows what happened next. The Trojans wheeled the horse into their city, closed the gates and went to sleep. The Greeks crept out, opened the gates to their comrades who had sailed back in the night, and decisively ended the war.
The Greeks overcame formidable defenses by sneaking inside the walls. In many ways, this story reflects the current state of network security. Our city walls of security prevention are actually being surmounted every day – we just don’t always know it. If you want evidence of this fact, just see this fascinating interactive graphic history of the largest security breaches of the last decade.
The Gates Are Open
Rather than focusing on tearing down the wall or breaking through it, the Greeks figured out a way to disguise themselves and sneak past the gatekeepers. Until recently, it was assumed that all attacks started from outside the perimeter of our defenses, but with the advent of Bring Your Own Devices (BYOD), larger USBs and malicious behavior by employees, the internal network has become vulnerable to attacks from within.
“Advanced Threat Detection” has come onto the security scene in response to a combination of zero-day-threats and attacks from within the internal network. These security detection solutions focus on detecting anomalous behavior in the network itself so that potential threats can be identified and dealt with before they cause damage. These are not a replacement for security prevention, but a complement. Both preventive and detective solutions are needed to counteract attacks, but the information gathered by both can also be used in retrospective analysis to determine if any further measures need to be taken and to learn from experiences.
The resulting complementary process combines the monitoring of logs and NetFlow information with real-time packet capture and analysis and the recording of packet capture data for near-real-time and post-analysis. By analyzing data traffic, it is possible to build a profile of normal network behavior that can then be compared against real-time data or recorded data to detect if something out of the ordinary is occurring.
Beware of Greeks Bearing Gifts
To assess if an attack is underway, the alert of potential malicious behavior can be compared against information from security prevention solutions. Conversely, it can be used to validate a threat alert from a security prevention solution that could be a “false positive.” In either case, there is great value in using this information to verify what is happening.
In a typical week, an organization can receive up to 17,000 malware alerts, according to
a report entitled “The Cost of Malware Containment” by the Ponemon Institute. There are not enough resources to respond to each of these alerts, and the cost of responding is also significant. The average cost of time wasted responding to inaccurate and erroneous intelligence was estimated by Ponemon Institute to be up to $1.27 million annually for a typical organization.
This translates to the reality that only four percent of all malware alerts are investigated. The Ponemon Institute also found that prevention tools miss 40 percent of malware infections in a typical week. The longer this goes undetected, the larger the potential risk of a breach. This is the hole in the security wall that many attackers exploit.
What organizations need now, in addition to alerts from security detection appliances, are automated tools that can correlate information from multiple sources in order to determine the real situation and have the capacity to examine each and every alert. This requires big data analysis, machine learning and artificial intelligence solutions.
These tools offer the significant benefit of combining intelligence from prevention and detection solutions to form a security solution that increases your success rate in detecting and preventing a security breach, while also making better use of your precious security staff, who are currently overwhelmed.
Prevent AND Detect
City walls of security lull us into the false belief that we are safe. But, as we have seen above, these defenses are breached every day, to the extent that security professionals can’t keep up. At the heart of advanced threat detection solutions is the concept of continuous monitoring and analysis, not just of logs and NetFlow data but also of packets themselves. Packet capture and network traffic analysis are therefore the very foundation that supports security detection solutions. Ensuring that you have an efficient and reliable security detection infrastructure is therefore paramount.
To make sure that you get the security detection infrastructure you need, look for these capabilities:
- Continuously capture all traffic – without losing any data. This requires solutions with the capacity and speed to handle full theoretical throughput, not just to keep up, but also to avoid being overwhelmed by data deluges, which can be instigated as part of an orchestrated attack.
- Analyze the data in real time as well as in near-real time and forensically. This requires the ability to capture data reliably to disk and storage at full line rate without losing any data so a reliable forensic analysis can be performed after the fact.
- Go back and understand when and where the breach occurred. This requires the ability to replay what happened on the network exactly as it happened. You might think this is an expensive insurance policy, but with the average cost of breach exceeding $3 million for a typical organization, as well as the cost to reputations and executive careers, perhaps it is an investment in self-preservation that can be justified?
The story of the Trojan Horse has endured through the centuries as an example of human ingenuity and cunning. Sadly, this tactic is used today by crafty cyber criminals to bypass security walls by stealth and gain entry into the network. What works today is a combined defense of security detection, continuous monitoring and automated tools for correlation of data alerts. This strategy will help keep unwanted guests out of the network.
About the Author
Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.
Edited by Peter Bernstein