By Dan Joe Barry, VP Positioning and Chief Evangelist at Napatech
Many factors have converged to create greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions.
BYOD can act as a Trojan horse to gain access to the network, and employees or contractors can knowingly or unwittingly mishandle data in a way that results in a breach.
Cloud computing also provides new opportunities for attackers, who are constantly looking for novel ways to breach defenses by exploiting vulnerabilities.
We’ve lost the cybersecurity perimeter war, and we’d better try something new.
Here’s my proposition: Along with standard security prevention solutions, deploy an additional layer of advanced threat detection based on user and network behavior analysis.
These internal advanced threat solutions rely on continuous monitoring of network activity to first establish a profile of normal network behavior and then compare real-time activity to this profile to detect anomalous behavior.
When used in conjunction with the information from other security solutions, it can provide the first indication that a breach has taken place.
This configuration works extremely well against non-malware attacks since it does not rely on detecting file downloads but on detecting activities that are out-of-the-ordinary, giving the security team the basis for further investigation.
Network behavior analysis does not work without the ability to analyze all network traffic in real time. This requires packet capture solutions that can deliver each and every packet for analysis without packet loss, even at speeds up to 100G.
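As an added illustration (not Napatech product code), the baseline-and-compare logic described above applied to constructed per-interval flow summaries; the host, ports, byte counts and intervals are made up, and the 3-sigma threshold is an assumed tuning choice.

```python
"""Baseline-and-compare network behavior analysis over constructed flow summaries.
Added example; the records below are made up, not captured traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" history: (interval, src_host, dst_port, bytes) per interval.
BASELINE_FLOWS = [
    ("day1", "10.0.0.5", 443, 12000), ("day1", "10.0.0.5", 53, 300),
    ("day2", "10.0.0.5", 443, 11500), ("day2", "10.0.0.5", 53, 280),
    ("day3", "10.0.0.5", 443, 12800), ("day3", "10.0.0.5", 53, 310),
    ("day4", "10.0.0.5", 443, 11900), ("day4", "10.0.0.5", 53, 295),
    ("day5", "10.0.0.5", 443, 12300), ("day5", "10.0.0.5", 53, 305),
]
# Constructed live interval: the usual traffic plus a large transfer on a port never seen before.
LIVE_FLOWS = [
    ("day8", "10.0.0.5", 443, 12100), ("day8", "10.0.0.5", 53, 300),
    ("day8", "10.0.0.5", 22, 900000),
]

def build_profile(flows):
    """Per source host: mean/stddev of bytes per interval and the set of ports normally used."""
    per_interval = defaultdict(lambda: defaultdict(int))  # host -> interval -> bytes
    ports = defaultdict(set)
    for interval, host, port, nbytes in flows:
        per_interval[host][interval] += nbytes
        ports[host].add(port)
    profile = {}
    for host, intervals in per_interval.items():
        totals = list(intervals.values())
        profile[host] = {"mean": mean(totals), "std": pstdev(totals), "ports": ports[host]}
    return profile

def detect_anomalies(profile, live_flows, k=3.0):
    """Compare one live interval against the profile; return a sorted list of alert strings."""
    alerts = set()
    totals = defaultdict(int)
    for _interval, host, port, nbytes in live_flows:
        totals[host] += nbytes
        if host not in profile:
            alerts.add(f"{host}: no baseline (new host)")
        elif port not in profile[host]["ports"]:
            alerts.add(f"{host}: unusual destination port {port}")
    for host, total in totals.items():
        p = profile.get(host)
        # Volume check: flag intervals more than k standard deviations above the baseline mean.
        if p and total > p["mean"] + k * max(p["std"], 1.0):
            alerts.add(f"{host}: volume {total} B exceeds baseline ({p['mean']:.0f} +/- {p['std']:.0f})")
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect_anomalies(build_profile(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert)
```

The alerts are only a starting point for investigation, as the text says: a genuinely new service on a host will also trip the port check until the baseline is refreshed.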
The Power of Forensics
When a data breach occurs, the immediate concern is to determine the extent of the breach and the company’s exposure.
The C-level executive will expect his security team to be able to report exactly what happened, when it happened and why it happened within a matter of hours.
Unfortunately, most security solutions today are built to prevent and detect attacks in real time or at least near-real-time.
Reconstructing the anatomy of an attack in detail is often impossible, especially if the attack took place up to six months ago.
There is, therefore, a strong case to be made for the ability to record network traffic in a way that will allow the reconstruction of a breach even months after the fact.
A packet capture-to-disk or network recording capability allows every packet on the network to be recorded at speeds up to 100 Gbps, and can also provide multiple security analysis applications access to the same data.
This allows deep-dive analysis of reliable network data on demand to support near-real-time forensic analysis or analysis of breaches several months in the past.
Toward Adaptive Security
In a report last year, Gartner concluded that there is an over-reliance on security prevention solutions, which are insufficient to protect against advanced attackers.
The alternative proposed was an adaptive security architecture whose foundational and enabling underpinning is the ability to perform continuous monitoring and analytics, including for the network.
This new combination of packet capture capabilities, next-generation SIEM solutions and advanced threat detection solutions creates the infrastructure to support an adaptive security framework:
IT security teams can now detect zero-day threats and anomalous behavior that can indicate breaches, and prevent known attacks.
The alerts and information from each solution are correlated and condensed by solutions like SIEM systems that will enable security teams to quickly focus their attention on the most important threats.
If a breach is only detected after the fact, being able to fully capture and record each packet allows the anatomy of an attack to be recreated, allowing a quick determination of the extent and impact of the breach, as well as the ability to learn and prevent such a breach from happening again.
This is the level of cybersecurity we need today.
The solutions and the technologies to implement them are available, and in light of the volume, variety and velocity of threats, there’s just no excuse left not to.
Unless you enjoy explaining preventable security breaches to your CIO.
About the Author:
Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry.
Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector.
From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson.
Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.