By Dan Joe Barry, VP Positioning and Chief Evangelist at Napatech
Prevention has been the predominant philosophy guiding security solutions to date. The premise is that it is possible through defense in depth and multiple layers of security to foil attacks from the outside. In other words, by building higher and thicker walls of defense, we can keep the enemy out. But, if history teaches us anything, it’s that a strategy based on defensive walls alone will not succeed. As a case in point, let’s look at the Maginot Line.
A Maginot Line of Defense: Security Prevention
After the First World War, France built the Maginot Line, a line of concrete fortifications that stretched from Switzerland to Belgium. It was hailed by experts as a work of genius as it was impervious to bombardment from land or air and allowed the French time to mobilize in the event of an attack. After the years of defensive trench warfare of the First World War, one would be forgiven for assuming that any future confrontations would be a “guerre de longue durée” or “war of long duration.” In other words, the Maginot Line made sense.
Nevertheless, the Maginot Line had its weaknesses. It did not extend along the Belgian border for fear of offending Belgium. The plan there was to concentrate troops and repel an invasion from Belgium. But the assumption was that a German invasion could not be directed through the Ardennes Forest just north of the wall, so this part of the line was not defended. As we all now know, this is exactly where the Germans struck, and the rest, as they say, is history.
In many ways, this story reflects the current situation with network security. Our “Maginot Lines” of security prevention are actually being surmounted every day – we just don’t always know it. If you want evidence of this fact, just see this fascinating interactive graphic history of the largest security breaches of the last decade.
The Ardennes Forest of Security: The Internal Network
The ingenuity and daring that the Germans showed in attacking through the Ardennes, which was believed to be impossible to cross and thus not defended, mirrors the daring and ingenuity that cyber criminals show every day in identifying weaknesses in security defenses.
The “Ardennes Forest” of security today is the internal network. Up until recently, it was assumed that all attacks started from outside the perimeter of our defenses, but with the advent of Bring Your Own Device (BYOD), larger-capacity USB drives and malicious behavior by employees, the internal network has become vulnerable to attacks from within.
The combination of zero-day threats and attacks from within the internal network is now driving new types of solutions referred to as “Advanced Threat Detection.” These security detection solutions focus on detecting anomalous behavior in the network itself so that potential threats can be identified and dealt with before they cause damage. They are not a replacement for security prevention, but a complement. Both preventive and detective solutions are needed to counteract attacks, and the information gathered by both can also be used in retrospective analysis to determine whether any further measures need to be taken and to learn from experience.
Such detection includes not just monitoring of logs and NetFlow information, but also real-time packet capture and analysis, as well as recording of packet capture data for near-real-time and post-analysis. By analyzing data traffic, it is possible to build a profile of normal network behavior that can then be compared against real-time or recorded data to detect whether something out of the ordinary is occurring.
The Hole in the Wall: The Deluge of Security Alerts
An alert of potential malicious behavior from a detection solution can be compared against information from security prevention solutions to assess whether an attack is underway. Conversely, it can be used to validate a threat alert from a security prevention solution that could be a “false positive.” In either case, there is great value in using this information to verify what is happening.
In a report entitled “The Cost of Malware Containment,” the Ponemon Institute estimated that in a typical week, an organization can receive up to 17,000 malware alerts. There are not enough resources to respond to each of these alerts, and the cost of responding is also significant. The average cost of time wasted responding to inaccurate and erroneous intelligence was estimated by Ponemon Institute to be up to $1.27 million annually for a typical organization.
Because of this, only four percent of all malware alerts are investigated. The Ponemon Institute also found that prevention tools miss 40 percent of malware infections in a typical week. The longer this goes undetected, the larger the potential risk of a breach. This is the hole in the security wall that many attackers exploit.
So, the solution is not just about more alerts from security detection appliances, but also automation of tools that can correlate information from multiple sources in order to determine the real situation and have the capacity to examine each and every alert. This requires big data analysis, machine learning and artificial intelligence solutions.
With automated tools, you get the full benefit of combining intelligence from prevention and detection solutions to form a security solution that increases your success rate in detecting and preventing a security breach, while also making better use of your precious security staff, who are currently overwhelmed.
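The two ideas above, a behavior profile built from recorded traffic and the correlation of detection findings with prevention alerts, as one added example that is not part of the article or any Napatech product. The flow records, alert signatures and the per-host mean/standard-deviation profile are constructed assumptions for illustration; a production system would build its profile from real NetFlow or packet capture data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the article): recorded flows that form the
# "normal behaviour" profile, a batch of live flows, and prevention-tool alerts.
BASELINE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 443, "bytes": b} for b in (1000, 1100, 1200, 1000, 1100, 1200)
] + [{"src": "10.0.0.9", "dst_port": 443, "bytes": b} for b in (2000, 2100)]
LIVE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 443, "bytes": 500_000},   # byte volume far above profile
    {"src": "10.0.0.5", "dst_port": 4444, "bytes": 900},      # port never seen in baseline
    {"src": "10.0.0.9", "dst_port": 443, "bytes": 2050},      # within profile
    {"src": "10.0.0.7", "dst_port": 443, "bytes": 700},       # host absent from baseline
]
PREVENTION_ALERTS = [                                          # constructed signature names
    {"host": "10.0.0.5", "signature": "EXAMPLE-C2-BEACON"},
    {"host": "10.0.0.9", "signature": "EXAMPLE-SCAN"},
]

def build_profile(flows):
    """Per-host profile: mean and std-dev of bytes per flow plus the set of ports used."""
    volumes, ports = defaultdict(list), defaultdict(set)
    for f in flows:
        volumes[f["src"]].append(f["bytes"])
        ports[f["src"]].add(f["dst_port"])
    return {h: {"mean": mean(v), "sd": pstdev(v), "ports": ports[h]} for h, v in volumes.items()}

def detect_anomalies(profile, flows, z=3.0):
    """Compare flows against the profile; return (host, reason) for anything out of the ordinary."""
    findings = []
    for f in flows:
        p = profile.get(f["src"])
        if p is None:
            findings.append((f["src"], "host not in baseline"))
        elif f["dst_port"] not in p["ports"]:
            findings.append((f["src"], f"new destination port {f['dst_port']}"))
        elif p["sd"] and abs(f["bytes"] - p["mean"]) / p["sd"] > z:
            findings.append((f["src"], "byte volume outlier"))
    return findings

def correlate(anomalies, prevention_alerts):
    """Join detection findings with prevention alerts per host into one triage verdict."""
    detected = {h for h, _ in anomalies}
    prevented = {a["host"] for a in prevention_alerts}
    verdicts = {}
    for host in detected | prevented:
        both = host in detected and host in prevented
        # both sources agree -> investigate; network anomaly only -> watch;
        # prevention alert with no network anomaly -> candidate false positive
        verdicts[host] = "investigate" if both else "watch" if host in detected else "possible false positive"
    return verdicts
```

Calling `correlate(detect_anomalies(build_profile(BASELINE_FLOWS), LIVE_FLOWS), PREVENTION_ALERTS)` turns three raw anomalies and two prevention alerts into one verdict per host, which is the kind of automated triage the alert volume above calls for.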
Effective Defense: A Combination of Prevention and Detection
As we can see, higher and thicker security prevention perimeters provide a false sense of security. These are the Maginot Lines that lull us into the false belief that we are safe. But, as we have seen above, these defenses are breached every day, to an extent that security professionals can’t keep up.
At the heart of advanced threat detection solutions is the concept of continuous monitoring and analysis, not just of logs and NetFlow data but of packets themselves. Packet capture and network traffic analysis are therefore the very foundation that supports security detection solutions. Ensuring that you have an efficient and reliable security detection infrastructure is therefore paramount.
So, what should you demand of your security detection infrastructure for it to be effective? Here are a few suggestions:
- The ability to capture all traffic, all the time without losing any data. This requires solutions with the capacity and speed to handle full theoretical throughput, not just to keep up, but also to avoid being overwhelmed by data deluges, which can be instigated as part of an orchestrated attack.
- The ability to analyze this data in real time, but also near real time and after the fact. This requires the ability to capture data reliably to disk and storage at full line rate without losing any data so a reliable forensic analysis can be performed after the fact.
- With over 70 percent of breaches being detected by someone outside the organization after an average of 250 days, the ability to go back and understand when and where the breach occurred is fundamental. That requires the ability to replay what happened on the network exactly as it happened. You might think this an expensive insurance policy, but with the average cost of a breach exceeding $3 million for a typical organization, as well as the cost to reputations and executive careers, perhaps it is an investment in self-preservation that can be justified?
The Maginot Line was once considered a work of genius, but after the Second World War became the butt of many jokes, such as: The Maginot Line is French for “speed bump ahead.” If you don’t want your network security to become a joke, then invest in security detection, continuous monitoring and automated tools for correlation of data alerts.
About the Author
Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.