From the beginning of networked computers until very recently, IT security professionals have aligned with the idea of defending the network’s perimeter – shore up defenses to keep the bad guys out. This is also known as “security prevention.” The problem is that the bad guys have gotten better at breaching the perimeter. And it’s not just that attackers need to be kept out; more and more, internal threats like employee error and the BYOD trend are causing security issues.
To complicate matters, network speeds now routinely hit 100 Gigabits per second. That’s roughly 70 million times faster than the typical network connection when firewalls were introduced. This poses a number of challenges, particularly in the area of security. Network growth, along with the data deluge, puts a great amount of pressure on organizations to combat cyber threats and analyze cyber-attacks in real time so that necessary actions can be taken with minimum delay.
There is a shift occurring, then, from “security prevention” to “security detection,” which uses network analysis to detect anomalies as a first indicator of new types of threats, either zero-day threats or ones that come from within the network. Gartner’s Shift Cybersecurity Investment to Detection and Response research projects that by 2020, 60 percent of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 20 percent in 2015. It is in this context that post-analysis comes into its own, as it is not always easy to catch threats as they happen.
It is pivotal, then, to be able to conduct deep analysis offline or even post-attack to determine what happened. The analysis allows management to make decisions and take actions in response to an attack. More importantly, it is needed to ensure that a cyber event has been truly resolved so that all public disclosure, notification of impacted parties and internal remediation can be completed.
High-speed networks are undergoing attacks at an unprecedented level. However, in most cases, the attacks are only discovered weeks later. Network security solutions are facing a two-fold growth challenge: Data traffic is increasing exponentially, so there is more to analyze at faster speeds. At the same time, cyber-attacks are also growing in number and complexity.
The resulting number of security alerts and events in an organization’s environment is staggering. Entire businesses have been created to fulfill the need to process the tens of billions of events generated every day in a typical large enterprise. The security team faces the huge task of collecting this data from all the tools and then prioritizing them by severity.
Alert management tools exist to help with this enormous task, but the problem is that these tools often give either incomplete or contradictory information about a given event. Add to this that once an attacker is inside, he will often compromise the credentials of a legitimate user and might disguise himself as an employee to do searches and extract sensitive data.
Security in Layers
What’s to be done? Organizations can mitigate risk by deploying a diverse strategy that ensures all security prevention solutions have the necessary bandwidth and capacity to handle high-speed, high-volume attacks. The plan also must ensure that security detection solutions are in place to detect anomalies in real time but also to record network activity for deeper analysis and/or later detection of a past breach.
Consequently, cybersecurity strategies today cannot depend on a single security solution. Traditional point defenses cannot adequately address the new, faster-moving, multi-layer threats and more sophisticated attackers. What’s required is a layered approach with defense-in-depth, where an organization not only relies on network security appliances for indications of data breaches but also network behavior analysis.
Network security has gone from prevention to detection, and a final, “last security tool” must be added: continuously recorded network data. A network forensics solution should continuously capture all data 24x7, regardless of whether anything interesting is happening in a particular moment or not. Then, in conjunction with alerts from the other tools, the security team can investigate whether the event was a false alarm or something that needs to be actioned. Moreover, they can see what happened after the breach and achieve the ultimate goal: determining all the assets the attacker may have accessed and whether he has truly been eliminated from their environment.
Putting it All Together
There are tools available today that will provide a partial network recording based on an event, but that data is inevitably incomplete if the recording tool did not see anything it considered interesting. For effective network forensics, we need a tool that can record everything continuously at high speed. It must be purpose-built for this, since the storage and indexing demands of this volume of data differ greatly from the architecture of the other security tools.
However, real-time data capture can be taken a step further by introducing the concepts of data capture and retrieval-on-demand. The network forensics solution must provide an immediate and indexed answer to an investigator pursuing an event. It is crucial that security officers can quickly go to the time and place of the event to start analysis, and waiting several hours for this initial answer can cause serious delays while the attacker may still be inside.
The enormous volume of data flooding today’s networks poses a significant challenge to IT security teams. It can be tedious and often quite expensive to store and analyze every single data packet. This reality drives the need to retrieve data on demand with a few simple commands. In this scenario, users are able to get to the root of the problem by accessing the packets from a certain server or time period.
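The continuous-capture plus retrieve-on-demand idea described above, as an added example that is not from the article or any Napatech product: a toy in-memory capture store that keeps every packet, indexes it by time and by host, and answers “packets from this server in this time window” without scanning the whole recording. Hosts, timestamps and packet sizes are constructed sample data.

```python
from bisect import bisect_left
from collections import defaultdict


class CaptureStore:
    """Append-only packet log with a time index and a host index (illustrative only)."""

    def __init__(self):
        self.packets = []                 # (ts, src, dst, nbytes) in arrival order
        self.times = []                   # parallel list of timestamps: the time index
        self.by_host = defaultdict(list)  # host -> positions in self.packets: the host index

    def record(self, ts, src, dst, nbytes):
        # Continuous capture: every packet is kept, whether or not it looks interesting.
        if self.times and ts < self.times[-1]:
            raise ValueError("capture must be appended in time order")
        pos = len(self.packets)
        self.packets.append((ts, src, dst, nbytes))
        self.times.append(ts)
        self.by_host[src].append(pos)
        self.by_host[dst].append(pos)

    def window(self, start, end):
        """All packets with start <= ts < end, found by binary search on the time index."""
        return self.packets[bisect_left(self.times, start):bisect_left(self.times, end)]

    def for_host(self, host, start=None, end=None):
        """Packets touching one server, optionally restricted to a time window."""
        lo = 0 if start is None else bisect_left(self.times, start)
        hi = len(self.packets) if end is None else bisect_left(self.times, end)
        return [self.packets[i] for i in self.by_host.get(host, []) if lo <= i < hi]

    def bytes_out(self, host, start=None, end=None):
        """Bytes sent by host in the window: a quick check when an alert suggests data theft."""
        return sum(p[3] for p in self.for_host(host, start, end) if p[1] == host)


def build_sample():
    """Constructed traffic: an internal DB server 10.0.0.5, two workstations, one external host."""
    store = CaptureStore()
    store.record(100, "10.0.0.20", "10.0.0.5", 300)
    store.record(150, "10.0.0.5", "10.0.0.20", 1200)
    store.record(200, "10.0.0.21", "10.0.0.5", 250)
    store.record(260, "10.0.0.20", "203.0.113.9", 50000)  # large transfer to an external host
    store.record(310, "10.0.0.20", "203.0.113.9", 48000)
    store.record(400, "10.0.0.21", "10.0.0.5", 260)
    return store
```

An analyst handed an alert with a timestamp and a host can call `for_host` or `window` to land directly on the relevant packets instead of replaying the whole capture.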
In the final analysis, it is crucial to capture data, but just as important are the twin components of rapid retrieval speed and data on demand. Together they form a layered solution that raises and widens the security prevention perimeter. That’s a good start, but this approach also gives IT teams the real-time, on-demand security detection capabilities they need to detect events and determine the root source of the breach. This creates a robust security framework, whether threats emerge from outside the network or from within.
About the author:
Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.