In part 1 of this series, we looked at the challenges facing security teams today and, in particular, the need for more intelligent cybersecurity solutions, more powerful cybersecurity appliances and faster response to security incidents. We also looked at how reconfigurable computing solutions are addressing the need for more powerful appliances and enabling faster response to security incidents. In part 2, we will dive deeper into the latest developments in enabling more intelligent and comprehensive cyber security solutions and how reconfigurable computing can make a difference.
The first step in realizing more intelligent cybersecurity solutions is a Security Information and Event Management (SIEM) system as the central point of collection, analysis and correlation for system logs, network telemetry and behavior analytics. Many SIEM solutions now apply machine learning to correlate events from diverse sources, group related alarms into incidents and rank those incidents by severity.
This reduces the number of alarms an analyst must examine, but the result is only as good as the input on which the analysis is based. That is why a consensus is building around security frameworks that draw on a number of different sources of intelligence. Two examples are the Security Operations, Analytics and Reporting (SOAR) framework from Gartner (Gartner has since repurposed the SOAR acronym to mean Security Orchestration, Automation and Response) and the Security Operations and Analytics Platform Architecture (SOAPA) framework from The Enterprise Strategy Group.
In the Gartner SOAR framework, the SIEM is complemented by vulnerability assessment, security incident response, threat and vulnerability management and security orchestration and analytics solutions.
In the Enterprise Strategy Group SOAPA, a similar framework is proposed based on SIEM, network forensics, endpoint detection and response, threat intelligence platforms, incident response platforms and user and entity behavior analytics.
Combined, the solution could look something like this.
One important thing to note in the solution framework is that the quality of data input is all-important, which is why full packet capture of network traffic is essential in supporting not only the SIEM and incident response platforms, but also in ensuring that security automation and orchestration decisions are made on reliable network data. You do not always need to inspect every packet, but the packets are the basis for the statistics, metadata, flow records and other derived data that are often sufficient for automated decisions. The derivation only works in one direction: a flow record tells you that two hosts talked, not what they said, and a sampled view can miss short flows entirely. The ability to record, store and retrieve the packets themselves, especially for forensic purposes, is therefore essential.
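As an added example (not code from the original article or from Napatech), the following Python derives per-flow records from full Ethernet/IPv4 frames and then shows what a 1-in-N packet sampler loses. The frames, addresses, ports and the three-port SYN scan are constructed for the illustration; the parser handles only IPv4 over Ethernet carrying TCP or UDP, which is all the constructed traffic contains.

```python
"""Derive flow records from full packet capture and compare with 1-in-N sampling.
Added example with constructed frames; not a real capture."""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_PSH_ACK = 0x02, 0x18


def build_frame(src, dst, proto, sport, dport, payload_len, tcp_flags=TCP_PSH_ACK):
    """Construct an Ethernet/IPv4/{TCP,UDP} frame. Checksums are left zero;
    the parser below does not verify them (constructed test data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 0, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total = 20 + len(l4) + payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + l4 + b"\x00" * payload_len


def parse_frame(frame):
    """Return ((src, dst, proto, sport, dport), ip_total_length, tcp_flags),
    or None if the frame is not IPv4 carrying TCP or UDP."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = l4[13] if proto == PROTO_TCP else 0
    return (src, dst, proto, sport, dport), total_len, flags


def flow_records(frames, sample_every=1):
    """Aggregate frames into per-5-tuple records (packets, bytes, OR of TCP flags).
    sample_every=N keeps only every Nth frame, as a packet sampler would."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": 0})
    for i, frame in enumerate(frames):
        if i % sample_every:
            continue
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, length, flags = parsed
        rec = flows[key]
        rec["packets"] += 1
        rec["bytes"] += length
        rec["flags"] |= flags
    return dict(flows)


def syn_only_flows(records):
    """Flows whose only observed TCP flag is SYN: an unanswered probe."""
    return sorted(k for k, r in records.items() if r["flags"] == TCP_SYN)


# Constructed traffic: one bulk HTTPS transfer followed by a three-port SYN scan.
BULK = [build_frame("10.0.0.5", "203.0.113.10", PROTO_TCP, 51000, 443, 1400)
        for _ in range(21)]
SCAN = [build_frame("10.0.0.99", "10.0.0.20", PROTO_TCP, 40000 + i, port, 0, tcp_flags=TCP_SYN)
        for i, port in enumerate((22, 23, 3389))]
TRAFFIC = BULK + SCAN

if __name__ == "__main__":
    full = flow_records(TRAFFIC)
    sampled = flow_records(TRAFFIC, sample_every=10)
    print("full capture:  %d flows, SYN-only probes: %d" % (len(full), len(syn_only_flows(full))))
    print("1-in-10 sample: %d flows, SYN-only probes: %d" % (len(sampled), len(syn_only_flows(sampled))))
```

The full capture yields four flows, three of them single-packet SYN probes. The 1-in-10 sample still produces a usable statistic for the bulk transfer (three packets observed, so its volume can be scaled up), but all three probes fall between sample points and vanish; if only the sampled records were stored, there would be nothing to retrieve when the scan is investigated later.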
Until recently, the network and datacenter were relatively static and engineered. You knew where traffic was flowing, and the strategic placement of security appliances would ensure visibility into the right traffic and the right response at the right time. But, what happens when the data center becomes automated and software-programmable, and you cannot rely on when and where network flows are instantiated?
While some of the physical security appliances for perimeter protection will remain to protect all traffic entering and leaving the datacenter, internally, it becomes more difficult to determine when, or even if, security appliances are deployed. Virtual security appliances and other virtual security software become essential. The challenge is in ensuring that the right security functions can be dynamically deployed in the right places at the right time to ensure continuous visibility into critical data flows.
But, that is not the only challenge. Another challenge is ensuring that these virtual security software solutions have the necessary capacity to assure network security without consuming an inordinate amount of precious datacenter resources that otherwise could be generating revenue or supporting critical business processes.
It is these challenges that reconfigurable computing can address. The power that FPGA-based reconfigurable computing solutions bring is the combination of acceleration through workload parallelism and the ability to reconfigure on the fly. As we saw in part 1, physical security appliance performance can be accelerated by processing the data path in the FPGA. A similar benefit can be achieved in virtual environments when the server hosting virtual security functions is based on a reconfigurable computing platform. For data-path functions, performance improvements of several orders of magnitude over standard server platforms have been reported.
The ability to reconfigure on the fly allows the right security function to be deployed where it is required as traffic flows change, while acceleration of workloads ensures that a minimum of precious datacenter resources is spent on monitoring and security functions.
The physical security appliances and their virtual counterparts also stand to benefit from compute offload with acceleration-on-demand. The two main FPGA chip vendors, Intel and Xilinx (now part of AMD), both have extensive ecosystems of FPGA functionality providers that focus on accelerating specific functions such as encryption, compression, regular expression searches and many more.
Normally, these “Intellectual Property (IP) blocks,” as they are called, are sold to developers of FPGA solutions who, rather than developing the entire solution from scratch, source IP blocks for specific function needs. Now, these same IP blocks can be “dropped in” to the FPGA on demand to accelerate a specific function. What is required is a partial reconfiguration framework on the FPGA that allows IP blocks to be added and taken away on the fly without affecting the rest of the functionality on the FPGA.
Solutions exist today to make this possible, but work is ongoing to refine the partial reconfiguration frameworks from the FPGA chip vendors so that any user, not just an FPGA expert, can drop in IP blocks. Because a dropped-in block executes directly on the data path, such a framework also has to authenticate the partial bitstreams it loads and keep partitions isolated from one another; otherwise the acceleration mechanism becomes a supply-chain risk in its own right.
What this enables, from a security perspective, is the ability to accelerate security functions when more data than normal must be processed. For example, a CPU core running a cipher in software, without hardware instruction support, may encrypt or decrypt at around 1 Gbps (a modern core with AES-NI sustains considerably more for AES, but the same arithmetic applies at higher line rates). At that rate, encrypting 40 Gbps consumes 40 cores, roughly an entire server, on the cipher alone. By offloading the bulk encryption to an FPGA, those cores are freed for other work; the CPU retains only key management and control. All that is required is an FPGA card with support for partial reconfiguration and an encryption IP block to load into it.
Another example is offloading Regular Expression (RegEx) matching to accelerate pattern matching in IDS/IPS engines such as Snort or Suricata. These engines first run a fast multi-pattern search over each payload to find the rules whose literal content appears, and only then evaluate the full regular expressions of those candidate rules; that search and verification stage is the work an FPGA offload takes on.
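As an added example (not Snort or Suricata code, and not from the original article), the following Python shows the two-stage structure: an Aho-Corasick multi-literal prefilter finds, in one pass over the payload, which rules' content strings occur, and the rules' regular expressions run only for those candidates. The rules, SIDs and payloads are constructed for the illustration; lower-casing both contents and payload stands in for a nocase modifier.

```python
"""Two-stage IDS pattern matching: literal prefilter, then regex verification.
Added example with constructed rules and payloads; not Snort or Suricata code."""
import re
from collections import deque


class AhoCorasick:
    """Multi-pattern literal matcher: one linear scan reports every pattern present."""

    def __init__(self, patterns):
        self.goto, self.out, self.fail = [{}], [set()], [0]
        for idx, pat in enumerate(patterns):
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].add(idx)
        # Breadth-first construction of failure links; depth-1 nodes fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                self.out[nxt] |= self.out[self.fail[nxt]]
                queue.append(nxt)

    def search(self, data):
        """Return the set of pattern indices occurring anywhere in data."""
        node, found = 0, set()
        for b in data:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            found |= self.out[node]
        return found


# Constructed rules in the spirit of Snort/Suricata: a literal 'content' for the
# prefilter and a 'pcre' that confirms the match. SIDs are made up.
RULES = [
    {"sid": 1000001, "msg": "Shellshock-style function definition in header",
     "content": b"() {", "pcre": re.compile(rb"\(\)\s*\{[^}]*\};\s*[A-Za-z/]")},
    {"sid": 1000002, "msg": "Upload of PHP file", "content": b"filename=",
     "pcre": re.compile(rb"filename=\"[^\"]+\.ph(p|tml|ar)\"", re.I)},
    {"sid": 1000003, "msg": "SQLi UNION SELECT", "content": b"UNION",
     "pcre": re.compile(rb"UNION\s+(ALL\s+)?SELECT", re.I)},
]
PREFILTER = AhoCorasick([r["content"].lower() for r in RULES])


def match_rules(payload):
    """Stage 1: prefilter selects candidate rules. Stage 2: only their regexes run.
    Returns (list of SIDs that fired, number of regexes evaluated)."""
    candidates = PREFILTER.search(payload.lower())
    fired = [RULES[i]["sid"] for i in sorted(candidates) if RULES[i]["pcre"].search(payload)]
    return fired, len(candidates)


# Constructed payloads: three hits, one benign request, one prefilter-only near miss.
PAYLOADS = {
    "shellshock": b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /bin/bash -c 'id'\r\n\r\n",
    "php_upload": b"Content-Disposition: form-data; name=\"f\"; filename=\"shell.PHP\"\r\n",
    "sqli": b"POST /search HTTP/1.1\r\n\r\nq=x' UNION ALL SELECT username,password FROM users--",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "trade_union": b"GET /docs/trade-union-history.html HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        fired, evaluated = match_rules(payload)
        print("%-12s regexes evaluated: %d  fired: %s" % (name, evaluated, fired))
```

The prefilter is what decides how much expensive work reaches the regex stage: the benign request evaluates no regexes at all, and the trade-union page costs exactly one regex evaluation that then fails. In production engines the prefilter runs on every byte of every payload, which is why it is the first candidate for hardware offload.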
From the above, it is clear that reconfigurable computing platforms have a great deal to offer in enabling faster, more powerful and more responsive cyber security solutions, both now and in the future.
About the Author: Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.