Enterprise security teams today are facing challenges on multiple fronts. The number of security breaches is increasing, which means the number of security alerts to be examined each day is increasing. The attacks are becoming more sophisticated and multi-dimensional. The number of cybersecurity solutions available continues to grow, which requires time and effort to understand. The amount of data in the network is snowballing, which means the cybersecurity infrastructure needs to be constantly updated to keep up. What’s worse is that all this is happening in the midst of new networking paradigms related to cloud, virtualization and software-defined data centers.
Meeting these challenges requires new solutions and frameworks that can address three major issues: providing more intelligent and predictive cybersecurity, enabling faster response and resolution of security alerts, and providing smarter, more powerful products that can deliver the level of detail required to make the entire solution work. In tackling these issues, the emerging concept of reconfigurable computing can play a significant role.
The current approach to cybersecurity, based on security appliances installed at critical points in the network with an overemphasis on threat prevention, is being called into question. It simply isn’t enough and needs to be complemented not only with threat detection solutions that catch breaches which have circumvented the prevention layer, but also with more intelligent cybersecurity solutions that can correlate information from multiple sources, quickly filter out the noise and prioritize the right security alerts on which to focus.
What is equally important is the ability to quickly resolve a security incident with access to all the details required to make a fast assessment. With the number of attacks and security alerts increasing, it is important that security incidents are analyzed and resolved as quickly as possible. To do this effectively, the right forensic tools need to be available that can quickly retrieve detailed information on what exactly occurred at the time of the security alert.
Today, a trade-off needs to be made between the quality and granularity of information available and the resources required to provide that information. This is especially true of network data. It is an issue related to the power and capacity of cybersecurity solutions in the face of growing data rates and volumes, but also the networking resources consumed by continuously monitoring network activity.
Reconfigurable computing solutions can contribute to addressing these challenges in a number of ways. A reconfigurable computing platform is a combination of a standard server and FPGA technology. The FPGA provides a powerful complement to the server CPU and is ideal for accelerating workloads that can be parallelized. In addition, FPGAs can be reconfigured on the fly to support new capabilities and even completely different applications as the functionality of the FPGA is defined by a software image that is downloaded to the FPGA. This makes the FPGA extremely versatile in addressing multiple needs.
In addressing the major needs for more intelligent cybersecurity solutions, faster response and more powerful appliances, reconfigurable computing platforms provide specific advantages.
Let’s start with more powerful appliances first, as this is the most common application of reconfigurable computing technology today. Several security appliances take advantage of FPGA Smart NICs in standard servers, which is what we refer to as a reconfigurable computing platform, to accelerate data plane processing. This ensures that the security appliance can keep up with growing data speeds and volumes, and the advantage of FPGA technology is that it can be reconfigured when required to support new speed rates and new capabilities through remote software updates.
Because FPGA technology has the capacity and power to keep up with high-speed networks, it is also possible to perform full packet capture of all network traffic and provide that for analysis. Normally, this is provided in real time, but since this can be a lot of data, only some of which might be relevant, it is not always the best approach. Two options are then available: the FPGA-based Smart NIC can instead provide sampled flow records, such as NetFlow or IPFIX, reducing the amount of information to be transported and analyzed, or the packet data can be recorded directly to disk and stored for analysis on demand.
The advantage of the flow record approach is that the sample rate can be adjusted, so that records can be based on examining every packet rather than one in every 100. This gives the security team a level of control that allows finer detail when required.
With a combination of sampled flow records and the ability to retrieve specific recorded packets on demand for deeper forensic analysis, the security team can get the details they require, when they require them, to resolve incidents quickly. What’s more, they can control the amount of networking resources needed to do it.
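The flow-record and retrieve-on-demand workflow described above, as an added illustrative example that is not from the article or from any vendor's product: a small Python model in which NetFlow/IPFIX-style flow records are built from a constructed packet list at a configurable sample rate, and a packet store indexed by 5-tuple returns the packets behind one flow on demand. The packet list, the `Packet` and `FlowRecord` types, the `PacketStore` class and the 1-in-N count-based sampling are all assumptions made for this example; a real Smart NIC would do the aggregation in hardware and write the packets to disk.

```python
"""Added example (not from the original article): sampled flow records with an
adjustable sample rate, plus a flow-indexed packet store for on-demand forensics.
All traffic below is constructed inline for the demonstration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int


@dataclass
class FlowRecord:
    """Assumed NetFlow/IPFIX-style summary of one 5-tuple."""
    first_seen: float
    last_seen: float
    packets: int = 0       # packets actually examined by the sampler
    octets: int = 0
    sample_rate: int = 1

    @property
    def estimated_packets(self) -> int:
        # Count-based sampling: scale the observed count back up (an estimate).
        return self.packets * self.sample_rate


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto)


def build_flow_records(packets: List[Packet], sample_rate: int = 1) -> Dict[FlowKey, FlowRecord]:
    """Aggregate packets into flow records. sample_rate=1 examines every packet;
    sample_rate=N examines one packet in every N (deterministic count-based sampling)."""
    if sample_rate < 1:
        raise ValueError("sample_rate must be >= 1")
    records: Dict[FlowKey, FlowRecord] = {}
    for i, p in enumerate(packets):
        if i % sample_rate:                      # skip all but 1-in-N packets
            continue
        key = flow_key(p)
        rec = records.get(key)
        if rec is None:
            rec = records[key] = FlowRecord(p.ts, p.ts, sample_rate=sample_rate)
        rec.packets += 1
        rec.octets += p.length
        rec.last_seen = p.ts
    return records


class PacketStore:
    """Stand-in for capture-to-disk: keeps every packet plus an index from flow
    key to packet positions, so the packets behind one suspicious flow record can
    be pulled without replaying the whole capture."""

    def __init__(self) -> None:
        self._packets: List[Packet] = []
        self._index: Dict[FlowKey, List[int]] = defaultdict(list)

    def record(self, p: Packet) -> None:
        self._index[flow_key(p)].append(len(self._packets))
        self._packets.append(p)

    def retrieve(self, key: FlowKey, since: Optional[float] = None,
                 until: Optional[float] = None) -> List[Packet]:
        out = []
        for i in self._index.get(key, []):
            p = self._packets[i]
            if since is not None and p.ts < since:
                continue
            if until is not None and p.ts > until:
                continue
            out.append(p)
        return out


# Constructed flows: one long transfer and one three-packet flow (both hypothetical).
LONG_FLOW: FlowKey = ("10.0.0.5", "10.0.0.9", 51000, 443, "tcp")
SHORT_FLOW: FlowKey = ("10.0.0.7", "203.0.113.20", 40001, 8443, "tcp")


def constructed_traffic() -> List[Packet]:
    pkts = [Packet(100.0 + i * 0.01, *LONG_FLOW, 1400) for i in range(200)]
    # Splice the short flow in at positions that 1-in-100 sampling never lands on.
    for pos, ts in ((37, 100.37), (113, 101.12), (177, 101.75)):
        pkts.insert(pos, Packet(ts, *SHORT_FLOW, 60))
    return pkts


def sampling_comparison(packets: List[Packet], sample_rate: int = 100) -> dict:
    """Show what 1-in-N sampling keeps and loses compared with examining every packet."""
    full = build_flow_records(packets, 1)
    sampled = build_flow_records(packets, sample_rate)
    return {
        "flows_seen_full": len(full),
        "flows_seen_sampled": len(sampled),
        "long_flow_estimate": sampled[LONG_FLOW].estimated_packets,
        "short_flow_seen_sampled": SHORT_FLOW in sampled,
    }


def forensic_pull(packets: List[Packet], key: FlowKey, since: Optional[float] = None,
                  until: Optional[float] = None) -> List[Packet]:
    """Record everything, then retrieve only the packets behind one flow record."""
    store = PacketStore()
    for p in packets:
        store.record(p)
    return store.retrieve(key, since, until)


if __name__ == "__main__":
    traffic = constructed_traffic()
    print(sampling_comparison(traffic))
    print(len(forensic_pull(traffic, SHORT_FLOW, since=101.0)), "packets pulled")
```

At 1-in-100 sampling the three-packet flow never appears in the records at all, and the long flow's packet count is only an estimate; switching the sampler to examine every packet restores the exact counts, and the indexed store lets the analyst pull just those three packets (optionally bounded by time) rather than the whole capture.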
So, now we have seen examples of how reconfigurable computing solutions can be used to provide more powerful solutions and faster response to security incidents. But, what about more intelligent solutions?
In part 2, we will take a look at the latest thinking around how cybersecurity solutions can be made more intelligent, helping the beleaguered security team to focus on the right incidents and how reconfigurable computing is essential to making this a reality.