Leverage Big Data to Get Rid of Network Attackers
Jul 21, 2015 7:00 AM PT
Fifty-five percent of respondents to a SANS Institute survey said that up to 30 percent of their firms' security incidents this year should have been detected by perimeter security measures but were not.
The truth is that today's attackers have become skilled at bypassing conventional defenses, which can no longer be counted on to protect enterprise networks on their own. While still necessary, these tools now need to be bolstered by defensive strategies that are closely aligned with the techniques attackers actually use once they are past the perimeter.
Protection From the Inside Out
Various terms have been applied to the concept, but at a basic level, organizations need to stop looking only at the edge of their network and start examining what is going on inside it, where compromised hosts and malicious insiders actually operate, in order to protect their critical assets and data.
Attackers infiltrate today's networks with little difficulty, and malicious attacks take, on average, 80 days to discover and 123 days to resolve, according to the Ponemon Institute. That timeline is far too long if confidential and proprietary data is to be kept out of attackers' hands.
Tools like SIEM and full packet capture provide slices of visibility into the network, but their scope is limited: a SIEM sees only what is logged and forwarded to it, and packet capture produces so much data that storing and retaining it across a whole enterprise is time-consuming and cost-prohibitive.
The best way to obtain comprehensive network visibility is by leveraging existing resources -- or, as Cisco calls it, using your "Network as a Sensor."
Routers, switches, firewalls and other network infrastructure devices can already report on every conversation they forward by exporting flow records: Cisco's "NetFlow," the IETF-standardized IPFIX derived from it, vendor variants such as J-Flow, and the sampling-based sFlow alternative. A flow record is metadata rather than packet content: source and destination addresses, ports, protocol, byte and packet counts, timestamps and TCP flags for each conversation. Organizations can unlock that data by enabling flow export on their devices, pointing it at a collector, and then analyzing the records with a flow monitoring tool.
From Big Data to Actionable Intelligence
When fully leveraged, NetFlow data can reveal countless valuable details about your network assets and behavior -- who is talking to whom, over which ports and protocols, how much data moved and when, and which devices and applications are in use.
It's essentially big data for your network. This data can be used to build a baseline of normal network communications, and then to reveal when something deviates from that baseline. Having this type of in-depth insight into your daily network goings-on is critical for effective threat detection, incident response and post-incident forensic investigations.
Beyond providing visibility, some flow-monitoring tools can distill this plethora of data into streamlined intelligence, finding the security "needle in the haystack," and automatically alarming on significant events that may indicate a threat.
This is a concept known as "security analytics," or "context-aware security analytics" for tools that also pull in supplemental data such as user identity, security policies, device specifications, known threats and so on.
Context-aware security analytics combine these sources of data, run the data through algorithms and compare it to historical network traffic trends to trigger more accurate alarms. The aim is to turn big data into actionable intelligence with far fewer false positives than simple threshold-based tools produce.
Armed with this intelligence, organizations can fend off network attacks more effectively, whether they involve malware, APTs, insider threats or DDoS attempts. Each of these leaves a footprint in network traffic -- command-and-control beacons, lateral movement, bulk data transfers or floods of connections -- that flow records can expose.
For example, perhaps an insider is trying repeatedly to access restricted segments of your network. Or maybe unusually large amounts of data are leaving your network, or an internal host is communicating with a suspicious IP address abroad. An effective network visibility and security analytics tool can pick up these behaviors and alert administrators to investigate further. Keep in mind that flow data tells you that a conversation happened, between whom and how large it was, not what was in it, so such an alert is the starting point of an investigation rather than its conclusion.
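To make the baseline-and-deviation idea concrete, here is an added example in Python; it is not code from the original article or from any vendor's flow-monitoring product. It assumes a collector has already written flow records out as CSV (the constructed records below mimic NetFlow v5 fields: day, source, destination, protocol, destination port, packets, bytes and the flow's cumulative TCP flags) and implements the three behaviors just described: a host sending far more data out than its own history predicts, an insider repeatedly probing a restricted segment, and contact with a known-bad address supplied as context from a threat feed. The internal range, the restricted subnet, the bad address and the thresholds are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection over NetFlow-style flow records.

Added example for this article; not code from the original page or from any
vendor product. All flow records are constructed and mimic the fields a
NetFlow v5/v9 or IPFIX collector exports:
day, src, dst, proto, dport, packets, bytes, cumulative TCP flags (hex).
"""
import ipaddress
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed enterprise range
RESTRICTED = ipaddress.ip_network("10.0.50.0/24")    # assumed restricted segment
KNOWN_BAD = {ipaddress.ip_address("203.0.113.7")}    # assumed threat-feed entry


@dataclass(frozen=True)
class Flow:
    day: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: int
    packets: int
    nbytes: int
    flags: int  # OR of all TCP flags seen in the flow, as NetFlow v5 exports it


def parse_flows(text):
    """Parse CSV flow records; blank lines and '#' lines are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        day, src, dst, proto, dport, pkts, nbytes, flags = line.split(",")
        flows.append(Flow(int(day), ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          int(proto), int(dport), int(pkts), int(nbytes), int(flags, 16)))
    return flows


def outbound_bytes_per_day(flows):
    """Map internal host -> {day: bytes sent to external destinations}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.src in INTERNAL and f.dst not in INTERNAL:
            totals[f.src][f.day] += f.nbytes
    return totals


def detect_exfil(history, today, sigma=3.0, min_days=3):
    """Flag hosts whose outbound volume today exceeds mean + sigma*stdev of their
    own daily history. A host with too little history is reported as such, so a
    brand-new external talker is never silently ignored."""
    base = outbound_bytes_per_day(history)
    now = outbound_bytes_per_day(today)
    alerts = []
    for host, per_day in now.items():
        sent = sum(per_day.values())
        sample = list(base.get(host, {}).values())
        if len(sample) < min_days:
            alerts.append((host, "no baseline", sent))
            continue
        mean, sd = statistics.mean(sample), statistics.pstdev(sample)
        if sent > mean + sigma * max(sd, 1):  # max() guards a zero-variance baseline
            alerts.append((host, "outbound volume", sent))
    return alerts


def detect_probing(today, threshold=5):
    """Flag internal hosts with repeated SYN-only flows into the restricted segment.
    A completed TCP connection ORs ACK/PSH/FIN into the flow's flags, so flags
    equal to exactly 0x02 means the attempt was refused or dropped."""
    attempts = Counter()
    for f in today:
        if f.proto == 6 and f.src in INTERNAL and f.dst in RESTRICTED and f.flags == 0x02:
            attempts[f.src] += 1
    return [(h, "restricted segment probing", n) for h, n in attempts.items() if n >= threshold]


def detect_bad_peers(today):
    """Context from a threat feed: any internal host talking to a known-bad address."""
    volume = Counter()
    for f in today:
        if f.src in INTERNAL and f.dst in KNOWN_BAD:
            volume[(f.src, f.dst)] += f.nbytes
    return [(src, f"contact with known-bad {dst}", b) for (src, dst), b in volume.items()]


def run_detections(history, today):
    return detect_exfil(history, today) + detect_probing(today) + detect_bad_peers(today)


# Constructed five-day history: .20 sends ~5 MB/day and .21 ~2 MB/day to a SaaS host.
HISTORY = parse_flows("\n".join(
    f"{d},10.0.1.20,198.51.100.10,6,443,4000,{5_000_000 + d * 100_000},1b\n"
    f"{d},10.0.1.21,198.51.100.10,6,443,1500,{2_000_000 + d * 50_000},1b"
    for d in range(1, 6)))

# Constructed records for day 6: .20 bulk-uploads, .21 beacons to the bad
# address, .30 knocks on closed ports in the restricted segment.
TODAY = parse_flows("""
# day,src,dst,proto,dport,packets,bytes,flags
6,10.0.1.20,198.51.100.10,6,443,4100,5100000,1b
6,10.0.1.20,192.0.2.44,6,443,600000,894900000,1b
6,10.0.1.21,198.51.100.10,6,443,1500,2100000,1b
6,10.0.1.21,203.0.113.7,6,8443,30,40000,1b
6,10.0.1.30,10.0.50.11,6,22,1,60,02
6,10.0.1.30,10.0.50.11,6,445,1,60,02
6,10.0.1.30,10.0.50.12,6,22,1,60,02
6,10.0.1.30,10.0.50.12,6,3389,1,60,02
6,10.0.1.30,10.0.50.13,6,22,1,60,02
6,10.0.1.30,10.0.50.14,6,1433,1,60,02
""")

if __name__ == "__main__":
    for host, reason, value in run_detections(HISTORY, TODAY):
        print(f"ALERT {host}: {reason} ({value})")
```

Two design points matter more than the particular numbers. The exfiltration check compares each host with its own history rather than with a global threshold, because a backup server's normal outbound volume would drown a workstation's anomaly; the probing check relies on NetFlow v5's cumulative tcp_flags field, which is why a flow carrying nothing but SYN is a reliable sign of a refused or filtered connection. Neither check tells you what was in the traffic, so each alert is a lead for packet capture or host forensics, not a verdict.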
Security Analytics for Automated Incident Response
In addition to detecting attacks more accurately, security analytics can save IT teams countless hours of manual investigation otherwise spent stitching together the details of an attack from a variety of point solutions. The incident response process thus becomes more automated and efficient, thwarting attacks before they turn into the large-scale data breaches that make headlines.
"Security analytics is becoming the primary defensive tool we have for discovering when breaches have occurred and shutting them down before massive damage is inflicted," said Richard Stiennon, chief research analyst for IT-Harvest. "The breaches at Target and Sony are great examples of what can happen to organizations that don't do this."
Many recently breached organizations have hired a third party to come in after the fact and clean things up. That approach is far from ideal because, well, the organization already has been breached, and outside incident responders arrive knowing nothing about its environment -- they spend countless hours and dollars reconstructing what normal looked like before they can figure out what happened.
On the flip side, if an organization regularly monitors and analyzes its own network data with the right tools, its security team is far better equipped to pinpoint and stop an attack while it is happening, avoiding the disastrous results and costs associated with a breach.
No matter what you call it, the intelligent use of network data will become even more critical for security as organizations dive into new infrastructure projects, such as cloud, SDN, IoT and BYOD. By enabling your network to be a security sensor, you can continue to detect a wide range of attack types, regardless of how your architecture evolves.