Analysts in the Security operations (SecOps)departments of large organisations are being confronted by new multi-vectored threats that are more serious than ever. During the last two years, it has become clear that no organisation is immune to data loss through malicious security breaches. According to Verizon’s 2012 Data Breach Investigation Report, for example, of 855 incidents researched, 174 million customer records were compromised.
It’s no wonder that SecOps teams are being asked to chase more alarms as organisations scurry to invest in additional tools to battle malware and data theft. After all, most attacks are now motivated by profit and political gain rather than out of sport or to create mischief. IT needs to adjust its attitude from a reactive, putting-out-fires mode to a proactive stance toward quick response and resolution of issues and finding root causes and eradicating them for good.
The most security-aware organisations have determined that the only way to accomplish this is to add a new category of tool; specifically, a comprehensive intelligent network recording (INR) fabric. An INR fabric overlays the physical switched network and monitors and records, in a searchable format, 100 per cent of packets with 100 per cent accuracy. This approach gives analysts the data they require to quickly and successfully investigate, contain and establish the root cause of security events.
Most monitoring tools installed today, while useful, supply clues to bad packet behaviour that could be erroneous or misleading. This results in guesswork and, often, lengthy mean and maximum times to mitigate and resolve, during which enterprises lose data, productivity and money. The tools also fall short because they deliver summaries and averages of network behaviour based on packet sampling, not the complete picture.
Today’s attack types
Today’s malicious attacks on large organisations have been designed to destroy, disrupt or steal corporate assets, and most attacks are focused on services hosted within corporate data centres where they are most difficult to investigate because of the vast numbers of data flows.
These attacks are exposing not only the dependency that organisations have on their networks for business continuity, but also the shortcomings of the tools that organisations rely on. And today’s growing emphasis on virtualisation means that many of the physical ports IT once relied on for data gathering are vanishing. Instead, the only source of data is packets on the wire.
As noted, the nature of cybercrime has shifted from mischief to hacking for monetary profit or political advantage. As a result, new types of attacks have cropped up that circumvent traditional firewalls, intrusion detection / prevention systems, unified threat management (UTM) systems and antivirus software. SecOps staffs are already overwhelmed trying to battle the known problems as they continually chase alarms, some of which turn out to be false positives wasting time.
Organisations at the forefront of security have recognised these issues and are beginning to change their investment profiles to include INR packet-recording and search tools that help analysts find and respond to problems fast and reduce the impact of a real security breach through an effective containment strategy.
Where existing tools fall short
Today’s daily global threats challenge today’s intrusion prevention and detection devices. Most traditional security tools face two major barriers to pinpointing malicious attacks:
- Packet loss on the ingress ports
In the case of a DDoS attack, traditional appliances are overloaded. The result is the loss of packets - packets that might have contained a piece of information critical to mitigation.
- Performance exhaustion during data analysis
If threat and detection appliances are able to capture the target data, they often stall when trying to rapidly finesse a large amount of data into something useful to analysts. Attacks typically throw 50Gb /sec or more at networks, resulting in machines slowing or crashing, thus losing data that is key to addressing the threat.
These issues can leave network and SecOps teams vulnerable. Yet most security teams today continue to focus their investment on technologies that help them to prevent and detect network security problems.
SecOps challenges and best practices
A day in the life of most analysts involves investigating a laundry list of security events to establish whether the event is real and what the risk is to the business. The major challenges faced by SecOps teams include the sheer volume of events, the slow time to visibility and the lack of useable information.
However, the real challenge here is that organisations with many prevention and detection tools might actually expose themselves to greater risk, because they lack the available operational resources to investigate the sheer number of events necessary to maintain an acceptable level of event coverage.
For organisations most at risk from attack (such as web giants, financial institutions and gaming companies), recent history has prompted them to re-think their investment profile to include a greater level of investment in response and root cause capabilities.
Quick response and root cause determination
Included in this much needed response and root cause toolkit is a fabric of INR appliances that continuously capture, index and record network traffic at strategic points across the data centre. Organisations typically deploy appliances in the demilitarised zone (DMZ) and at all internet gateways to ensure that all of the traffic coming into and leaving the network is recorded.
Not only is the ability to record 100 per cent of traffic at actual line rates (1, 10 or 40 Gb /sec) critical to effective response and root cause, but the ability to search the recorded traffic quickly and efficiently is equally important.
Searching through terabytes of network traffic requires a special graphical search engine that enables users to start out with a high-level view of the network and zoom in to the exact traffic that they need to determine what happened. To be effective, the search engine must be able to search multiple appliances simultaneously, correlate data and provide a rapid response to complex queries based on a wide range of filters including application classification.
Conquering false negatives
Successful breaches where real data gets out into the public domain are extremely serious and can have profound impact on how customers and prospects feel about an organisation. In the worst situations, billions of pounds can be wiped off a company’s share price or bottom line, but the problem with detection is that it’s an imprecise science.
Detection tools can only trigger on events that are known, which is their biggest weakness. In a zero-day attack or in the case of an advanced persistent threat (APT) , there is no signature, so there’s no way to detect a problem that’s leaving organisations exposed until they receive updated signatures from their respective security vendors.
An INR fabric provides the ability to go back in time and mine network history in response to a breach, regardless of whom by or how it was discovered and buys the organisation time to manage the situation.
Conclusions
INR is gaining momentum and is advocated by industry experts, such as Richard Stiennon (a leading security consultant), who advises companies to record as much of their network traffic as possible to help with network security forensics1.
At the core of the INR fabric value proposition is the ability to improve analysts’ productivity and throughput by streamlining their workflows. By investigating more events in the same amount of time, organisations also improve their overall security posture through better coverage.
And of course, in the event that the worst does happen, INR gives organisations the ability to react quickly and reduce the impact, essentially offering a degree of insurance against network security breaches.
