Fending off the modern day barbarians

Napatech : 20 July, 2016  (Special Report)
Dan Joe Barry of Napatech uses the analogy of Hadrian's Wall to illustrate existing approaches to network security and how to take a more modern stance

Until recently, the common thinking was that the best way to keep a network secure was a strong prevention strategy. The thought process went like this: attacks could be deflected by defense in depth and multiple layers of security. However, both recent and ancient history reveal that this strategy is too narrow to be effective. Hadrian’s Wall provides some insight on this point.

Why Hadrian Built His Wall

The Roman emperor Hadrian got tired of the barbarian unrest in the British Isles and ordered the construction of an 80-mile wall that stretched from coast to coast across what is now northern England. The wall had turrets so soldiers could be on the look-out and ditches on either side, as well as a fortlet at every mile and a full-sized fort every five miles.

But here’s what’s interesting about Hadrian’s Wall: scholars believe that it wasn’t designed to prevent invasion or large-scale migration. It was just too long and would have required too many troops at too great a cost just for defensive purposes. Though it could certainly slow an attacking army down, its main purpose seems to have been to keep out the smaller-scale threats: sneaky smugglers, thieves and traders hoping to avoid paying customs on their goods.

Network security faces a similar threat today. Cyber criminals use sophisticated tactics to sneak across the border undetected, and there aren’t enough guards to patrol the entire perimeter. As a result, security defensive measures are being surmounted every day – we just don’t always know it.

Beyond Turrets: Advanced Threat Detection

One of the biggest security issues today is the “smugglers and thieves” trying to get past the wall without notice. In today’s security environment, though, these threats can come from either side of the border: inside or outside the network. With the advent of Bring Your Own Device (BYOD), larger-capacity USB storage devices and malicious behavior by employees, the internal network has become vulnerable to attacks from within.

New types of solutions, referred to as “Advanced Threat Detection,” are rising to the challenge posed by the combination of zero-day threats and attacks from within the internal network. These security detection solutions focus on detecting anomalous behavior in the network itself so that potential threats can be identified and dealt with before they cause damage. They are not a replacement for security prevention, but a complement. Both preventive and detective solutions are needed to counteract attacks, and the information gathered by both can also be used in retrospective analysis to determine whether any further measures need to be taken and to learn from experience.

All this data, including monitoring logs and NetFlow information, is important, but so is real-time packet capture and analysis, as well as recording of captured packet data for near-real-time and post-event analysis. By analyzing data traffic, it is possible to build a profile of normal network behavior that can then be compared against real-time or recorded data to detect whether something out of the ordinary is occurring.

Barbarians Slipping Through the Gates

Information from security prevention solutions can be compared against a detection alert of potentially malicious behavior to assess whether an attack is underway. Conversely, detection data can be used to validate a threat alert from a security prevention solution that could be a “false positive.” In either case, there is great value in using this information to verify what is actually happening.

The Ponemon Institute’s report, “The Cost of Malware Containment,” estimated that in a typical week, an organization can receive up to 17,000 malware alerts. There are not enough resources to respond to each of these alerts, and the cost of responding is also significant. The average cost of time wasted responding to inaccurate and erroneous intelligence was estimated by Ponemon Institute to be up to $1.27 million annually for a typical organization.

Whether due to alarm fatigue or lack of centurions, only four percent of all malware alerts are investigated. The Ponemon Institute also found that prevention tools miss 40 percent of malware infections in a typical week. The longer this goes undetected, the larger the potential risk of a breach. This is the unguarded section of the security wall that many attackers exploit.

In order to deal with all these alerts, organizations need automated tools that can correlate information from multiple sources to determine the real situation, and that have the capacity to examine each and every alert. This requires big data analysis, machine learning and artificial intelligence solutions.
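As an added example (not code from the article or from Napatech), the following script shows the two ideas above in miniature: a per-host baseline is learned from constructed NetFlow-style volume records, a live interval is scored against it, and the resulting anomalies are cross-checked against constructed alerts from a hypothetical prevention tool to decide which alerts are confirmed, which were missed by prevention, and which look like false positives. All hosts, volumes and alert strings are made up.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records: (host, interval, bytes_out) for a
# learning window of five intervals per host (all values are made up).
def _rows(host, volumes):
    return [(host, i, b) for i, b in enumerate(volumes)]

BASELINE = (_rows("10.0.0.5", [1200, 1500, 1100, 1400, 1300])
            + _rows("10.0.0.9", [800, 900, 850, 870, 820])
            + _rows("10.0.0.12", [500, 520, 510, 490, 480]))
# Constructed live window (interval 5) to be scored against the baseline.
LIVE = [("10.0.0.5", 5, 1350), ("10.0.0.9", 5, 48000), ("10.0.0.12", 5, 9000)]
# Constructed alerts from a hypothetical prevention tool, keyed by host.
PREVENTION_ALERTS = {"10.0.0.5": "AV: download blocked",
                     "10.0.0.12": "IDS: known-bad signature"}

def build_profile(records):
    """Per-host mean and population stdev of bytes per interval."""
    per_host = defaultdict(list)
    for host, _, nbytes in records:
        per_host[host].append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def detect_anomalies(profile, live, z_threshold=3.0):
    """Return {host: z-score} for live intervals deviating > z_threshold sigmas."""
    flagged = {}
    for host, _, nbytes in live:
        mean, sd = profile[host]
        z = (nbytes - mean) / (sd or 1.0)  # flat baseline: avoid divide-by-zero
        if abs(z) > z_threshold:
            flagged[host] = round(z, 1)
    return flagged

def correlate(anomalies, prevention_alerts):
    """Cross-check detection anomalies against prevention alerts, per host."""
    verdicts = {}
    for host in set(anomalies) | set(prevention_alerts):
        if host in anomalies and host in prevention_alerts:
            verdicts[host] = "confirmed: both sources agree"
        elif host in anomalies:
            verdicts[host] = "investigate: anomaly missed by prevention"
        else:
            verdicts[host] = "low priority: possible false positive"
    return verdicts

if __name__ == "__main__":
    print(correlate(detect_anomalies(build_profile(BASELINE), LIVE), PREVENTION_ALERTS))
```

In a real deployment the baseline would be learned over many days and per service, not per host alone, and the z-score would be one of several features rather than the sole signal.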

The benefit of automated tools is that they combine intelligence from prevention and detection solutions into a single security capability that increases your success rate in detecting and preventing a breach, while also making better use of your time-strapped security staff.

A Modern Plan for Preventing and Detecting Attacks

Clearly, a long and semi-fortified wall is not sufficient as the sole source of security. The Hadrian’s Wall mentality lulls us into the false belief that we are safe. But, as we have seen above, these defenses are breached every day, to an extent that security professionals can’t keep up.

Continuous monitoring and analysis lie at the heart of advanced threat detection solutions, not just of logs and NetFlow data but of packets themselves. Packet capture and network traffic analysis are therefore the very foundation that supports security detection solutions. Ensuring that you have an efficient and reliable security detection infrastructure is therefore paramount.

What should an effective security detection infrastructure be able to do? Here are a few suggestions:

1. Capture all traffic at all times without losing any data. This requires solutions with the capacity and speed to handle full theoretical throughput, not just to keep up, but also to avoid being overwhelmed by data deluges, which can be instigated as part of an orchestrated attack.

2. Analyze that data in real time, but also in near real time and forensically. This requires the ability to capture data reliably to disk and storage at full line rate without losing any data, so that a reliable forensic analysis can be performed after the fact.

3. Retain the ability to go back and understand when and where a breach occurred. This is fundamental, since over 70 percent of breaches are detected by someone outside the organization after an average of 250 days. It requires the ability to replay what happened on the network exactly as it happened. You might think this an expensive insurance policy, but with the average cost of a breach exceeding $3 million for a typical organization, as well as the cost to reputations and executive careers, perhaps it is an investment in self-preservation that can be justified?

Hadrian’s Wall did a fair job in its day. History does not record any invading horde overwhelming its defenses – but how many wily individuals snuck across the border undetected? That is the situation we face today, and it calls for continuous monitoring, security detection and automated tools for correlation of data alerts. This multi-tactic approach is the only way to keep cyber barbarians from crossing the line.

About the Author:

Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a supplier of transport chips to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx), following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.
