In the high-stakes, cat-and-mouse game of cybersecurity, the only real constant is change. The number of new threats is escalating, and the attack surface is growing, too. Businesses today rely more extensively than ever on Internet-connected devices, services and data -- from machine-to-machine communication and the Internet of Things (IoT), to bring your own devices (BYODs) and bring your own cloud (BYOC) applications.
One thing this tidal wave of new targets has in common? Their exposure to network-borne threats is 24/7. From Heartbleed to FREAK, criminals continually exploit low-hanging fruit by finding new bugs in widely deployed software and old gaps that resurface in new technologies.
Effectively spotting and stopping these evolving network threats requires not just vigilance, but new approaches. It's unrealistic to expect enterprise defenses to block all attacks or eliminate all vulnerabilities. Furthermore, manual threat assessment and intervention simply cannot scale to meet these challenges. Network security monitoring that is more pervasive, automated and intelligent is critical to improve situational awareness and drive timely threat response.
The Importance of Network Threat Visibility
According to the Ponemon Institute's "2014 Cost of Cyber Crime: United States," the most costly cybercrimes are those caused by denial of service attacks, malicious insiders and malicious code, which together account for 55% of all costs associated with cyberattacks. Not surprisingly, costs escalate when attacks are not resolved quickly. Participants in Ponemon's study reported that the average time to resolve a cyberattack in 2014 was 45 days, at an average cost of $1,593,627 -- a 33% increase over 2013's cost and 32-day resolution time. Worse, study participants reported that malicious insider attacks took on average more than 65 days to contain.
The increasing frequency, diversity and complexity of network-borne attacks is impeding threat resolution. Cisco's 2015 Annual Security Report found that criminals are getting better at using security gaps to conceal malicious activity: for example, moving beyond recently fixed Java bugs to new Flash malware and "snowshoe" IP distribution techniques (increasing spam by 250%), exploiting the 56% of OpenSSL installations still vulnerable to Heartbleed and other flaws, or enlisting end users as cybercrime accomplices.
In this era of BYOD, BYOC, IoT and more, achieving real-world security for business-essential connectivity requires more visibility into network traffic, assets and patterns. "By understanding how security technologies operate," Cisco's report concluded, "and what is normal (and not normal) in the IT environment, security teams can reduce their administrative workload while becoming more dynamic and accurate in identifying and responding to threats and adapting defenses."
Be Aware of the Risks
According to Gartner analyst Earl Perkins, speaking at the Gartner Security & Risk Management Summit in June 2015, advanced threat defense combines near-real-time monitoring, detection and analysis of network traffic, payload and endpoint behavior with network and endpoint forensics. More effective threat response begins with advanced security monitoring -- including awareness of user activities and the business resources they access, on-site and off. However, security professionals are also experiencing information overload. Advanced visibility therefore comes from more intelligent use of information through prioritization, baselining, analytics and more.
Perkins recommends deploying network security monitoring technologies based on risk. At a minimum, every enterprise should take fundamental steps, including properly segmenting networks and defending business assets with traditional network firewalls, intrusion prevention systems (IPS), secure Web gateways and endpoint protection tools. These defenses serve as sentries -- armed guards stationed at key entrances to ward off basic threats and sound the alarm at the first sign of attack. For low-risk, threat-tolerant businesses, these fundamentals may be sufficient.
However, most organizations at risk will want to consider more advanced network security monitoring tools and capabilities such as next-generation and application firewalls, network access control (NAC), enterprise mobility management (EMM), and security information and event management (SIEM). These technologies go deeper by examining more traffic content or endpoint characteristics. They broaden visibility by monitoring more network elements, including mobile devices and activities. Ultimately, they can produce more actionable intelligence by knitting together disparate events into more cohesive threat alerts -- especially for advanced persistent threats that might otherwise be missed entirely.
Finally, risk-intolerant organizations may wish to go even further, using network and endpoint forensics to routinely record all activity, enabling look-back traffic, and payload and behavior analysis. Unlike real-time monitoring technologies, forensics tools focus on identifying past compromises -- but this can be important to spot, for example, those long-running insider attacks. Forensics can also help enterprises identify gaps in their defenses, enabling them to adapt and to better prevent future attacks.
Put Network Security Monitoring Tools to Work
To take advantage of new advanced network security monitoring tools, it can help to get a handle on industry advances and why new technologies and capabilities have emerged.
Let's start with that staple of network monitoring, the traditional network firewall. Single-function firewalls long ago morphed into unified threat management (UTM) platforms, which combine firewall, IPS, VPN, Web gateway, and antimalware capabilities. However, even UTMs tend to focus on network traffic inspection. When application payload is examined, it's for a specific reason such as blocking a blacklisted URL, content type or recognized malware.
In contrast, next-generation firewalls are application-aware. That is, they attempt to identify the application riding over a given traffic stream -- even an SSL-encrypted session -- and apply policies specific to that application and perhaps to the users, groups or roles. For example, a next-generation firewall isn't limited to blocking all traffic to Facebook. It can allow only marketing employees to post to Facebook, but not to play Facebook games. Or it can simply monitor how workers interact with Facebook and generate alerts when activity deviates from that baseline. This granularity is only possible because the firewall can identify applications and their features -- including new applications it will learn about in the future. Increasingly, next-generation firewalls are learning through machine-readable feeds that not only deliver new threat signatures but intelligence about new attacks and IPs, devices or users with bad reputations. This ability to adapt and learn is key to keeping up with new cyberthreats.
While intrusion prevention remains a cornerstone of network monitoring, it has expanded in several dimensions. First, as enterprise networks move from wired to wireless access, wireless IPS has become essential. At a minimum, enterprises can use rogue detection built into wireless LAN controllers. Risk-averse enterprises may invest in wireless IPS to scan the network 24/7 for threats, including some otherwise hidden IoT and unauthorized BYOD communication.
Second, intrusion prevention now extends beyond the enterprise network to mobile devices. For example, EMMs can be used to routinely assess mobile device integrity, alerting administrators to jailbroken, rooted or malware-infected devices and automatically protecting the enterprise by removing network connections or business applications from those devices. The ability to look beyond the traditional enterprise network edge is key to avoiding blind spots.
SIEM technologies have also evolved. They no longer simply aggregate and normalize events produced by enterprise network-connected systems and applications; now they comb that data together with contextual information about users, assets, threats and vulnerabilities to enable correlation and analysis. According to Gartner, SIEM deployment is growing, with breach detection now overtaking compliance as the primary driver. As a result, SIEM vendors have expanded capabilities that target breach detection, such as threat intelligence, anomaly detection and network-based activity monitoring -- for example, integrating NetFlow and packet capture analysis. SIEM not only helps enterprises pull monitored data together, but can now intelligently sift through that haystack to pinpoint internal and external threats.
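To make the correlation idea concrete, here is a small added example (not code from the article, Cisco, Gartner or any SIEM vendor) that does, in miniature, what the paragraph above and the earlier "baselining" recommendation describe: it learns what is normal per host and port from a week of NetFlow-style records, enriches each new flow with asset context (role and criticality), checks a segmentation policy, and emits alerts ordered by how critical the affected asset is. The flow records, asset inventory, segmentation policy and the 3-sigma volume threshold are all constructed assumptions for illustration.

```python
"""
Toy SIEM-style correlation over NetFlow-like records.
Added example; every record, asset, policy and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    severity: int   # 1 (low) .. 3 (high), taken from asset criticality
    kind: str       # "segmentation", "volume" or "new-behavior"
    flow: Flow


# Constructed asset inventory: host -> (role, criticality 1..3).
ASSETS = {
    "10.0.1.10": ("finance-db", 3),
    "10.0.1.20": ("file-server", 2),
    "10.0.1.30": ("app-server", 2),
    "10.0.2.50": ("marketing-laptop", 1),
    "10.0.2.51": ("engineering-laptop", 1),
}

# Constructed segmentation policy: a role may only be reached from these
# (network, port) pairs. Roles absent from the table are unrestricted.
ALLOWED = {
    "finance-db": [(ip_network("10.0.1.0/24"), 5432)],
}

# Constructed "normal week" of flows used to learn the baseline.
HISTORY = [
    *(Flow("10.0.2.51", "10.0.1.20", 445, b) for b in (1000, 1200, 900, 1100, 1000)),
    *(Flow("10.0.2.50", "10.0.1.20", 445, b) for b in (500, 600, 550, 450, 400)),
    *(Flow("10.0.1.30", "10.0.1.10", 5432, b) for b in (2000, 2100, 1900, 2000, 2000)),
]

# Constructed flows from "today" to be correlated against that baseline.
TODAY = [
    Flow("10.0.2.51", "10.0.1.20", 445, 1100),      # normal SMB traffic
    Flow("10.0.2.50", "10.0.1.10", 5432, 300),      # laptop reaching the finance DB
    Flow("10.0.2.51", "10.0.1.20", 445, 900_000),   # far above this host's usual volume
    Flow("10.0.1.30", "10.0.1.10", 5432, 2050),     # normal app-to-db traffic
    Flow("10.0.2.51", "203.0.113.7", 22, 4000),     # SSH to an outside host, never seen before
]


def build_baseline(history):
    """Mean and population stdev of bytes per (src, dst_port) from historical flows."""
    groups = defaultdict(list)
    for f in history:
        groups[(f.src, f.dst_port)].append(f.nbytes)
    return {key: (mean(vals), pstdev(vals)) for key, vals in groups.items()}


def correlate(flows, baseline, sigma=3.0):
    """Enrich each flow with asset context and return alerts, highest severity first."""
    alerts = []
    for f in flows:
        dst_role, dst_crit = ASSETS.get(f.dst, ("unknown", 1))
        src_role, src_crit = ASSETS.get(f.src, ("unknown", 1))

        # 1. Segmentation check: a restricted role reached from outside its allowed pairs.
        rules = ALLOWED.get(dst_role)
        if rules is not None and not any(
            ip_address(f.src) in net and f.dst_port == port for net, port in rules
        ):
            alerts.append(Alert(dst_crit, "segmentation", f))
            continue  # the policy violation is the headline; skip volume checks

        # 2. Baseline check: volume anomaly, or a (host, port) pair never seen before.
        stats = baseline.get((f.src, f.dst_port))
        if stats is None:
            alerts.append(Alert(src_crit, "new-behavior", f))
        else:
            mu, sd = stats
            if sd > 0 and f.nbytes > mu + sigma * sd:
                alerts.append(Alert(max(src_crit, dst_crit), "volume", f))

    # Prioritize by asset criticality; sorted() is stable, so ties keep flow order.
    return sorted(alerts, key=lambda a: -a.severity)


if __name__ == "__main__":
    for a in correlate(TODAY, build_baseline(HISTORY)):
        print(f"sev={a.severity} {a.kind:13s} {a.flow.src} -> {a.flow.dst}:{a.flow.dst_port} ({a.flow.nbytes} bytes)")
```

Running it yields three alerts: the laptop-to-finance-DB flow as a severity-3 segmentation violation, the 900,000-byte SMB transfer as a severity-2 volume anomaly, and the first-ever outbound SSH session as a severity-1 new-behavior alert, while the two routine flows produce nothing. The point is the ordering: the same raw flow data becomes actionable only once asset context and a learned baseline are joined to it.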
A new market segment has started to emerge: breach detection systems (BDS). These technologies are being driven by startups that are working to apply big data analytics to monitored information, profiling user- and device-behavior patterns to detect breaches and facilitate interactive investigation. According to NSS Labs, a BDS can identify pre-existing breaches as well as malware introduced through side-channel attacks -- but should be considered a "last line of defense against breaches that go undetected by current security technologies, or are unknown by these technologies." Risk-intolerant enterprises that have tried other advanced security monitoring tools but are plagued by advanced, persistent threats may wish to investigate this new technology.
When attacks inevitably break through enterprise network defenses and evade real-time detection, another advanced monitoring tool can be helpful: network forensics appliances. Network forensics also analyzes monitored data, but in a different way, for a different purpose. Like a network DVR, these passive appliances record and catalog all ingress and egress traffic. By delivering exhaustive full-packet replay, analysis and visualization quickly, network forensics appliances support cybercrime investigation, evidence gathering, impact assessment and cleanup. Here, the idea is to avoid limitations associated with real-time monitoring -- that is, having to spot everything important right when it happens. Network forensics makes it possible to go back and take a second look, to find what other monitoring systems might have missed.
The Bottom Line
As we have seen, advanced network security monitoring cannot be accomplished through isolated static tools. Rather, monitoring must occur at many locations and levels throughout the enterprise network and beyond, creating a comprehensive data set that an increasingly smart and dynamic collection of analysis tools then scours. Only in this way can we respond quickly and effectively to emerging cyberthreats that have learned how to fly under the traditional network radar.
About the Author
Lisa Phifer owns Core Competence Inc., a consultancy specializing in safe business use of emerging Internet technologies. Phifer is a recognized industry expert on wireless, mobile and cyber security.