Adaptive Security is Possible with Advanced Threat Detection Solutions
According to the April 2016 Symantec Internet Security Threat Report, there were 431 million new malware variants discovered in 2015, representing a 36 percent increase over 2014. On average, a new zero-day threat was discovered each week, representing a 125 percent increase compared to 2014. It is not just the large corporations and governments that are experiencing attacks, either; 43 percent of spear-phishing attacks were directed against small businesses.
From these figures, it is clear that a veritable cyber-siege is underway that affects us all. Many recent factors have converged to create greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions. Bring Your Own Device (BYOD) can act as a Trojan horse to gain access to the network, and employees or contractors can knowingly or unwittingly mishandle data in a way that results in a breach. Cloud computing also provides new opportunities for attackers, who are constantly looking for novel ways to breach the wall by exploiting vulnerabilities.
For instance, one of the latest developments is the non-malware (fileless) attack. In this scenario, no malicious executable is written to the user's computer. Instead, a script runs in memory, exploiting vulnerabilities in Flash, web browsers and other tools already present on the machine, and from then on lives off those tools. Because many of the installed prevention solutions focus on stopping malware downloads and scanning files on disk, this kind of attack sidesteps a large part of the security architecture.
Detection is Key
To complement these prevention solutions, an additional layer of advanced threat detection can be deployed based on user and network behavior analysis. These internal advanced threat solutions rely on continuous monitoring of network activity: they first establish a profile of normal behavior for each user, host and service over a baseline period, then compare real-time activity against that profile to flag deviations. Used together with the information from other security solutions, they can provide the first indication that a breach has taken place.
This approach is particularly effective against non-malware attacks because it does not depend on detecting a file download, but on spotting activity that is out of the ordinary (a workstation uploading far more than usual, talking to a destination it has never used, or sweeping internal hosts), which gives the security team a basis for further investigation. Two caveats apply: the baseline must be taken from a period believed to be clean, or an existing compromise is learned as normal, and thresholds need tuning per environment, since a detection layer that fires on every new destination will be ignored.
The fundamental capability underlying network behavior analysis is the ability to analyze all network traffic in real time. This requires packet capture solutions that can deliver each and every packet for analysis without packet loss, even at speeds up to 100 Gbps; a dropped packet is a flow the analysis never sees.
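One concrete form of the baseline-then-compare logic described above, added here as an illustration and not code from the page or from Napatech: it profiles each source host's bytes per minute, distinct destinations per minute and set of known destinations over a baseline period, then scores live minutes against that profile. The flow records, hosts and the threshold k are constructed for the example; a real deployment would feed it flow summaries from the capture layer rather than text lines.

```python
"""Added example (not code from the page or from Napatech): behaviour-baseline
anomaly detection over per-host flow summaries, as the text describes.

Flow records are constructed for the example: "ts src dst dport bytes".
A baseline period gives each source a robust profile (median / MAD) of
bytes per minute and distinct destinations per minute, plus the set of
destinations it was seen talking to; live traffic is scored against it.
"""
from collections import defaultdict
from statistics import median

# Constructed baseline: one client talking to an internal web server and DNS.
BASELINE = """\
0   10.0.0.5 10.0.0.10 443 1200
10  10.0.0.5 10.0.0.20 53  100
60  10.0.0.5 10.0.0.10 443 1100
70  10.0.0.5 10.0.0.20 53  100
120 10.0.0.5 10.0.0.10 443 1300
130 10.0.0.5 10.0.0.20 53  100
180 10.0.0.5 10.0.0.10 443 1000
190 10.0.0.5 10.0.0.20 53  100
240 10.0.0.5 10.0.0.10 443 1400
250 10.0.0.5 10.0.0.20 53  100
"""

# Constructed live traffic: a normal minute, a large upload to a never-seen
# external host (the trace a fileless attack leaves even with no file on disk),
# an internal SMB sweep, and a host that never appeared in the baseline.
LIVE = """\
3600 10.0.0.5  10.0.0.10   443 1250
3610 10.0.0.5  10.0.0.20   53  100
3660 10.0.0.5  203.0.113.9 443 50000000
3665 10.0.0.5  10.0.0.10   443 1200
3800 10.0.0.99 10.0.0.10   443 500
"""
SWEEP = [(3720 + i, "10.0.0.5", f"10.0.0.{30 + i}", 445, 60) for i in range(20)]


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        rows.append((int(ts), src, dst, int(dport), int(nbytes)))
    return rows


def per_minute(rows):
    """Aggregate flows into (src, minute) -> bytes sent and distinct (dst, port)."""
    feats = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for ts, src, dst, dport, nbytes in rows:
        f = feats[(src, ts // 60)]
        f["bytes"] += nbytes
        f["dsts"].add((dst, dport))
    return feats


def robust_stats(values):
    """Median and median absolute deviation; MAD is floored at 1 so a perfectly
    constant baseline still yields a usable (strict) threshold."""
    m = median(values)
    mad = median(abs(v - m) for v in values) or 1.0
    return m, mad


def build_profile(rows):
    """Per-source baseline from the training period."""
    series = defaultdict(lambda: {"bytes": [], "dsts": [], "known": set()})
    for (src, _), f in per_minute(rows).items():
        s = series[src]
        s["bytes"].append(f["bytes"])
        s["dsts"].append(len(f["dsts"]))
        s["known"] |= f["dsts"]
    return {src: {"bytes": robust_stats(s["bytes"]),
                  "dsts": robust_stats(s["dsts"]),
                  "known": s["known"]} for src, s in series.items()}


def score(profile, rows, k=6.0):
    """Compare live minutes to the profile. Returns (src, minute, kind, detail)
    alerts; kind is one of bytes, dsts, new_dst, no_baseline."""
    alerts = []
    for (src, minute), f in sorted(per_minute(rows).items()):
        p = profile.get(src)
        if p is None:
            alerts.append((src, minute, "no_baseline", None))
            continue
        for kind, val in (("bytes", f["bytes"]), ("dsts", len(f["dsts"]))):
            m, mad = p[kind]
            # 1.4826 * MAD approximates one standard deviation for normal data
            if (val - m) / (1.4826 * mad) > k:
                alerts.append((src, minute, kind, f"{val} vs median {m}"))
        new = f["dsts"] - p["known"]
        if new:
            alerts.append((src, minute, "new_dst", sorted(new)))
    return alerts


def run_demo():
    profile = build_profile(parse_flows(BASELINE))
    return score(profile, parse_flows(LIVE) + SWEEP)


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

Median and MAD are used instead of mean and standard deviation so that a single burst in the baseline period does not inflate the threshold and hide later bursts. The new-destination check is what catches the exfiltration minute regardless of volume; the volume and fan-out checks catch it even when the destination was already known.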
Recording for Reconstruction
The Ponemon Institute reports that 70 percent of breaches are detected by third parties. This is the call that every C-level executive dreads, and the immediate concern is to determine the extent of the breach and the company's exposure. The C-level executive will expect the security team to report exactly what happened, when it happened and why it happened within a matter of hours.
Unfortunately, most security solutions today are built to prevent and detect attacks in real time, or at least near-real-time. Reconstructing the anatomy of an attack in detail is often impossible, especially when the attack took place up to six months ago, because the logs and alerts that remain were summarized at the time and cannot answer questions nobody thought to ask then. There is therefore a strong case for establishing the capability to record network traffic in a way that allows a breach to be reconstructed even months after the fact.
A packet capture-to-disk or network recording capability allows every packet on the network to be recorded at speeds up to 100 Gbps, and can also give multiple security analysis applications access to the same data. This allows deep-dive analysis of reliable network data on demand, supporting near-real-time forensic analysis as well as analysis of breaches several months in the past. The practical constraint is storage: 100 Gbps is 12.5 GB per second, roughly 1 PB per day of full packets, so retention windows, capture filters and the split between full-packet and flow-metadata retention have to be sized deliberately rather than assumed.
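A minimal capture-to-disk store, added here to illustrate the record-then-reconstruct workflow; it is example code and not Napatech's product. It writes constructed Ethernet/IPv4/TCP frames into libpcap format, builds a (timestamp, 5-tuple, offset) index over the recording, and answers the question an investigation asks months later: which flows did this host have in this window, and what did they carry? The IP addresses, timestamps and payloads are constructed; checksums are left at zero because the frames never leave memory.

```python
"""Added example (not code from the page or from Napatech): a minimal
capture-to-disk store in libpcap format with a (time, 5-tuple) index, so the
packets of a breach can be pulled back and reassembled on demand long after
they were recorded. Frames are constructed in memory (Ethernet/IPv4/TCP);
checksums stay zero because nothing here puts them on a wire.
"""
import struct
from socket import inet_aton, inet_ntoa

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap, little-endian here


def build_frame(src, dst, sport, dport, payload):
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(records):
    """records: iterable of (unix_time_float, frame) -> bytes of a pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def index_pcap(data):
    """Yield (ts, five_tuple, frame_offset, frame_len) for IPv4/TCP frames."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        start, off = off + 16, off + 16 + incl
        f = data[start:off]
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # not IPv4/TCP (e.g. ARP): still recorded, not flow-indexed
        ihl = (f[14] & 0x0F) * 4
        sport, dport = struct.unpack_from("!HH", f, 14 + ihl)
        key = (inet_ntoa(f[26:30]), sport, inet_ntoa(f[30:34]), dport)
        yield sec + usec / 1e6, key, start, incl


class CaptureStore:
    """Append-only recording plus an index; query() reads packets back by host
    and time window, the on-demand deep dive the text describes."""

    def __init__(self, pcap_bytes):
        self.data = pcap_bytes
        self.index = sorted(index_pcap(pcap_bytes))

    def query(self, host, t0, t1):
        """All indexed packets involving host with t0 <= ts <= t1."""
        return [(ts, key, self.data[start:start + n])
                for ts, key, start, n in self.index
                if t0 <= ts <= t1 and host in (key[0], key[2])]

    def payloads(self, host, t0, t1):
        """TCP payload bytes per unidirectional flow, in capture order."""
        flows = {}
        for _, key, f in self.query(host, t0, t1):
            ihl = (f[14] & 0x0F) * 4
            doff = (f[14 + ihl + 12] >> 4) * 4
            flows.setdefault(key, []).append(f[14 + ihl + doff:])
        return {k: b"".join(v) for k, v in flows.items()}


T0 = 1_460_000_000.0  # constructed capture start (April 2016, epoch seconds)
RECORDED = [
    (T0 + 0.0, build_frame("10.0.0.7", "10.0.0.10", 50100, 443, b"GET / HTTP/1.1\r\n")),
    (T0 + 0.5, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),  # ARP, skipped by the index
    (T0 + 1.5, build_frame("10.0.0.5", "203.0.113.9", 51000, 443, b"GET /beacon HTTP/1.1\r\n")),
    (T0 + 1.75, build_frame("203.0.113.9", "10.0.0.5", 443, 51000, b"HTTP/1.1 200 OK\r\n")),
    (T0 + 2.0, build_frame("10.0.0.5", "203.0.113.9", 51000, 443, b"POST /upload HTTP/1.1\r\n")),
    (T0 + 3600, build_frame("10.0.0.5", "10.0.0.10", 51001, 443, b"GET /intranet HTTP/1.1\r\n")),
]


def reconstruct(host="10.0.0.5", t0=T0, t1=T0 + 10):
    """Months later: which flows did host have in the window, and what did they carry?"""
    store = CaptureStore(write_pcap(RECORDED))
    return store.payloads(host, t0, t1)


if __name__ == "__main__":
    for flow, data in reconstruct().items():
        print(flow, data)
```

The index is the part that scales: the recording itself is written once, sequentially, and any number of analysis tools can resolve a host and time window to byte offsets without rereading the whole capture. The same pcap bytes can be handed to a protocol decoder for the flows returned, which is how the beacon and the upload in the example would be tied back to the earlier anomaly alert.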
The Shift to Adaptive Security
In Designing an Adaptive Security Architecture for Protection from Advanced Attacks, Gartner elaborated on the concept of an adaptive security architecture first proposed in 2014. In the analysis, Gartner concluded that there is an over-reliance on security prevention solutions, which are insufficient to protect against motivated, advanced attackers. The alternative proposed was an adaptive security architecture based on the following critical capabilities:
- Preventive capabilities to stop attacks
- Detective capabilities to find attacks that have evaded preventive capabilities
- Retrospective capabilities to react to attacks and perform forensic analysis
- Predictive capabilities to learn from attacks and industry intelligence to improve capabilities and proactively predict potential new attacks
The foundational and enabling capability underpinning the adaptive security architecture framework is the ability to perform continuous monitoring and analytics, including network monitoring and analysis.
The Basis for Adaptive Security
With the addition of advanced threat detection solutions, next-generation SIEM solutions and packet capture capabilities, the infrastructure to support an adaptive security framework is in place.
With this infrastructure, it is possible to prevent known attacks, detect zero-day threats and detect anomalous behavior that can indicate breaches that have circumvented defenses. The alerts and information from each solution are correlated and condensed by solutions like security information and event management systems that will enable security teams to quickly focus their attention on the most important threats.
Should the worst happen and a breach is detected late, the ability to fully capture and record each packet allows the anatomy of an attack to be recreated, allowing a quick determination of the extent and impact of the breach, as well as the ability to learn and prevent such a breach from happening again.
Fortunately, the solutions and the technologies to implement them are available today. Security prevention and detection solutions must work together to give a holistic view of network activity, and the ability to record network data for near-real-time forensic analysis and post-breach analysis is an essential part of this comprehensive approach. Security then becomes adaptive, available both in the moment and after the fact, with complete network visibility.
About the Author:
Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years' experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.