On Aug. 15, 2012, Saudi Arabia's national oil and gas company, Saudi Aramco, suffered a debilitating cyber attack. More than 30,000 computers were rendered inoperable by the Shamoon malware, a wiper that overwrote the disks of the machines it infected. U.S. Secretary of Defense Leon Panetta described the attack as the most destructive ever used against the business sector.
Network security is a growing problem for the IT industry. The very trends that have revolutionized users' access to data are the same ones that are leaving networks exposed to cybercriminals. No single security product can defend against every intrusion, but a well-chosen combination of existing products, coordinated with each other, provides a more flexible defense.
Three recent trends in the IT industry have improved the efficiency and effectiveness of digital services: cloud computing, big data analysis and mobility. Cloud computing centralizes data and makes it accessible anytime, anywhere. Unfortunately, it also presents cybercriminals with fewer, and far more valuable, targets. Big data analysis offers a sophisticated overview of complex information; however, such a wealth of sensitive information in one location is an irresistible target.
Mobility offers convenience: users can reach data on the network from many devices, such as mobile phones and tablets. But this weakens security, because these devices typically lack the managed configuration, patching and endpoint protection of a corporate laptop.
As more data becomes reachable over the network, cyber attacks are becoming more common every year. The cost of these attacks to business, though lower in 2011 than in 2010, is still high. According to research by the Ponemon Institute and Symantec, the average cost of a data breach in the United States was $5.5 million in 2011.
Attackers are becoming smarter, devising new methods of penetrating defenses and often combining several kinds of attack. For example, an attacker can launch a distributed denial of service (DDoS) attack as a diversion while introducing malware into the network. In the Saudi Aramco case, the attackers delivered the malware through a spear phishing attack, in what appears to have been an attempt to disrupt international oil and gas markets.
Many types of security appliances and solutions are deployed in networks, each with its own specific focus. These solutions are rarely coordinated, however, and attackers exploit that by combining attacks of which each appliance sees only a part.
Defending against this requires some coordination between the various security solutions so that a complete overview can be formed. Even that is not enough, because detecting zero-day threats (attacks that have never been seen before, for which no signature exists) is very difficult. It is therefore also necessary to monitor how the network is actually behaving, to confirm that no attack has slipped past the defenses in place. Doing this successfully requires that all of these solutions can monitor and react in real time.
Most networks already have monitoring appliances in place, such as a firewall, an intrusion detection or prevention system (IDS/IPS) or a data loss prevention (DLP) application. Some products, such as unified threat management (UTM) appliances and next-generation firewalls, consolidate several of these functions into one box. But a single point solution, however consolidated, only ever addresses part of the problem.
Another approach to network security uses security information and event management (SIEM), which centralizes events from both network and security appliances to provide a holistic view of security. This is a real-time solution that constantly monitors the network to detect any anomalies that arise. It means that every network and security appliance must be able to deliver its data in real time, so that anomalies are detected the moment they occur, which in turn means that each appliance must keep up with growing data loads and link speeds.
One of the easiest ways to disrupt the security of a network is to overload the security and network monitoring appliances with a DDoS attack. An appliance that cannot sustain full line rate starts dropping packets and events, and the centralized SIEM is left blind precisely when it is needed most. A SIEM that only reacts to events it receives will not notice this on its own; it must also track each feed's expected volume so that a sensor falling silent is itself treated as an alert. By verifying that every appliance can operate at full throughput, and that the SIEM watches for gaps in its feeds, you remove another potential attack vector.
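The following is an added example written for this page, not code from the original article or from any SIEM product. It shows, in miniature, the two things the preceding paragraphs ask of a SIEM: correlating events from separate appliances (an IDS malware hit on a host followed by the firewall seeing that host connect outbound, and a firewall-reported flood overlapping a malware hit, the DDoS-as-diversion pattern) and noticing when an appliance stops reporting. The feed format, the appliance names fw01 and ids01, the event names and the IP addresses are all constructed for the example; the constructed feed deliberately has the IDS go quiet after the flood begins.

```python
# Minimal SIEM-style correlator with blind-spot detection (added example).
# Feed format is constructed for this example: "<epoch> <appliance> <event> key=value ...".
# Addresses use documentation ranges (RFC 5737) and private space; nothing here is real.
SAMPLE_FEED = """\
1000 fw01 heartbeat
1000 ids01 heartbeat
1005 fw01 syn_flood src=203.0.113.0/24 dst=198.51.100.10 pps=250000
1010 ids01 malware_download host=10.0.5.23 sig=Trojan.Generic
1012 fw01 outbound_connect src=10.0.5.23 dst=198.51.100.77 port=4444
1030 fw01 heartbeat
1060 fw01 heartbeat
1090 fw01 heartbeat
"""

HEARTBEAT_INTERVAL = 30   # assumed: every appliance reports at least this often (seconds)
CORRELATION_WINDOW = 60   # assumed: events this close together may be related (seconds)


def parse_line(line):
    """Parse one feed line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ts, source, event, *kvs = parts
    try:
        fields = dict(kv.split("=", 1) for kv in kvs)
        return {"ts": int(ts), "source": source, "event": event, **fields}
    except ValueError:
        return None


class Correlator:
    """Keeps a sliding window of recent events from all appliances and emits
    alerts for cross-appliance patterns and for appliances that have gone quiet."""

    def __init__(self, window=CORRELATION_WINDOW, heartbeat=HEARTBEAT_INTERVAL):
        self.window = window
        self.heartbeat = heartbeat
        self.recent = []        # events still inside the correlation window
        self.last_seen = {}     # appliance -> timestamp of its last event
        self.silent = set()     # appliances already reported as silent
        self.alerts = []        # (alert_name, subject) tuples, in order raised

    def ingest(self, ev):
        now = ev["ts"]
        self.last_seen[ev["source"]] = now
        self.silent.discard(ev["source"])          # feed is back, allow re-alerting later
        self.recent = [e for e in self.recent if now - e["ts"] <= self.window]
        self.recent.append(ev)
        self._correlate(ev)
        self._check_silence(now)

    def _correlate(self, ev):
        # Pattern 1: IDS flagged a malware download on a host, then the firewall
        # sees the same host open an outbound connection: likely active infection.
        if ev["event"] == "outbound_connect":
            for e in self.recent:
                if e["event"] == "malware_download" and e.get("host") == ev.get("src"):
                    self.alerts.append(("infected_host_beaconing", ev["src"]))
        # Pattern 2: a firewall-reported flood overlapping an IDS malware hit is the
        # "DDoS as a diversion for introducing malware" combination.
        if ev["event"] == "malware_download":
            if any(e["event"] == "syn_flood" for e in self.recent):
                self.alerts.append(("ddos_with_malware", ev.get("host")))

    def _check_silence(self, now):
        # Blind-spot check: an appliance that has not reported within the heartbeat
        # interval is itself an alert, because the SIEM can no longer see through it.
        for src, seen in self.last_seen.items():
            if now - seen > self.heartbeat and src not in self.silent:
                self.silent.add(src)
                self.alerts.append(("feed_silent", src))


def run(feed=SAMPLE_FEED):
    """Replay a feed through the correlator and return the alerts raised."""
    c = Correlator()
    for line in feed.splitlines():
        ev = parse_line(line)
        if ev is not None:
            c.ingest(ev)
    return c.alerts


if __name__ == "__main__":
    for name, subject in run():
        print(f"ALERT {name}: {subject}")
```

On the constructed feed this raises three alerts in order: the malware download during the flood, the infected host's outbound connection, and finally feed_silent for ids01, which stops reporting after the flood starts. Note that the silence check is driven by the timestamps of events that do arrive; if every feed is knocked out at once, nothing would trigger it, so a real deployment runs the check from a wall-clock timer rather than from incoming events.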
Edited by Stefania Viscusi