Next-Gen Network Monitoring: The Missing Piece of the Puzzle
Written by Jesse Rothstein, CEO and co-founder of ExtraHop Networks
If 2014 has taught us anything, it’s that IT security is falling behind the threats against which it is supposed to protect, and the gap is widening quickly. From data breaches at major retailers to serious zero-day vulnerabilities such as Heartbleed and Shellshock, the events of the last 12 months have caused everyone with an interest in IT security, including the C-suite, to stand up and take notice.
The good news is that the industry is taking the implications of these breaches to heart, recognising that traditional perimeter-based approaches to IT security are no longer sufficient. To protect against today’s increasingly sophisticated threats, IT professionals must look beyond known vectors and perimeter defenses. New solutions must be proactive, pervasive, and persistent. They must be able to detect and defend against known threats while identifying and quickly reacting to unknown ones.
To tackle this challenge, IT teams are starting to focus on continuous observation of activity on the network inside the perimeter. Industry numbers indicate this shift: according to new research from Enterprise Strategy Group’s Jon Oltsik, “61 percent of enterprises now divide their network security equally between perimeter and internal networks.”
Today’s threats pose to challenges to traditional security models, but there are ways modern IT teams can protect against not only the barbarians at the gates, but also against those that have already breached the walls.
Advanced, Persistent Threats Expose Cracks in the Traditional Security Model
Many security tools today run on the host system, including privilege models, firewalls, and antivirus software that scans for known malware. While host-based security offers some basic protection, the reality is that there are always flaws and vulnerabilities that can be exploited. Potential threats include malware capable of privilege escalation or other ways around access controls. And as soon as the malware is within the host, the chances that you’ll ever find it using traditional tools are slim. Unless it’s designed specifically to call attention to itself, today’s sophisticated malware is stealthy enough to fly under the radar indefinitely.
The second traditional approach involves perimeter security, which includes firewalls as well as both Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). These technologies form the basis of what is colloquially known as the M&M approach to IT security, which forms a hard shell around the perimeter but leaves the internal network a soft target. The problem with this model is that today’s advanced persistent threats often utilise credentials stolen from contractors or take advantage of zero-day vulnerabilities. Moreover, most IDS and IPS products rely on signatures, which means they have to know what to look for. How can IDS or IPS catch attacks that no one has seen before?
Looking to the Network: A Data-Focused Approach to Security
As threats have become increasingly able to circumvent the more traditional security models, a new data-centric approach has emerged. Log files are one important source of visibility, as IT can look at the data a machine is self-reporting to determine if there are anomalies. The problem with using log files alone is that self-reporting is inherently unreliable. One of the first things that attackers do when they have compromised a system is modify the logs in order to cover their tracks. With logs, you only know if there’s a problem if the machine logs a problem.
While logging and host-based protections can be evaded, wire data is inherently observational, providing a view of all lateral communications between systems. Even if an advanced persistent threat has established a foothold within the internal network, it cannot avoid connecting with other systems as it performs reconnaissance, stages data for exfiltration, and receives command-and-control messages. With the depth and richness of visibility provided by wire data, IT and security teams are armed with the information and insight they need to detect anomalies and perform forensic investigation. If a particular host begins communicating with a database that it has never encountered before, security teams detect the communication and then determine which resources were accessed, who did the accessing, and when.
This comprehensive visibility has proven its value recently with the Shellshock vulnerability. As soon as the vulnerability was announced, enterprises and datacenters were immediately bombarded by hackers looking for vulnerable servers. Using traditional security tools, IT teams faced challenges when attempting to determine which servers were being hit and by whom. However, by looking at the communications between systems on the network, especially HTTP messages containing the exploit attempt in a header, teams could see exactly which servers were being probed and by whom.
As with any approach, using wire data for IT security has its challenges. The nature of today’s threats also means that the monitoring must be done in real time. Discovering a breach that occurred yesterday implies that your systems are already compromised.
The sheer volume of data on the wire is also a challenge. First, analysis systems must be able to scale to wire speeds to deliver a comprehensive and persistent view of the network. Second, the monitoring platform that you select must be able to parse out relevant data in order to pare down the data to a reasonable volume for storage purposes. Recording all of the data from a single 10Gbps link will fill up 100 TB in just 24 hours. This level of activity can’t be sustained long term, especially as we look forward to 40Gbps and 100Gbps networks.
Next-gen monitoring that utilises wire data is already proving to be a powerful complement to more-traditional security models. As enterprise IT and security teams increasingly recognise the shortcomings of the traditional model as a standalone solution, demand for next-gen and wire data intelligence solutions will increase. In turn, expect to see both new innovation and market consolidation as established players look to meet this customer demand.
