Network surveillance for combating advanced threats
Today’s threat actors are becoming more sophisticated, advanced and diverse. Widespread virus and worm outbreaks are no longer the only worries for IT administrators; they must now also defend their infrastructure against malicious insiders and the Advanced Persistent Threat (APT).
While the security industry has put a lot of emphasis on blocking attacks at the perimeter and detecting known malware through the use of signatures, these strategies are no longer enough.
The missing piece of the puzzle in many government and enterprise information security programs is internal network visibility. Monitoring and analyzing all of the activity taking place on the internal network is a necessity for network security today. Technologies such as firewalls, antivirus, IDS/IPS and SIEM all have a role to play in combating network threats, but they miss the mark when it comes to network visibility, leaving a wide open gap in enterprise security strategies.
This gap is evident to attackers, as well as to incident responders, who have the tough job of reconstructing what happened once a system has been breached. However, by combining conventional security technologies with a solution that provides internal network visibility, organizations can more effectively identify, investigate, halt and prevent advanced attacks, including insider threats and APTs.
It is also important to recognize the role of human incident responders in combating advanced security threats. No security solution is going to automatically detect and block APTs and insider threats while the IT staff is asleep. While enforcement mechanisms are critical to a healthy network, they cannot replace the need for a vigilant, skilled set of eyes watching for emerging and targeted threats.
The best solutions harness the strengths of both automated and human analysis -- helping professional incident responders monitor their systems and comb through the masses of information there to find the subtle indicators that sophisticated attacks leave behind. Next-generation network visibility technologies can help in this regard by turning the network into an always-on sensor grid for detecting suspicious behavior.
The most comprehensive and cost-effective means of obtaining visibility and protection across the internal network is leveraging existing infrastructure. Vast amounts of security insight can be obtained by collecting and analyzing flow data such as NetFlow from routers, switches, firewalls and other flow-enabled devices already deployed within the network. Like a call record, flow data can show who is talking to whom within a network, for how long, using which devices, and so on.
By leveraging flow-based monitoring solutions, administrators can baseline normal behavior and then easily identify when a host is doing something it shouldn’t be -- whether it be logging in from an unfamiliar location, beaconing, communicating with a questionable external IP address, sending out unusually high amounts of traffic, and the list goes on.
In the case of APTs and insider threats, flow-based monitoring can fill in the dangerous blind spot left by conventional solutions. Instead of only revealing nefarious traffic going in and out of the network, it can also clearly depict the spread of attacks on the internal network, providing faster insight than can be obtained through manual forensic analysis of compromised machines.
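As an added illustration of the baselining and anomaly checks described above (example code, not from the article or from Lancope): it runs over constructed flow records, flags hosts whose outbound volume is far above their baseline, and flags host/peer pairs contacted at near-constant intervals, which is the beaconing pattern mentioned. The record layout, hosts, and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not a real NetFlow export): (start_sec, src, dst, dst_port, bytes).
# BASELINE is a window of known-normal traffic; WINDOW is the period under observation.
BASELINE = [
    (0, "10.0.0.5", "10.0.0.20", 445, 9000),
    (120, "10.0.0.7", "10.0.0.21", 80, 6500),
]
WINDOW = [
    (3600, "10.0.0.5", "203.0.113.9", 443, 300000),  # unusually large outbound transfer
    (3660, "10.0.0.5", "203.0.113.9", 443, 350000),
    (3600, "10.0.0.7", "198.51.100.4", 443, 400),    # same peer roughly every 300 s
    (3901, "10.0.0.7", "198.51.100.4", 443, 410),
    (4199, "10.0.0.7", "198.51.100.4", 443, 405),
    (4500, "10.0.0.7", "198.51.100.4", 443, 398),
    (4798, "10.0.0.7", "198.51.100.4", 443, 402),
    (3700, "10.0.0.7", "10.0.0.21", 80, 3200),
]

def bytes_per_host(flows):
    """Total outbound bytes per source host."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return totals

def volume_outliers(baseline_flows, window_flows, factor=5):
    """Hosts whose outbound volume exceeds `factor` times their baseline volume."""
    base = bytes_per_host(baseline_flows)
    now = bytes_per_host(window_flows)
    return sorted(h for h, b in now.items() if b > factor * max(base.get(h, 0), 1))

def beaconing_pairs(flows, min_flows=4, max_jitter=0.1):
    """(src, dst, port) keys contacted at near-constant intervals, with the mean gap.
    Low jitter (stdev/mean of the inter-flow gaps) is the beacon signature."""
    times = defaultdict(list)
    for t, src, dst, port, _ in flows:
        times[(src, dst, port)].append(t)
    hits = []
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, avg))
    return hits
```

In practice the baseline is built from days of flow data per host and per peer, and the volume factor and jitter tolerance are tuned against that history rather than fixed as here.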
When you are living with an advanced threat, you are playing a non-stop game of cat and mouse on your computer network. The need to collect and analyze intelligence isn’t a one-time requirement that occurs as the result of a single incident. It needs to be an ongoing part of an organization’s defensive operation, and tools such as flow-based monitoring can make it easier to adopt this best practice.
Tom Cross is director of security research at Lancope, Inc. He can be reached at: