
Network surveillance for combating advanced threats

Tom Cross

Today’s threat actors are becoming more sophisticated, advanced and diverse. Widespread virus and worm outbreaks are no longer the only worries for IT administrators; they must now also defend their infrastructure against malicious insiders and the Advanced Persistent Threat (APT). 

While the security industry has put a lot of emphasis on blocking attacks at the perimeter and detecting known malware through the use of signatures, these strategies are no longer enough. 

The missing piece of the puzzle in many government and enterprise information security programs is internal network visibility. Monitoring and analyzing all of the activity taking place on the internal network is a necessity for network security today. Technologies such as firewalls, antivirus, IDS/IPS and SIEM all have a role to play in combating network threats, but they miss the mark when it comes to network visibility, leaving a wide-open gap in enterprise security strategies. 

This gap is evident to attackers, as well as to incident responders, who have the tough job of reconstructing what happened once a system has been breached. However, by combining conventional security technologies with a solution that provides internal network visibility, organizations can more effectively identify, investigate, halt and prevent advanced attacks, including insider threats and APTs. 

It is also important to recognize the role of human incident responders in combating advanced security threats. No security solution is going to automatically detect and block APTs and insider threats while the IT staff is asleep. While enforcement mechanisms are critical to a healthy network, they cannot replace the need for a vigilant, skilled set of eyes watching for emerging and targeted threats. 

The best solutions harness the strengths of both automated and human analysis -- helping professional incident responders monitor their systems and comb through the masses of information there to find the subtle indicators that sophisticated attacks leave behind. Next-generation network visibility technologies can help in this regard by turning the network into an always-on sensor grid for detecting suspicious behavior. 

The most comprehensive and cost-effective means of obtaining visibility and protection across the internal network is leveraging existing infrastructure. Vast amounts of security insight can be obtained by collecting and analyzing flow data such as NetFlow from routers, switches, firewalls and other flow-enabled devices already deployed within the network. Like a call record, flow data can show who is talking to whom within a network, for how long, using which devices, and so on. 

By leveraging flow-based monitoring solutions, administrators can baseline normal behavior and then easily identify when a host is doing something it shouldn't be -- whether that means logging in from an unfamiliar location, beaconing, communicating with a questionable external IP address, sending out unusually large amounts of traffic, or any number of other anomalies. 
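As an added illustration of the two anomaly types just named (beaconing and unusually high outbound volume), the following script runs a simple baseline-and-compare pass over constructed NetFlow-style records. It is example code written for this article, not Lancope's product or any real collector; the record layout, the internal address prefix and the thresholds are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed NetFlow-style records for illustration, not captured traffic:
# (start_seconds, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # 10.0.0.5: ordinary browsing, irregular timing, modest sizes
    (0, "10.0.0.5", "203.0.113.10", 443, 4200),
    (37, "10.0.0.5", "203.0.113.11", 443, 9800),
    (140, "10.0.0.5", "203.0.113.10", 443, 3100),
    (410, "10.0.0.5", "203.0.113.12", 80, 1500),
    # 10.0.0.7: same external host every 60 s with tiny payloads (beacon-like)
    (0, "10.0.0.7", "198.51.100.9", 443, 300),
    (60, "10.0.0.7", "198.51.100.9", 443, 310),
    (120, "10.0.0.7", "198.51.100.9", 443, 305),
    (180, "10.0.0.7", "198.51.100.9", 443, 298),
    (240, "10.0.0.7", "198.51.100.9", 443, 302),
    # 10.0.0.9: one host pushing far more outbound data than its peers
    (50, "10.0.0.9", "192.0.2.77", 22, 850_000_000),
]
INTERNAL_PREFIX = "10.0.0."  # assumed internal address range


def beaconing_pairs(flows, min_flows=4, max_jitter=0.1):
    """Return (src, dst) pairs whose inter-flow gaps are nearly constant."""
    times = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        times[(src, dst)].append(ts)
    found = []
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Coefficient of variation near zero means machine-regular timing
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            found.append(pair)
    return found


def high_egress_hosts(flows, factor=10):
    """Return internal hosts sending more than factor x the median host's bytes."""
    out = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if src.startswith(INTERNAL_PREFIX) and not dst.startswith(INTERNAL_PREFIX):
            out[src] += nbytes
    baseline = median(out.values())  # peer baseline: the typical host's egress
    return [h for h, b in out.items() if b > factor * baseline]
```

On real flow exports the baseline would be built per host over days of history rather than across peers in one window, and the beaconing check would tolerate the jitter that malware adds deliberately.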

In the case of APTs and insider threats, flow-based monitoring can fill in the dangerous blind spot left by conventional solutions. Instead of only revealing nefarious traffic going in and out of the network, it can also clearly depict the spread of attacks on the internal network, providing faster insight than can be obtained through manual forensic analysis of compromised machines. 

When you are living with an advanced threat, you are playing a non-stop game of cat and mouse on your computer network. The need to collect and analyze intelligence isn't a one-time requirement that arises from a single incident. It needs to be an ongoing part of an organization's defensive operation, and tools such as flow-based monitoring can make it easier to adopt this best practice. 

Tom Cross is director of security research at Lancope, Inc. He can be reached at:

[email protected] 

