Look to the Network (for Security Innovation)

September 2, 2015 Sam Curry


I get awfully tired of proclamations like “Firewalls are Dead” or “IDS is Dead,” as if any generation of technology is so hopelessly gone that it went useful to useless in a perfect, quantum leap change of state.  As if anything in the world is purely binary.  TS Elliot had it right, the end of anything usually happens with a whimper and not a bang; and the same is true of security technologies.  If anyone tells you that the perimeter is “dead” or that fill-in-the-blank security technology (AV, SIEM, FW, IDS, MFA, etc., etc.), then hold on to your wallets.  Because the kit that we use and the tools that we use and have deployed very widely continue to have utility and use long after their hype has peaked and receded.

It’s probably the mark of all technologies that they go through what Gartner would call a “hype” cycle before finding their optimal, snug home of utility.  And all of the technologies I’ve mentioned still exist, still have a role to play and many yet to come will likewise get launched, sail proud and eventually find a snug berth in some IT dock somewhere.  It’s arguable that a technology is only really mature when it goes through those phases and finds it’s sweet spot, but that’s a tangent from the real point of this blog: now is the time for the Network to re-assert it’s validity and to provide new options for changing the security game.

It’s arguable that IDS was at the forefront once of the network game, but it hit a wall that had two unfortunate consequences.  First, the noise-to-signal ratio became unmanageable and, inadvertently, created what became (through several painful phases) the SIEM industry.  Second, IDS tried to pull itself up by the bootstraps and evolve into IPS, which was a worthwhile direction and endeavor but ran into a problem of trying to increase fidelity at the same time as increase the ability to take action.  In a perfect storm, a series of bad corporate moves and acquisitions set IPS back, and it has been largely overlooked (and sometime snickered at) industry ever since.

This has lead to the current straits where the “network” (and I don’t mean perimeter to those thinking sandbox, firewall, next generation firewall, UTM and / or WAF here) is underserved.  If you look at the extensive categories around so called “Advanced Threat” technologies, network-based options are underserved.  This is a technology that won’t be as insecure as many will claim, but it has the most immediate and effective ability to change the Human-to-Human race happening between security departments and attackers.

Why is it so effective?  The most obvious answer is that network technologies can see the traffic.  That sounds obvious, but it means that all communications, all theft, all lateral movement is immediately and clearly visible to the network.  The only things it can’t see are attacks that come in physically, interact with an endpoint and leave physically without touching the network stack.

Done correctly, network-based recording and selective retention (and metadata) can let you retroactively look for things when signatures later become available — we call that “looping,” although I have heard of others calling that “retrospective analysis.”  Unlike endpoints, which are the site of controls, recording and compromise, the network isn’t in the critical compromise path in the majority of attacks, which makes it an out-of-band collection mechanism for post-event forensics, for back-tracking and tracing and for looking at “in the wild events.”

Network interception also sees the broadest swath of systems (which are the ultimate targets) of any interception point for east-west traffic, as opposed to purely north-south as at a perimeter.  If you want to collect and collate data, looking for patterns, applying machine learning or even doing white/black list signature checking, it’s far more efficient to do it from the network than from elsewhere.  Further, when the network requires updates and signatures, it represents only one point or a series of few points to update that can see everything instead of the interminable race and election/distribution algorithms to update individual and groups of machines that are very different in their operating environments, behaviors, availability and distribution.

Finally, the network presents a set of options to take action: you can use the network to interrupt command and control, to interrupt bots and tools, to segment, to isolate with the least impact to affected systems.  You aren’t in the kernel and the guts of endpoint systems and can instead quarantine them or monitor them with little risk of detection from endpoint-resident malware because the platform under attack isn’t also the probe.

Is the firewall dead?  No.  Is antivirus dead?  No.  Is IDS, IPS dead?  No.  Is SIEM dead?  No.  Not at all. But are they the best place to get an advantage for your people in winning the race against bad guys?  Also No.

The truth is that the network is the best place to deploy technologies to get a leg up.  The networks time has come and our IT environments need it.

There are challenges on the horizon, including increasing use of encryption (for which there are answers) and the adoption of technologies in virtual environments, clouds and the use of mobile and even IOT devices (for which there are also answers).  But the network is the place that is underserved today and provides the most meaningful complement to existing tools, teams and processes for getting results.

In the past 4 blogs, we’ve established that mature companies and those companies that aspire to mature try to get a leg up in the Human-to-Human race.  This means accepting that Infrastructure compromise is inevitable, painful as it is; and traditional tools can help minimize this; but Information compromise is “evitable” or avoidable.  To do this means freeing up spend from less effective tools (not eliminating them) and inverting the spending pyramid.  And it means investing in new, advanced tools and techniques, especially around network security, to win the race more often and more effectively.

The time for the next phase of network advanced threat technology is now!

The post Look to the Network (for Security Innovation) appeared first on Arbor Insights - Our People, Products and Perspective.


Previous Article
How to: Build a Business Case for DDoS
How to: Build a Business Case for DDoS

The academic calendar is back into full swing. Summer vacations are now just...

Next Article
Threat Never Takes A Vacation – Why the Staycation was invented
Threat Never Takes A Vacation – Why the Staycation was invented

Growing up, I never heard the word “staycation.” That would have been alien...