Attackers Are in Your Network: Leverage Big Data to Get Them Out

July 29, 2015

In a survey by the SANS Institute, 55 percent of respondents said that up to 30 percent of their security incidents this year should have been detected by perimeter security measures but weren’t. The truth is that today’s attackers have become skilled at bypassing conventional defenses, which can no longer be counted on by themselves to protect enterprise networks. While still necessary, these tools now need to be bolstered by more advanced defensive strategies that are more closely aligned with the advanced techniques being used by attackers.

Protection from the Inside Out

Various terms have been applied to the concept, but on a basic level, organizations need to stop looking only at the outside of their network and instead investigate what is going on inside in order to truly protect their critical assets and data. We’ve established that attackers are easily infiltrating today’s networks – and according to the Ponemon Institute, malicious attacks take an average of 80 days to discover and 123 days to resolve. This timeline is way too long if we wish to keep confidential and proprietary data out of the hands of attackers.

While tools like SIEM and full packet capture can provide slices of visibility into the network, their scope is limited and they can be extremely time-consuming and cost-prohibitive if widely deployed. The best way to obtain comprehensive network visibility is by leveraging existing resources – or, as Cisco calls it, using your “Network as a Sensor.”

Routers, switches, firewalls and other network infrastructure devices inherently provide data on all transactions happening across a network via a protocol called NetFlow (as well as several NetFlow variants). Organizations can unlock the power of NetFlow by simply enabling it, and then collecting and analyzing it with a flow monitoring tool such as Lancope’s StealthWatch System.

From Big Data to Actionable Intelligence

When fully leveraged, NetFlow data can reveal countless valuable details about your network assets and behavior – who is talking to whom, how much traffic is being transmitted, which devices and applications are being used, etc. It’s essentially Big Data for your network. This data can be used to build a baseline of normal network communications, and then reveal when something looks suspicious. Having this type of in-depth insight into your daily network goings-on is critical for effective threat detection, incident response and post-incident forensic investigations.

Beyond providing visibility, some flow monitoring tools can also distill this plethora of data into streamlined intelligence, finding the security “needle in the haystack” and automatically alarming on significant events that may indicate a threat. This is a concept known as security analytics, or context-aware security analytics for tools that also pull in supplemental data such as user identity, security policies, device specifications, known threats and so on.

Context-aware security analytics combine various sources of data, run the data through algorithms and compare it to historical network traffic trends to trigger more accurate alarms. Basically, security analytics turn Big Data into actionable intelligence without the hundreds of false positives that can result from less sophisticated tools. Armed with this intelligence, organizations can more seamlessly fend off network attacks – whether the threat is malware, an APT, an insider or a DDoS attempt. All of these attack methods would be sensed by your network as potentially malicious communications.

For example, perhaps an insider is repeatedly trying to access restricted areas of your network. Or maybe unusually large amounts of data are being sent out of your network, or an internal host is communicating with a suspicious IP address in a foreign country. An effective network visibility and security analytics tool can pick up on these behaviors and alert administrators to investigate them further.
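The three behaviors just described (repeated attempts against a restricted part of the network, an unusual volume of outbound data, and contact with a suspicious external address) are exactly what a baseline-then-alarm pass over flow records is meant to surface. The script below is an added example and is not Lancope or Cisco code: it works on constructed NetFlow-style records, builds each host's baseline of hourly outbound bytes from seven quiet days, and then alarms on an eighth day that contains all three behaviors. The addresses, the watch-list, the restricted subnet and the host-to-user map are all constructed; the "tiny flow means rejected connection" heuristic and the 5-host threshold are assumptions chosen for illustration.

```python
"""Baseline-and-alarm over constructed NetFlow-style records (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")           # constructed enterprise range
RESTRICTED = ip_network("10.0.50.0/24")       # constructed "restricted area" of the network
WATCHLIST = {"203.0.113.77"}                  # constructed threat-intel entry (TEST-NET-3)
HOST_TO_USER = {"10.0.1.20": "j.doe", "10.0.1.21": "a.smith", "10.0.1.22": "build-svc"}


def constructed_flows():
    """Seven quiet days, then a day 8 containing the three behaviours from the text.

    Each record is (day, hour, src, dst, dst_port, bytes): the fields a NetFlow export
    carries, with the timestamp reduced to a day/hour bucket. All values are constructed.
    """
    flows = []
    for day in range(1, 9):
        for hour in range(24):
            flows.append((day, hour, "10.0.1.20", "198.51.100.10", 443, 50_000))
            flows.append((day, hour, "10.0.1.21", "198.51.100.10", 443, 60_000))
            flows.append((day, hour, "10.0.1.22", "198.51.100.20", 443, 40_000))
    flows.append((8, 2, "10.0.1.21", "198.51.100.99", 443, 10_000_000))  # bulk outbound push
    flows.append((8, 3, "10.0.1.22", "203.0.113.77", 8080, 1_200))       # watch-listed peer
    for i in range(12):                                                  # tiny flows into RESTRICTED
        flows.append((8, 14, "10.0.1.20", f"10.0.50.{10 + i}", 445, 60))
    return flows


def is_outbound(src, dst):
    return ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL


def hourly_outbound(flows, days):
    """Outbound bytes summed per (src, day, hour), restricted to the given set of days."""
    totals = defaultdict(int)
    for day, hour, src, dst, _port, nbytes in flows:
        if day in days and is_outbound(src, dst):
            totals[(src, day, hour)] += nbytes
    return totals


def build_baseline(flows, baseline_days):
    """Per-host mean and population std-dev of hourly outbound bytes: the 'normal'."""
    samples = defaultdict(list)
    for (src, _day, _hour), total in hourly_outbound(flows, baseline_days).items():
        samples[src].append(total)
    return {src: (mean(v), pstdev(v)) for src, v in samples.items()}


def detect(flows, baseline_days, test_day):
    """Return (alarm_type, host, user, detail) tuples for one day of traffic."""
    baseline = build_baseline(flows, baseline_days)
    alarms = []

    # 1. Outbound volume far above the host's own history. The 2x floor keeps a flat
    #    (zero-variance) baseline from alarming on every small change.
    for (src, _day, hour), total in hourly_outbound(flows, {test_day}).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))
        if total > max(mu + 3 * sigma, 2 * mu):
            alarms.append(("data_hoarding", src, HOST_TO_USER.get(src, "?"),
                           f"{total} B outbound in hour {hour}, baseline {mu:.0f} B"))

    # 2. Any contact with a watch-listed address, and
    # 3. repeated tiny flows into the restricted subnet (assumed to be rejected attempts).
    probes = defaultdict(set)
    for day, hour, src, dst, port, nbytes in flows:
        if day != test_day:
            continue
        if dst in WATCHLIST:
            alarms.append(("watchlist_contact", src, HOST_TO_USER.get(src, "?"),
                           f"{dst}:{port} in hour {hour}"))
        if ip_address(dst) in RESTRICTED and nbytes < 100:
            probes[src].add(dst)
    for src, targets in probes.items():
        if len(targets) >= 5:
            alarms.append(("restricted_probing", src, HOST_TO_USER.get(src, "?"),
                           f"{len(targets)} restricted hosts touched with <100 B each"))
    return alarms


if __name__ == "__main__":
    for alarm in detect(constructed_flows(), set(range(1, 8)), 8):
        print(*alarm, sep=" | ")
```

Running it prints one alarm of each type, each tagged with the user behind the source host: that host-to-user join is the simplest form of the context the passage above calls "context-aware" analytics, and it is what turns an address into something an analyst can act on.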

Security Analytics for Automated Incident Response

In addition to more accurately detecting attacks, security analytics can save IT teams countless hours of manual investigation associated with using a variety of point solutions to piece together the details of an attack. This way, the incident response process can become more automated and efficient, thwarting attacks before they turn into large-scale data breaches that make news headlines.

“Security analytics is becoming the primary defensive tool we have for discovering when breaches have occurred and shutting them down before massive damage is inflicted,” said Richard Stiennon, cyber security expert and Chief Research Analyst for IT-Harvest. “The breaches at Target and Sony are great examples of what can happen to organizations that don’t do this.”

Many organizations that have recently been breached have hired a third party to come in after the breach and clean things up. However, this approach is not ideal because, well, the organization has already been breached, and since third-party incident responders know nothing about the organization’s environment, it takes them countless hours and dollars to gather intelligence and figure out what happened. On the flip side, if an organization is regularly monitoring and analyzing its own network data with the right tools, the security team is better equipped to pinpoint and stop an attack while it’s still happening – avoiding the disastrous results and costs associated with a breach.

No matter what you call it, the intelligent use of network data will become even more critical for security as organizations dive into new infrastructure projects such as cloud, SDN, IoT and BYOD. By enabling your network to be a security sensor, you can continue to detect a wide range of attack types regardless of how your architecture evolves.