4 Things Secure Networks Have in Common
The Group of Seven (G7) published a 3-page document this week entitled G7 Fundamental Elements of Cyber security for the Financial Sector. It outlines 8 fundamental elements of cyber security for financial companies and banks. The United States Federal Reserve and the Treasury Department support the guidelines and are encouraging the financial sector to participate.
One of the 8 elements outlined is Monitoring. The monitoring element section in the paper recommends financial institutions:
Establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises.
Monitoring is a practice that all enterprises must do in some form or another, not just financial sector enterprises. Passive monitoring (also known as out-of-band monitoring) is a fundamental tenet of performance management and threat detection. Some enterprises also use inline security tools like firewalls and intrusion prevention systems (IPS) to actively protect their perimeter from cyber security breaches. Both active and passive tools operate in the same way: they are fed a healthy dose of network traffic. That traffic is analyzed and produces event logs and alerts. Some enterprises consolidate logs and centralize rulesets to generate alerts using a security information and event management (SIEM) system.
While each network’s toolset is a little different, there are four things secure networks have in common.
- They can access data anywhere
There are sources of traffic and there are destinations for traffic. Sources are tapped network links or SPAN ports. Secure networks don’t want their tools to miss any network traffic, so every single link is tapped. If a security tool isn’t fed the network traffic, it may miss something critical.
- They provide resilience to inline security tools
When enterprises deploy security tools inline, they want to protect their perimeter. The goal is to block bad traffic from entering their network. Inline security tools inspect active network traffic looking for threats, but they are also inline, which means they could compromise the flow of legitimate network traffic if they slow down, need maintenance, or stop working altogether. Most enterprises want to control whether or not network traffic passes when an inline security device is down and so they use programmable bypass switches to constantly monitor the health of inline tools and either reroute traffic around failures or block it altogether. With bypass switches, the method of failover becomes the choice of the secure network administrator.
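The fail-open versus fail-closed choice described above, as an added example that is not part of the original post or any vendor's product: a constructed model of a programmable bypass switch that tracks heartbeats to one inline tool, declares it down after a configurable number of misses, reinserts it only after consecutive good heartbeats, and routes traffic according to the administrator's chosen policy (the `Policy`, `BypassSwitch` and `simulate` names are assumptions).

```python
from enum import Enum

class Policy(Enum):
    FAIL_OPEN = "fail-open"      # pass traffic uninspected while the tool is down
    FAIL_CLOSED = "fail-closed"  # block traffic while the tool is down

class BypassSwitch:
    """Constructed model of a bypass switch guarding a single inline tool."""

    def __init__(self, policy, fail_after=3, recover_after=2):
        self.policy = policy
        self.fail_after = fail_after        # missed heartbeats before the tool is declared down
        self.recover_after = recover_after  # good heartbeats before it is put back inline
        self.missed = 0
        self.good = 0
        self.tool_up = True

    def heartbeat(self, answered):
        """Record one heartbeat probe result; return whether the tool is considered up."""
        if answered:
            self.missed = 0
            self.good += 1
            if not self.tool_up and self.good >= self.recover_after:
                self.tool_up = True   # hysteresis: one good probe is not enough to reinsert
        else:
            self.good = 0
            self.missed += 1
            if self.tool_up and self.missed >= self.fail_after:
                self.tool_up = False
        return self.tool_up

    def route(self):
        """Where the next packet goes: through the tool, around it, or nowhere."""
        if self.tool_up:
            return "inline"
        return "bypass" if self.policy is Policy.FAIL_OPEN else "drop"

def simulate(policy, heartbeats):
    """Feed a constructed heartbeat sequence and return (tool_up, route) per probe."""
    sw = BypassSwitch(policy)
    return [(sw.heartbeat(hb), sw.route()) for hb in heartbeats]
```

Running the same outage sequence under both policies shows the only difference is what happens to traffic during the failure window; the detection and recovery timing is identical.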
- They only send relevant traffic to monitoring tools
When enterprises deploy security tools out-of-band, they are passively monitoring network traffic. As they tap more network links and segments, the traffic that aggregates to a network packet broker (NPB) increases and also contains duplicate packets. Context-aware data processing is the capability to look at each packet, identify its application type, source location, and other characteristics to intelligently decide which tools need the packet, which don’t, and which packets are duplicates. The NPB’s job is to analyze each packet and apply the rules and filters set up by the administrator to distribute only relevant network traffic to each security, monitoring, and analysis tool. Context-aware data processing is the intelligence engine that processes packets at line rate and feeds them to the tools that need them.
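The deduplication and rule-based distribution just described, as an added example that is not part of the original post or any NPB product: a small Python packet broker that drops duplicates seen within a time window (the same packet arriving from two taps) and forwards each remaining packet only to the tools whose rules match its application type. The packet tuples, `TOOL_RULES` and the `classify`/`PacketBroker` names are constructed assumptions.

```python
import hashlib
from collections import deque

# Constructed sample packets: (timestamp_s, src_ip, dst_ip, dst_port, payload)
SAMPLE_PACKETS = [
    (0.000, "10.1.1.5", "203.0.113.7", 443, b"tls-client-hello"),
    (0.001, "10.1.1.5", "203.0.113.7", 443, b"tls-client-hello"),  # same packet from a second tap
    (0.002, "10.1.1.9", "10.1.2.20", 53, b"dns-query-example"),
    (0.003, "10.1.1.9", "10.1.2.22", 80, b"GET / HTTP/1.1"),
    (1.500, "10.1.1.5", "203.0.113.7", 443, b"tls-client-hello"),  # outside the window: a new packet
]

def classify(dst_port):
    """Coarse application identification from the destination port (assumption)."""
    return {443: "tls", 80: "http", 53: "dns"}.get(dst_port, "other")

# Administrator rules: tool name -> application types that tool should receive
TOOL_RULES = {
    "ids": {"http", "dns", "other"},
    "tls_analyzer": {"tls"},
    "dns_monitor": {"dns"},
}

class PacketBroker:
    def __init__(self, rules, dedup_window=0.5):
        self.rules = rules
        self.window = dedup_window
        self.recent = deque()   # (timestamp, digest) of packets still inside the window
        self.seen = set()       # digests currently inside the window
        self.dropped_duplicates = 0

    def _digest(self, pkt):
        _, src, dst, port, payload = pkt
        return hashlib.sha256(f"{src}|{dst}|{port}|".encode() + payload).digest()

    def _expire(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            _, d = self.recent.popleft()
            self.seen.discard(d)

    def process(self, pkt):
        """Return the sorted list of tools that should receive this packet ([] if duplicate)."""
        self._expire(pkt[0])
        d = self._digest(pkt)
        if d in self.seen:
            self.dropped_duplicates += 1
            return []
        self.seen.add(d)
        self.recent.append((pkt[0], d))
        app = classify(pkt[3])
        return sorted(tool for tool, apps in self.rules.items() if app in apps)

def run(packets, rules):
    broker = PacketBroker(rules)
    return [broker.process(p) for p in packets], broker.dropped_duplicates
```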
- They eliminate tool inefficiencies and protect sensitive data
More and more network traffic today is encrypted. Many passive monitoring tools waste analysis cycles decrypting packets before they can look for security threats like malware. This process is inefficient, assuming the tool is capable of decryption in the first place (many tools are not). Security intelligence processing centralizes packet decryption and can even mask sensitive information like credit card and Social Security numbers (e.g. XXX-XX-XXXX) before delivering clear text packets to the tools. Inline security tools also have inefficiencies that can be eliminated. For instance, many of these tools use deep-packet inspection on each packet looking for threats. This requires extreme processing capabilities to keep the packets flowing fast. But now it’s possible to identify and block known bad traffic before it gets to your inline tools. This can be done at line rate with a threat intelligence gateway because it doesn’t perform deep packet inspection. Instead, it uses a continuously updated rap sheet database of IP addresses that are known to distribute malware, viruses, and other attacks and compares it to the IP address in the packet header. Only when it is 100% sure the traffic is bad will it block it. And when it does, it leaves inline tools focusing on suspicious and legitimate traffic only, not the traffic coming from a known source of threats.
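The two techniques in this section, masking sensitive fields before packets reach the tools and a header-only reputation check ahead of the inline tools, as an added example that is not part of the original post or any product: the masking step replaces Social Security numbers with the XXX-XX-XXXX form and card numbers (Luhn-validated so ordinary digit runs are left alone) with all but the last four digits, and the gateway step goes slightly beyond the text by matching the source address against address prefixes as well as single addresses. The reputation list uses RFC 5737 documentation ranges, constructed for the example, not real indicators.

```python
import ipaddress
import re

# Constructed reputation list (documentation ranges only, not real indicators)
KNOWN_BAD_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.66/32")]

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits, right to left."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = ch - 48
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def mask_sensitive(payload: bytes) -> bytes:
    """Mask SSNs and Luhn-valid card numbers in a clear text payload."""
    payload = SSN_RE.sub(b"XXX-XX-XXXX", payload)

    def _mask_card(m):
        digits = re.sub(rb"[ -]", b"", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # digit run that is not a card number: leave untouched
        return b"X" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(_mask_card, payload)

def known_bad_source(src_ip: str) -> bool:
    """Header-only check: is the source address inside a listed bad prefix?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in KNOWN_BAD_PREFIXES)

def process(packet):
    """packet = (src_ip, clear text payload). Block listed sources, mask the rest."""
    src, payload = packet
    if known_bad_source(src):
        return ("blocked", None)
    return ("forwarded", mask_sensitive(payload))
```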
With these four things in place, an effective security architecture is formed. Check out the infographic titled Four Things Secure Networks Have in Common that visually expands on the methods, techniques, and products used in secure networks.