Are You Prepared for the Golden Hour of a Security Intrusion
Are you prepared for the Golden Hour of a network security intrusion? Most enterprises are not. According to an Ixia security resilience survey, many enterprises and carriers are still highly vulnerable to the effects of a security breach. So when an intrusion occurs, how quickly will you be alerted to the problem and then how quickly will you respond?
Medical Golden Hour
The Golden Hour of a security intrusion is the first 60 minutes of the intrusion into your network. The term Golden Hour actually comes from medical industry terminology. This is the first 10 to 60 minutes of a medical emergency, whether it be a heart attack, a stroke, an accident or whatever. The speed and quality of the health care assistance you receive within these first few minutes will have a profound effect upon the following:
- Whether you live or die
- Whether you will make a full recovery or not
- How long your recovery time will be
These minutes are so precious to human health because this is when most of the oxygen loss, blood loss and nerve damage to critical organs (brain, heart, etc.) occurs. If immediate assistance is received, fatal and long term damage can often be avoided, especially with today’s advancements in medical knowledge.
Network Golden Hour
A similar parallel can be drawn for network security, because these first few minutes are when an intruder will do the most damage: sabotaging the network, stealing intellectual property, planting malware, and so on. Minutes matter when you're dealing with an intruder. Unfortunately, a McAfee survey shows that for almost half of the companies surveyed, it takes days or longer to detect that they have been hacked.
One way to combat the problem is to insert inline security tools. This is a proactive approach that allows you to respond in real time to security threats. Inline tools allow you to prevent or limit your financial and intellectual property losses. You can also use the technology to shunt the intruder to a honeypot so that you can study the attack vector the intruder used and learn exactly what they are after.
When you insert security tools (or any tools, for that matter) inline, you'll want to use a bypass switch first. The bypass switch gives you the ability to take your security tools in or out of service with no impact on the network. For instance, you might want to perform a software upgrade that requires a reset, physically move the tool, or replace the tool. The bypass switch gives you that flexibility.
Bypass switches also provide a fail-over capability. While some security tools have a bypass capability built in, that built-in capability can itself stop working in certain situations, such as when the tool's software is malfunctioning. You also can't rely on it while you are replacing the tool.
A network packet broker (NPB) is something you should also consider. This device would be inserted after the bypass but before the tool (see the diagram below). The NPB gives you more flexibility with High Availability solutions, tool chaining for better analysis of suspicious data, and data filtering to reduce unnecessary loading of tools.
The data filtering capability is the most popular use case for NPBs. For instance, the NPB can reroute data that doesn't need to be screened directly back into the network. A couple of examples are video and voice traffic. This reduces the load on your intrusion prevention system (IPS) as well as speeding up the flow of network traffic.
Common security tools deployed inline include IPS, firewalls, security information and event management (SIEM) systems, threat analysis tools and data loss prevention (DLP) tools. The McAfee survey referenced earlier also indicated that 78% of respondents who were able to detect attacks in minutes were using a real-time SIEM to accomplish this. These tools can be effective in helping to limit the length of cyber intrusions.
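The chain described above (network, then bypass switch, then NPB, then the inline IPS) can be modelled to show the two decisions that matter: the bypass switch's heartbeat-driven fail-over, and the NPB's filter that sends voice/video around the IPS. This is an added simulation written for this post, not code from Ixia or any product; the heartbeat timeout, the UDP port ranges used to stand in for voice/video, and the packet values are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    size: int    # bytes

@dataclass
class BypassSwitch:
    """Heartbeat-monitored bypass. If the inline tool misses heartbeats for longer
    than `timeout` seconds, or an operator pulls it for maintenance, traffic is
    routed around the tool (fail-open) or blocked (fail-closed)."""
    timeout: float
    fail_open: bool = True
    last_heartbeat: float = 0.0
    maintenance: bool = False

    def tool_healthy(self, now: float) -> bool:
        return not self.maintenance and (now - self.last_heartbeat) <= self.timeout

    def route(self, now: float) -> str:
        if self.tool_healthy(now):
            return "tool_path"
        return "bypass" if self.fail_open else "drop"

class PacketBroker:
    """NPB filter: flows matching an exclusion rule go straight back to the
    network instead of loading the IPS; everything else is sent to the IPS."""
    def __init__(self, exclude_rules):
        self.exclude_rules = exclude_rules  # [(proto, (low_port, high_port)), ...]

    def excluded(self, pkt: Packet) -> bool:
        return any(pkt.proto == proto and lo <= pkt.dport <= hi
                   for proto, (lo, hi) in self.exclude_rules)

    def route(self, pkt: Packet) -> str:
        return "network" if self.excluded(pkt) else "ips"

def process(packets, bypass: BypassSwitch, npb: PacketBroker, now: float):
    """Return each packet's destination and the byte load that reached the IPS."""
    path = bypass.route(now)
    decisions, ips_bytes = [], 0
    for pkt in packets:
        dest = path if path != "tool_path" else npb.route(pkt)
        if dest == "ips":
            ips_bytes += pkt.size
        decisions.append(dest)
    return decisions, ips_bytes

# Constructed sample traffic and an NPB rule set that diverts SIP and an RTP
# media range (assumed voice/video) around the IPS.
SAMPLE = [Packet("tcp", 443, 1500), Packet("udp", 20000, 200), Packet("udp", 5060, 400)]
VOICE_VIDEO = PacketBroker([("udp", (5060, 5061)), ("udp", (16384, 32767))])
```

With a healthy heartbeat only the HTTPS packet reaches the IPS; once the heartbeat lapses the switch sends all traffic around the tool, or drops it when configured fail-closed.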
If you’re looking for more information on inline security solutions, check out this webinar and whitepaper.