How Government Agencies Can Improve Security Threat Response
Network modernization initiatives require that government agencies review their current architectures and augment those architectures as needed. Part of the modernization effort includes infrastructure, but an equal, possibly even larger, focus should be placed on the underlying architecture itself. For instance, is there a visibility architecture in place to capture the necessary security data? This matters because you cannot detect an indicator of compromise if you aren’t seeing the requisite data in the first place: there is nowhere to look, so you will miss it almost every time.
There are four actions that government agencies, and almost all enterprises for that matter, should consider to strengthen their network security architecture and mitigate cyber threats. These actions will accelerate security data acquisition and reduce manual processes. In addition, most IT departments should be able to realize more agile security response.
These actions are:
- Maximize intrusion prevention by updating perimeter threat detection technology
- Enhance real-time inspection of suspicious data
- Simplify the data capture and analysis process
- Automate responses to remove time delays in manual processes
While it is important to be able to identify threats, you also need the ability to pivot and mitigate once an attack or breach is recognized. Focusing on the four actions above lets you do both.
For instance, threat intelligence gateways have been proven to reduce false positive security alerts. This is accomplished by pre-filtering known bad IP addresses and traffic from untrusted countries and removing it. This can be performed before or just after the data hits your firewall. This stops unwanted traffic from entering your network. By blocking large volumes of traffic based on IP address, location, and bad behavior, your security architecture performance is enhanced, which reduces your team’s “alert fatigue.”
In addition, most enterprise applications are now encrypted using the secure sockets layer (SSL) standard, or its updated version, transport layer security (TLS), to thwart security attacks and hackers. Unfortunately, bad actors have adapted to these defenses and are using encrypted data to their advantage. To counter this threat, encrypted data should be decrypted at the edge of the network so that data inspection tools can see hidden malware in real time.
A third consideration is that monitoring data is often collected at multiple points within the network and from multiple types of devices (test access point (tap), switched port analyzer (SPAN), bypass switch, etc.). Since the data coming in from these devices is often unfiltered or minimally filtered, at least some of it will need to be filtered before being sent on to the appropriate monitoring tool. Filtering means only the “right” information is sent to the tools, and data can be segmented so that only certain pieces of information go to specific tools. A network packet broker (NPB) is a specialized filtering device that makes this objective easy. It also performs aggregation, load balancing, and packet manipulation.
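The two mechanisms above, the threat intelligence gateway pre-filter and the packet broker's rule-based segmentation of traffic to specific tools, can be shown together in a small script. The following is an added illustration, not code from the original article or from any vendor product; the blocklist, country codes, flow records and tool names are all constructed placeholders, and the matching order (blocklisted IP first, then untrusted country, then first-match routing rules) is an assumption about how such a policy would be written.

```python
"""Added illustration: threat-feed pre-filter followed by packet-broker style routing.
All feed entries, countries and flow records below are constructed placeholders."""
import ipaddress
from collections import Counter

# Constructed threat feed: single hosts and CIDR blocks from documentation ranges.
# These are placeholders, not real indicators of compromise.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed policy: country codes the agency has chosen not to accept traffic from.
UNTRUSTED_COUNTRIES = {"XX", "YY"}

# Constructed flow records, shaped like what a tap/SPAN feed might produce
# after a geolocation lookup has tagged each source.
SAMPLE_FLOWS = [
    {"src": "203.0.113.45", "dst": "10.0.0.5",  "dport": 443, "country": "US"},
    {"src": "192.0.2.10",   "dst": "10.0.0.5",  "dport": 443, "country": "US"},
    {"src": "192.0.2.11",   "dst": "10.0.0.8",  "dport": 80,  "country": "XX"},
    {"src": "198.51.100.7", "dst": "10.0.0.9",  "dport": 22,  "country": "DE"},
    {"src": "192.0.2.12",   "dst": "10.0.0.9",  "dport": 22,  "country": "DE"},
    {"src": "192.0.2.13",   "dst": "10.0.0.10", "dport": 53,  "country": "FR"},
]


def prefilter(flows, blocklist=BLOCKLIST, untrusted=UNTRUSTED_COUNTRIES):
    """Gateway stage: split flows into (passed, dropped).

    Each dropped entry is a (flow, reason) pair so the drop counts can be
    reported without ever forwarding the flow to a downstream tool.
    """
    passed, dropped = [], []
    for flow in flows:
        src = ipaddress.ip_address(flow["src"])
        if any(src in net for net in blocklist):
            dropped.append((flow, "blocklisted-ip"))
        elif flow["country"] in untrusted:
            dropped.append((flow, "untrusted-country"))
        else:
            passed.append(flow)
    return passed, dropped


# Packet-broker stage: ordered filter rules, first match wins. The final
# catch-all ensures every surviving flow still reaches at least one tool.
ROUTING_RULES = [
    ("tls-inspection", lambda f: f["dport"] == 443),
    ("ssh-monitor",    lambda f: f["dport"] == 22),
    ("ids",            lambda f: True),
]


def route(flows, rules=ROUTING_RULES):
    """Return a mapping of tool name -> list of flows delivered to that tool."""
    delivered = {tool: [] for tool, _ in rules}
    for flow in flows:
        for tool, matches in rules:
            if matches(flow):
                delivered[tool].append(flow)
                break
    return delivered


def summarize(flows):
    """Run both stages and return counts a SOC dashboard could display."""
    passed, dropped = prefilter(flows)
    delivered = route(passed)
    return {
        "input": len(flows),
        "dropped": Counter(reason for _, reason in dropped),
        "to_tools": {tool: len(fs) for tool, fs in delivered.items()},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

On the constructed data, three of the six flows are discarded before any inspection tool sees them, and the remaining three are each steered to exactly one tool. The point of the two-stage structure is the one the article makes: everything removed at the gateway is load (and potential alerts) that the downstream tools never have to process, and the broker rules decide which tool sees which slice of what is left.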
Finally, one of the most powerful, but often overlooked, features for data center automation is automating the network packet broker. In this case, automation means packet brokers can initiate functions (e.g., apply filters, add connections to more tools, etc.) in response to external commands. Automation of network monitoring allows you to align your tools with dynamic network changes to increase operational efficiencies and create an adaptive monitoring environment.
If you want more information on this topic or network visibility solutions, check out the whitepaper A Four Step Approach to Improve Security Threat Response and the ebook The Definitive Guide to Network Visibility Use Cases.