Keith Bromley
Sr. Manager, Product Marketing at Ixia
Blog

Network Security Resilience Reduces Breach Risk and Cost

August 21, 2018 by Keith Bromley

It has been stated many times that for most companies it’s not a question of IF you will be breached, but when. The good news is that being forewarned makes you forearmed. So now that you know, what will you do about it? Doing nothing won’t help your company and it won’t help your career either.

Common wisdom says that you should invest millions more of company money into more equipment to prevent hackers from breaching your system. While it is important to make your IT defenses as strong as possible, there also comes a point of rapidly diminishing financial returns. Basically, every dollar invested yields pennies (not dollars) in return.

An alternative (companion) approach is to accept that some bad actor will make it through any defenses you throw at them. Once you make this mind shift, now you can focus on deploying network security resilience. I have spoken about this topic before and you can read a couple whitepapers (Security Resilience—The Paradigm Shift is Here and Best Practices for Security Resilience) on the topic as well. A video podcast on the topic is also available.

Network security resilience allows you to create an architecture to minimize the damage and cost that a bad actor can accomplish. The great thing is, there are lots of activities you can implement to help your company out in this area. Here are some examples:

  • Capture and filter monitoring data, and then send that data to a purpose-built device(s) to look at traffic patterns and indicators of compromise (IOC)
  • Use automation to improve response times for data captures and limit/prevent exfiltration of data
  • Use threat simulation capabilities in your security lab to understand better how new threats behave
  • Thoroughly test your security fixes and run “what if” scenarios to validate that you have the right fix
  • Conduct ongoing cyber range training to keep IT personnel skills up to date to recognize specific attack signatures and attack vectors faster

The first thing to do is to limit the amount of time of intrusion. The average length of time from intrusion to identification is 191 days, according to the Ponemon Institute’s 2017 Cost of Cyber Crime Study. This timeframe needs to be shortened. Just adding taps and a network packet broker allows you to quickly and easily capture and filter key monitoring data. That data can then be sent to a purpose-built device(s) to look at traffic patterns and indicators of compromise (IOC) to limit the amount of time that the intruder goes unnoticed in your network. Even if you reduce the time of intrusion from 191 days to 30 days (which is still a lot), you have decreased the time from intrusion to detection by about 84%.

Application intelligence capabilities (like AppStack) can be used to identify the applications running on your network and the geolocation of data transfers within your network. For instance, maybe there is someone in Eastern Europe that has connected to your network, then connected to your FTP server in Dallas and is transferring data back to Eastern Europe. If you have no authorized users in that geographic area, this is suspicious and could very well be an indicator of compromise. Furthermore, with visual dashboards, it’s pretty easy to spot.

Automation is another key activity. Once the packet broker is installed, you can connect a RESTful interface to a SIEM or other device. This allows those devices to send commands to the packet broker and automate the creation of specific data captures. Eliminating manual intervention delays speeds up data threat identification dramatically.

Active SSL decryption is another activity that should be considered. While there is some effort involved to set this capability up. Over 50% of malware threats are now hidden by encryption. This is a huge potential risk that can be reduced by deploying decryption solutions (like SecureStack).

Another form of automation is to implement threat intelligence gateways (like ThreatARMOR) that receive constant known bad IP address updates. This means that should a bad actor find a way into the network, a new updated list of known bad IP address may identify communications coming or going to that address and immediately kill that transmission path. So, a bad actor may get in but hopefully you can prevent the exfiltration of data to that entity. If so, you have now just prevented an intrusion from becoming a breach.

Once you have captured suspicious data and identified suspicious behavior, security threat testers (like BreakingPoint) can be used to help identify the type of attack and how it would behave. This allows you track down potentially hidden code (malware) deposited by the attack that might have otherwise gone unnoticed. You can also use the threat testers to test your security fix to see if it will actually stop a repeat attack in the future, i.e. validate that there was nothing missed in your design before you roll it out network wide.

Cyber range training is another good activity to keep IT personnel skills up. Despite the name, this activity is not just for the military or government agencies. Enterprises can, and should, conduct regular training to help reduce intrusions and the cost associated with a breach. Purchasing a training service is a good way to reduce the cost of this type of activity, which is miniscule compared to the cost of a breach.

You can get more information about what Network Security Resilience is from this whitepaper. You can also read this whitepaper on Best Practices for Security Resilience. A third resource provides some examples on how to reduce breach risk and cost with security resilience. A video podcast on the topic is also available.