What Is Network Security Resilience – Part 1
It’s not a question of IF your network will be breached, but WHEN. News broadcasts over the last several years have shown that most enterprise networks will be hacked at some point. In addition, it usually takes IT departments months to notice the intrusion: over six months, according to the Ponemon Institute. Recent breaches (like Panera Bread Company, which was breached for 8 months, and Saks 5th Avenue and Lord & Taylor, which were breached for around 1 year) are clear examples of this. Unfortunately, this gives hackers plenty of time to find what they want and exfiltrate whatever information they want.
This means that traditional security defense models are failing. Since some might take issue with this statement, here are some interesting statistics that I have found. Hopefully none of this comes as a surprise to you.
- In 2017, the Identity Theft Resource Center counted 1,579 U.S. breaches, up 45% from 2016 [1]
- 80% of cybersecurity and IT experts anticipate a “catastrophic” data breach at their companies by 2021 [2]
- Only 30% of businesses have a cyber defense plan [3]
- Only 19% of businesses are highly confident in their organization’s ability to mitigate and respond to a cyber event [3]
- The average length of time from intrusion to identification is 191 days [4]
- 57% of breached companies have to be informed of the breach by someone else (law enforcement, business partners, customers) [5]
- 68% of breaches happen over the course of days [6]
- 2017 cyber breach costs increased 22.7% over 2016 [4]
As the first bullet indicates, security breaches are up 45%. In addition, 80% of cybersecurity experts expect a catastrophic data breach at their companies by 2021. At the same time, only 30% of businesses have a solid cyber defense plan and only 19% are confident that they can correctly recognize an attack in real time and stop any damage from being done. What is even worse is that the average time from intrusion to detection is 191 days. As mentioned earlier, Panera Bread Company was breached for 8 months and Saks 5th Avenue was breached for almost a full year. In addition, over half of the victimized companies never discovered the breach themselves. That’s right. A strong majority of businesses have to be informed by a 3rd party, like the police or their customers, that they have been breached. Now that’s a scary proposition.
The second to last bullet is also an interesting one. Consider this: according to the 2016 Verizon DBIR report, almost 68% of breaches happen over the course of several days. Let me repeat that, breaches happen over the course of days. It’s not just a single short-term incident, but often a long-term campaign. This means that a rapid response to security threats could help minimize the cost of a breach by stopping the ongoing infiltration in a shorter period of time. Unfortunately, this isn’t the norm. As I just mentioned, the average time for breach detection is 191 days. This gives the intruder plenty of time to do their dirty work and exfiltrate any data they want.
What if you could reduce that time to 1 month, i.e. cut it to 1/6 of the time? Or maybe reduce it further to one week, or maybe just one day? What if you could go further? Would that be of interest to you?
Let’s suppose you say yes. What can you do to minimize your corporate risk and the cost of a breach? Nothing is foolproof, but there are some activities you can implement to help. One new approach proposed by Keysight Technologies and others is to create a resilient security architecture model. The intent is to create a solution that gets the network back up and running (after a breach has occurred) as fast as possible. While prevention should always be a key security architecture goal, a resilient architecture tactic focuses on recognizing the breach, investigating the breach, and then remediating any damage as fast as possible.
Typical security defenses have focused on the following items: firewalls and basic access list restrictions, inline devices like IPSs and WAFs, SSL decryption of suspect packet data, out-of-band security tools like DLPs, IDSs and SIEMs, and then penetration testing. These protection mechanisms are geared around network access and architecture vulnerabilities. And these are good activities. But the net needs to be widened.
Access restriction is a good thing, whether you implement blacklisting or whitelisting. Strengthening the network against vulnerabilities is also a good thing. However, there are a couple of other things to include in your architecture, like addressing policies and procedures. You need clear policies and enforcement of those policies with formalized procedures.
Another key ingredient is monitoring and auditing. You need to capture and analyze data from key portions of the network. What’s also important is that you create a coordinated plan to perform this. Network visibility is integral to network security. Basically, you can’t defend against things you can’t see or measure.
Once you put all four of these building blocks together, you’ll start to create a formidable architecture. Now we all know it gets more complicated as you drill down into the details, but we’ve talked to many engineers who haven’t even considered some of the basics I just mentioned here.
Okay, so now you’ve created your basic outline for your architecture. What do you plan to implement? For instance, there are all sorts of components and policies you can implement. But to what end?
If you look at security architectures in a simplistic way, you’ll find that there are some basic categories. There are three common ones that I see. The first is a “best effort” approach. Either the security engineer, executive or someone has said, “We need to install some level of security.” This typically involves implementing firewalls, some basic security components, and maybe some basic auditing and monitoring.
The next rung up the ladder is regulatory compliance. This is often an executive-level initiative. The thought here is that business needs compel the company to be compliant with PCI, HIPAA or some other standard. The further thought is that this should make the security architecture even more robust. Unfortunately, while compliance may be necessary for auditing purposes, it does not guarantee security.
The third level is essentially the defensive approach: “I’m going to make this network so secure that no one is going to break into it.” This is when all those inline and out-of-band devices are deployed. You can even create defense in depth strategies for prevention. For instance, if someone gets through Port 80 on the firewall, the next step is to challenge the data with DPI (deep packet inspection). There are other things you can do as well, like implementing prevention, detection and response processes.
Unfortunately, these architectures all have at least one thing in common: they can be and are being breached. Look at the stats we went over earlier. Networks are being breached with no sign of a slowdown. Something else is needed.
This is where a resilient security architecture approach can help. Resilience means the ability of an entity to return to its original form after being bent, stretched or compressed. From our perspective, we are specifically talking about the ability of an IT network to recover to normal, steady state operations after a security attack and breach have occurred. It’s not really new, but at the same time, it doesn’t get as much attention as the defensive approach and all these new defensive capabilities like Blockchain or whatever. However, from the perspective of a breach, security resilience is one of the most important activities you will ever perform because the “time to observance” and “time to remediation” can be reduced. In short, you get attacked, defenses get breached, the network is compromised, the threat is discovered, the damage is fixed, and then the network is secure again.
A “resilient approach” allows you to:
- Strengthen your capabilities to defend against attacks
- Maximize your ability to rebound from an attack
- And minimize the severity and cost of security breaches
Here is a visual illustration of all four architectures:
Network security resilience, then, is the set of activities that can be conducted to help the network after the breach happens. So, to be clear, the best effort, compliance, and defensive strategies we talked about earlier are all focused on preventing a breach. This security resilience strategy is about “after breach” activities.
The specific activities are too lengthy to discuss in detail here, but they essentially include:
- Deploy threat intelligence gateways to prevent the exfiltration of data to known bad IP addresses
- Use application intelligence to help find indicators of compromise (IOC)
- Decrypt SSL-based monitoring data with a network packet broker (NPB) to distribute data to forensic tools for faster analysis
- Implement adaptive monitoring using the automation capabilities of an NPB to respond to SIEM instructions in near real time to pass suspect monitoring data to data loss prevention (DLP) tools for analysis
- Install a security attack replay capability to capture security data and view it in the lab to acquire a tactical analysis of how breaches took place
- Conduct cyber range training so security engineers can recognize threats faster and practice responding to them properly
- Use threat simulation capabilities in your security lab to understand better how new threats behave
- Capture and filter monitoring data, and then send that data to a purpose-built device to look at traffic patterns and IOC
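As an added illustration (not code from the original post or from any Keysight product), here is the logic behind the first and last bullets above: match captured egress flow records against a threat-intelligence list of known bad IP ranges, aggregate the volume per destination so bulk exfiltration stands out, and record the earliest hit, which is the point “time to observance” is measured from. All indicator ranges, internal ranges and flow records are constructed placeholders using RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed threat-intelligence list (placeholder documentation addresses, not real indicators).
THREAT_INTEL = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# RFC 1918 ranges define "inside" so only egress (inside -> outside) flows are considered.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("2018-05-01T02:00:00Z", "10.1.4.22", "203.0.113.45", 443, 48_000_000),
    ("2018-05-01T02:05:00Z", "10.1.4.22", "203.0.113.45", 443, 52_000_000),
    ("2018-05-01T09:10:00Z", "10.1.7.9", "192.0.2.10", 443, 120_000),        # benign external site
    ("2018-05-01T09:11:00Z", "203.0.113.45", "10.1.4.22", 51000, 2_000),     # inbound, not egress
    ("2018-05-01T11:30:00Z", "192.168.3.3", "198.51.100.7", 53, 900),
]

def _in_any(ip, networks):
    return any(ip in net for net in networks)

def is_egress(src, dst):
    """Egress = an internal source talking to an external destination."""
    return _in_any(src, INTERNAL) and not _in_any(dst, INTERNAL)

def match_flows(flows, threat_intel=THREAT_INTEL):
    """Return the egress flows whose destination hits a threat-intel indicator."""
    hits = []
    for ts, src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if is_egress(s, d) and _in_any(d, threat_intel):
            hits.append({"ts": ts, "src": src, "dst": dst, "port": port, "bytes": nbytes})
    return hits

def volume_by_destination(hits):
    """Aggregate bytes per (src, dst) pair so bulk transfers to one indicator stand out."""
    totals = defaultdict(int)
    for h in hits:
        totals[(h["src"], h["dst"])] += h["bytes"]
    return dict(totals)

def first_seen(hits):
    """Earliest matching flow (ISO-8601 strings sort chronologically)."""
    return min(h["ts"] for h in hits) if hits else None

if __name__ == "__main__":
    hits = match_flows(FLOWS)
    for h in hits:
        print(f"BLOCK/ALERT {h['ts']} {h['src']} -> {h['dst']}:{h['port']} {h['bytes']} bytes")
    print("volume per pair:", volume_by_destination(hits))
    print("first seen:", first_seen(hits))
```

A gateway would act on each hit (drop and alert); the aggregate and first-seen values are what a SIEM or forensic tool would use to scope how long and how much was exfiltrated.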
You can get more information about Network Security Resilience in this whitepaper. In part two of this blog, I’ll dive into the details and best practices of Network Security Resilience. You can also read the whitepaper on Best Practices for Security Resilience.
1. 2017 Annual Data Breach Year-end Review. Identity Theft Resource Center. Jan. 2018.
2. 2018 Study on Global Megatrends in Cybersecurity. Ponemon Institute. Feb. 2018.
3. By the Numbers: Global Cyber Risk Perception Survey. Marsh and Microsoft. Feb. 2018.
4. 2017 Cost of Cyber Crime Study. Ponemon Institute. 2017.
5. 2017 Trustwave Global Security Report. Trustwave. 2017.
6. 2016 Data Breach Investigations Report (DBIR). Verizon. 2016.