Financial Service Technology America
Visibly transform security

NetWitness | www.netwitness.com


Cyber security has held a heightened level of attention in the media. WikiLeaks and its aftermath, Stuxnet, Aurora, and other attacks against corporate and government entities have clearly demonstrated the increasing sophistication of adversaries. Emerging network-based threats initiated by state-sponsored actors and organized criminal communities combine technical and social obfuscation techniques to evade current prevention-based security controls entirely.

Facing this level of sophistication, enterprises can no longer afford to wait months, weeks, or even days before new threat vectors are identified and made public. According to the Growing Risk of Advanced Threats study by the Ponemon Institute, 80 percent of respondents said it takes a day or longer to detect an advanced threat and 46 percent said it takes 30 days or longer. If an information security strategy involves waiting until security vendors release signature updates or software vendors release patches to close the gap on exposed vulnerabilities, the enterprise is already compromised.

Today's enterprises employ a variety of preventative security tools that are perimeter-based, operate primarily at Layers 3 and 4, and require signatures or foreknowledge of an attack before action can be taken. These network defenses do not provide adequate visibility into the current threat landscape, nor do they allow a security team to be nimble in its response. Combating advanced threats requires a new strategy with more focus on detection than prevention.

For detection of advanced problems, such as zero-day malware, command and control traffic and sensitive data exfiltration, enterprises need complete visibility into what is happening across the network at all times. This can only be achieved through a network security monitoring capability that accurately analyzes all network traffic, fuses external threat intelligence, and gathers data generated by applications, networks, users, and security systems in real-time. This capability includes the requirement for visibility into threats and encrypted malicious traffic hiding in approved traffic types, and using approved ports and services.
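To make the detection goal above concrete, here is an added example (not NetWitness code, and not from the original article) that runs two simple detections over constructed connection-summary records of the kind a monitoring capability can derive from full packet capture: periodic low-volume connections to one destination on an approved port (a command-and-control beaconing pattern) and a single destination receiving an unusually large volume of outbound data on that same port (a bulk exfiltration pattern). The record layout, thresholds, addresses and sample data are all assumptions made for this illustration.

```python
"""Added example: beaconing and bulk-egress detection over constructed
connection records on an approved port (TCP/443). Not NetWitness code; the
record format, thresholds and sample data are assumptions for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, src, dst, dst port, bytes out).
FLOWS = [
    # Host A contacts 203.0.113.10:443 roughly every 300 s with tiny payloads.
    (1000, "10.0.0.5", "203.0.113.10", 443, 520),
    (1300, "10.0.0.5", "203.0.113.10", 443, 530),
    (1601, "10.0.0.5", "203.0.113.10", 443, 515),
    (1899, "10.0.0.5", "203.0.113.10", 443, 525),
    (2200, "10.0.0.5", "203.0.113.10", 443, 520),
    (2501, "10.0.0.5", "203.0.113.10", 443, 518),
    # Host B shows ordinary, irregular browsing to a content host.
    (1010, "10.0.0.7", "198.51.100.20", 443, 4000),
    (1100, "10.0.0.7", "198.51.100.20", 443, 12000),
    (1700, "10.0.0.7", "198.51.100.20", 443, 900),
    (2650, "10.0.0.7", "198.51.100.20", 443, 3000),
    (2700, "10.0.0.7", "198.51.100.20", 443, 7000),
    (2710, "10.0.0.7", "198.51.100.20", 443, 1500),
    # Host C pushes 120 MB to one destination in a single session.
    (1500, "10.0.0.9", "203.0.113.44", 443, 120_000_000),
]


def find_beacons(flows, min_conns=5, max_jitter=0.1):
    """Flag (src, dst, port) tuples whose gaps between connections are nearly
    constant. Jitter is the population standard deviation of the gaps divided
    by their mean; a low value means a regular, timer-driven pattern."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        stamps_by_pair[(src, dst, port)].append(ts)
    hits = []
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        if len(stamps) < min_conns:
            continue
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"pair": pair, "connections": len(stamps),
                         "period_s": round(avg)})
    return hits


def find_bulk_egress(flows, threshold_bytes=50_000_000):
    """Flag (src, dst, port) tuples whose total outbound byte count exceeds the
    threshold, regardless of whether the port is an approved one."""
    bytes_by_pair = defaultdict(int)
    for _, src, dst, port, out in flows:
        bytes_by_pair[(src, dst, port)] += out
    return [{"pair": pair, "bytes_out": total}
            for pair, total in bytes_by_pair.items() if total >= threshold_bytes]


def report(flows):
    """Combine both detections into one list of findings for an analyst."""
    findings = [dict(kind="beacon", **h) for h in find_beacons(flows)]
    findings += [dict(kind="bulk_egress", **h) for h in find_bulk_egress(flows)]
    return findings


if __name__ == "__main__":
    for finding in report(FLOWS):
        print(finding)
```

Both detections work entirely from metadata about traffic on an approved port, which is the point of the paragraph above: neither a signature nor a blocked port is involved, so a perimeter device would pass all of this traffic. The thresholds here are deliberately simple; in practice they are tuned per environment and the findings are enriched with the reconstructed sessions before an analyst acts on them.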

Many seasoned security experts have used network data for forensics purposes for years. Historically, most network forensics work has been small-scale, post-facto analysis in support of incident investigations or, less frequently, part of an organized cyber threat intelligence team. Since then, automated threat intelligence and real-time network forensics have grown to be critical components of defense-in-depth and continuous network security monitoring strategies. During the last few years, top security teams across critical infrastructure sectors such as communications, financial services and government have adopted real-time network security monitoring as an absolute requirement for day-to-day security operations.

Network security monitoring is not the same as log management or security information and event management (SIEM). Those tools are valuable to the extent that their data sources carry useful information and are properly integrated, but they lack event context. With network security monitoring, the security team works with full packet data, the richest network data available, which supports traffic reconstruction and provides context and content for all other data sources. Forward-thinking organizations have benefited from integrating their SIEM with a network security monitoring capability to create actionable real-time analytics that drive more effective and efficient remediation efforts and support the organization's security objectives.

A successful strategy against cyber threats begins with the recognition that your organization will be compromised. The challenge is to develop a comprehensive network security monitoring program that combines the best aspects of existing investments with innovative approaches to network visibility and data analysis, so as to achieve real-time, precise advanced threat detection and incident response. Real-time network security monitoring gives security practitioners a new and powerful capability to obtain the visibility and agility necessary to confront complex IT security issues. With it, practitioners can dramatically improve existing incident management, investigations, and overall security operations, and gain a powerful advantage in mitigating significant risks to the organization.

About

Allan Carey is currently Director of Product Marketing at NetWitness, creator of the enterprise standard in network monitoring. He has previously advised Fortune 1000 organizations on information security strategies through in-depth market analysis and industry intelligence.

