
Time to rethink network security

In December, McAfee Labs reported that in addition to cloud-based and social media threats, the rapidly growing mobile platform will “draw the lion's share of threat innovation.” According to Arbor Networks, there was a 350 percent growth in the number of distributed denial-of-service (DDoS) attacks monitored at over 20Gb/sec in the first three quarters of 2013.

To confirm this very real threat, CloudFlare reported that its network had been hit by a 400Gbps NTP amplification DDoS attack, the largest attack to date using NTP amplification. The company stated that it has seen this method of attack grow dramatically over the past six months, posing a significant new threat to the web.

As these examples illustrate, network security continues to be a growing problem in the IT industry. The very trends that have revolutionized users' access to data are the same ones that are leaving networks vulnerable to attacks by cyber criminals. No single security product can fully defend against all network intrusions, but a smart combination of existing products can provide a more flexible solution. IT administrators must examine all avenues to ensure that network monitoring and security appliances are working at full capacity to monitor, detect and halt potential attacks.

Cloud computing, Big Data analysis and mobility are three recent trends in the IT industry that, while improving the efficiency and effectiveness of digital services, have also generated significant threats to network security. Cloud computing centralizes data and makes it accessible anytime, anywhere. Unfortunately, it also provides cyber criminals with fewer, and more valuable, targets. Big Data analysis offers a sophisticated overview of complex information; however, such a wealth of sensitive information in a centralized location provides an irresistible target for miscreants. Mobility allows convenience; it permits users to access data on the network from a variety of devices. But it has become painfully clear to enterprises around the world that those devices also severely compromise network security.

With increasing data availability, cyber attacks are becoming more common every year. Evidenced by the CloudFlare event, cyber criminals are becoming smarter, innovating new methods to penetrate defenses and often using several different kinds of attacks in combination.

To successfully defend against this, a holistic view is required to provide administrators with a complete overview of the security solutions running on the network. Today, it has become necessary to monitor how the network is behaving to ensure that no attacks have penetrated the security solutions in place. To do this successfully, these solutions must be capable of monitoring and reacting in real time.

Most networks already have monitoring appliances in place, such as a firewall, an intrusion detection or prevention system (IDS/IPS) or data loss prevention (DLP) application. Some products that consolidate these methods into one appliance include universal threat management (UTM) and next-generation firewalls, but single point solutions can only ever address one part of the problem at a time.

Another solution to network security uses the concept of security information and event management (SIEM) which is based on the centralization of information from both network and security appliances to provide a holistic view of security. This is a real-time solution, constantly monitoring the network to detect any anomalies that might arise. That means that both network and security appliances need to be able to provide data on a real-time basis to ensure that anomalies are detected the moment they occur. This, in turn, means that each of the appliances must be capable of keeping up with growing data loads and speeds.

One of the easiest ways of disrupting the security of the network is to overload the security and network monitoring appliances, such as using a DDoS attack to render the centralized SIEM system blind. This is a real threat if these appliances are not capable of operating at full throughput. 

Best practices today for securing the massive throughput of data on the network suggest the use of intelligent network adapters in both network monitoring and security appliances to guarantee full throughput under maximum load. By deploying adapters that can scale network throughput and combine different port speeds, the data can then be intelligently distributed to one, or multiple, security or network monitoring applications running on the same physical server, without compromising CPU performance.

The information from network and application monitoring applications can then be used to build network behavior profiles. The administrator can then utilize real-time information on network and application usage to detect anomalies as they occur. These anomalies can then be compared to data from security appliances to identify if an attack is underway.
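One way to turn the behaviour-profile idea above into a concrete check, as an added example that is not code from the article or from any vendor's product: a per-protocol volume baseline is built from quiet intervals, the current interval is compared against it, and any deviation is correlated with alerts from a security appliance. The flow records, the current interval (shaped like the NTP amplification flood described earlier) and the appliance alert are all constructed, and the 5x threshold is an assumed tuning value.

```python
"""Baseline-and-deviation anomaly check over constructed flow records.

Added example, not from the original article. Assumes a collector exports flow
records as (interval, protocol, dst_port, bytes); all data below is constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed baseline: five quiet one-minute intervals of typical traffic.
BASELINE_FLOWS = [
    (i, proto, port, size)
    for i in range(5)
    for proto, port, size in (("tcp", 443, 900_000), ("tcp", 80, 400_000),
                              ("udp", 53, 50_000), ("udp", 123, 2_000))
]
# Constructed "current" interval: udp/123 (NTP) volume is ~100x the baseline,
# the shape an NTP amplification flood presents to the monitored link.
CURRENT_FLOWS = [(5, "tcp", 443, 950_000), (5, "tcp", 80, 380_000),
                 (5, "udp", 53, 52_000), (5, "udp", 123, 200_000)]
# Constructed alert from a security appliance (e.g. an IDS), keyed like flows.
APPLIANCE_ALERTS = {("udp", 123): "NTP amplification response flood"}


def build_profile(flows):
    """Mean bytes per interval for each (protocol, dst_port) key."""
    per_key = defaultdict(lambda: defaultdict(int))
    for interval, proto, port, size in flows:
        per_key[(proto, port)][interval] += size
    return {key: mean(by_interval.values()) for key, by_interval in per_key.items()}


def detect_anomalies(profile, flows, min_factor=5.0):
    """Return {key: ratio} for keys whose current volume is >= min_factor times
    the baseline mean. A ratio is used instead of a z-score so that a baseline
    with zero variance (common in short samples) cannot cause a division error;
    traffic with no baseline at all is reported with an infinite ratio."""
    current = defaultdict(int)
    for _, proto, port, size in flows:
        current[(proto, port)] += size
    flagged = {}
    for key, total in current.items():
        base = profile.get(key, 0)
        ratio = total / base if base else float("inf")
        if ratio >= min_factor:
            flagged[key] = ratio
    return flagged


def correlate(anomalies, alerts):
    """Pair each anomaly with appliance evidence: confirmed if an alert exists."""
    return {k: ("confirmed", alerts[k]) if k in alerts else ("unconfirmed", None)
            for k in anomalies}


if __name__ == "__main__":
    found = detect_anomalies(build_profile(BASELINE_FLOWS), CURRENT_FLOWS)
    print(correlate(found, APPLIANCE_ALERTS))
```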

Cyber attacks will only continue to increase. The adoption of cloud computing, Big Data analysis and mobility, while improving efficiency, has unfortunately exposed critical vulnerabilities in networks. By utilizing SIEM systems on standard servers with intelligent network adapters, OEM vendors are able to provide solutions that can identify and respond immediately to any detected anomalies in the network.

By focusing on data delivery and scalable performance and implementing monitoring and security appliances intelligently, network administrators are able to build centralized security solutions that can help protect networks in the years to come.
