Just as bacteria evolve around the technological barriers we put in their place, so too do the tactics and strategies employed by computer attackers. When a security measure is put in place, our enemies immediately set out to exploit its weakness. When they are repelled, they adapt their tactics and strategies, regroup and come back yet again.
There has also been an evolution in terms of intent and impact for electronic attackers. The intent has shifted from one of vandalism and joy-riding to that of financial gain. This shift has been accompanied by the organization of the attackers from that of individuals to international crime rings.
Is your enterprise network ready to answer these challenges?
Just as the terrorist threat has evolved and become more deadly in recent years, so too has the threat to enterprise networks. In the same way that security measures are being reconsidered in major cities around the world, enterprise CSOs and security gurus are realizing that the patchwork of point solutions they have deployed is no longer sufficient to defend against today's increasingly sophisticated attacks.
While security has always been a prime concern, the emergence of botnets and zero-day threats is exacerbating the need for real-time network performance and security solutions.
What is required today is a comprehensive approach that protects the enterprise from the edge of its network all the way through to the core of its data center, providing network-wide visibility and actionable intelligence. Like our national security initiatives, information security needs to take a risk management approach that not only provides protection from attacks but also the ability to identify and defeat threats before they strike.
Network Behavior Analysis
While the notion of profiling as a security tool is up for debate among politicians, information security professionals have reached consensus, and have subsequently developed an entire market segment around this very idea.
This emerging approach is called network behavior analysis, or NBA. It analyzes the patterns of behavior on an enterprise network so that anomalies can be detected and acted on as they occur. NBA identifies the relationships between users, machines and applications and provides the visibility required to spot traffic shifts, floods, off-hours application usage and unauthorized network access, so that threats can be identified and contained before the network is affected.
Having this ability to proactively respond to emerging threats is paramount, especially when pitted against a threat - such as the one presented by botnets - capable of constantly adapting tactics in an effort to out-flank an enterprise's security measures.
Just as the collaborative sharing of information between different groups can go a long way toward mitigating the risk of physical threats, the same is true in warding off threats aimed at a network. NBA systems work with other elements of the network - from many different providers - so that they can accurately analyze network traffic data and provide both deterministic (signature) and non-deterministic (anomaly) threat detection.
Fortunately, NBA is emerging at a critical time for enterprise networks. The perimeter is well protected by firewalls and intrusion prevention systems (IPS), but until the emergence of NBA, threats that originate or spread inside the perimeter have left enterprises increasingly vulnerable.
In a December 2005 report on the emergence of NBA, Gartner analyst Paul Proctor noted, "after an organization has successfully deployed firewalls and intrusion prevention systems (IPSs) with appropriate processes for tuning, analysis and remediation, they should consider network behavior analysis (NBA) to identify network events and behaviors that are undetectable using other techniques."
Proctor went on to position NBA as, "a last line of defense when preventive tools, such as firewalls and IPSs, fail to stop the real-time exploitation of vulnerabilities. They can also be used to detect new applications, behavior and devices for investigation."
In this cat and mouse game, our enemies always look to exploit the weakest link in our defensive chain, which increasingly is from within. To protect this potential Achilles' heel, NBA solutions address the weakness by providing real-time actionable intelligence that enables enterprises to:
- Actively defend their networks before, during and after botnet army attacks and worm outbreaks
- Thwart distributed denial of service (DDoS) attacks
- Determine if application performance anomalies are causing network performance problems
- Detect and cut off phishing solicitations
- Detect and curb insider misuse
Who benefits from adopting NBA?
Network administrators, the first line of defense for enterprise networks, benefit greatly because they have more sophisticated tools at their disposal. NBA provides complete visibility into network activity, enabling them to compare that activity against a baseline of normal behavior. When an anomaly occurs, they can react quickly and put in place measures that prevent threats from developing into full-blown attacks. Additionally, they can respond more quickly to routine help requests because they have an effective remedy for dealing with security breaches inside the network.
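The baseline-and-deviation idea described above, together with the earlier point that NBA combines deterministic (signature) and non-deterministic (anomaly) detection, is easier to see in code than in prose. The following is an added illustration written for this article, not Arbor Networks code and not a description of any product's internals. It builds a per-host profile from a week of constructed NetFlow-style records (timestamp, source, destination, destination port, bytes) and then scores a later day's flows against it. The business-hours window, the z-score threshold, the fan-out floor and the single "known bad destination" signature are all assumptions chosen for the example; the addresses come from documentation ranges and carry no real-world meaning.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Flow record layout (NetFlow-like, constructed for this example):
# (iso_timestamp, src_ip, dst_ip, dst_port, bytes)

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local; an assumption for this example

# Deterministic rule set: (dst_ip, dst_port) -> label. Constructed, not real
# threat intelligence; addresses are from documentation ranges.
SIGNATURES = {
    ("198.51.100.7", 6667): "known IRC command-and-control rendezvous",
}


def constructed_baseline_flows():
    """Five business days of routine traffic for two workstations (constructed)."""
    sizes = [40_000, 52_000, 47_000, 61_000, 55_000, 49_000, 58_000, 44_000]
    flows = []
    for day in range(1, 6):
        for i, nbytes in enumerate(sizes):
            ts = f"2006-03-0{day}T{9 + i:02d}"
            flows.append((ts + ":00:00", "10.0.1.5", "10.0.0.10", 443, nbytes))
            flows.append((ts + ":30:00", "10.0.1.5", "10.0.0.20", 445, nbytes // 2))
            flows.append((ts + ":15:00", "10.0.1.6", "10.0.0.10", 443, nbytes))
    return flows


def constructed_observed_flows():
    """One later day mixing routine and suspicious traffic (constructed)."""
    flows = [
        ("2006-03-06T10:00:00", "10.0.1.5", "10.0.0.10", 443, 51_000),       # routine
        ("2006-03-06T02:15:00", "10.0.1.5", "203.0.113.9", 443, 2_400_000),  # off-hours bulk upload
        ("2006-03-06T11:00:00", "10.0.1.5", "198.51.100.7", 6667, 900),      # hits a signature
        ("2006-03-06T11:05:00", "10.0.1.77", "10.0.0.20", 445, 3_000),       # host never baselined
    ]
    # A workstation sweeping an internal subnet on 445: worm-like fan-out.
    for i in range(1, 13):
        flows.append((f"2006-03-06T12:00:{i:02d}", "10.0.1.6", f"10.0.2.{i}", 445, 120))
    return flows


def build_baseline(flows):
    """Per-source profile of 'normal': peers contacted, ports used, flow sizes."""
    profile = defaultdict(lambda: {"peers": set(), "ports": set(), "bytes": []})
    for _ts, src, dst, dport, nbytes in flows:
        p = profile[src]
        p["peers"].add(dst)
        p["ports"].add(dport)
        p["bytes"].append(nbytes)
    return dict(profile)


def analyze(flows, baseline, signatures=SIGNATURES, z_threshold=3.0, fanout_floor=10):
    """Return findings from signature matching and from deviation against the baseline."""
    findings = []
    observed_peers = defaultdict(set)

    def flag(ts, src, kind, detail):
        findings.append({"ts": ts, "src": src, "kind": kind, "detail": detail})

    for ts, src, dst, dport, nbytes in flows:
        observed_peers[src].add(dst)
        # Deterministic check: exact match against a known-bad destination.
        if (dst, dport) in signatures:
            flag(ts, src, "signature", f"{dst}:{dport} {signatures[(dst, dport)]}")
        profile = baseline.get(src)
        if profile is None:
            flag(ts, src, "unknown-host", "no baseline for this source")
            continue
        # Non-deterministic checks: deviation from this host's own history.
        if dst not in profile["peers"]:
            flag(ts, src, "new-peer", f"first contact with {dst}:{dport}")
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            flag(ts, src, "off-hours", f"{nbytes} bytes at {ts[11:16]}")
        mu, sigma = mean(profile["bytes"]), pstdev(profile["bytes"])
        if sigma and (nbytes - mu) / sigma > z_threshold:
            flag(ts, src, "volume", f"{nbytes} bytes vs mean {mu:.0f} (z={(nbytes - mu) / sigma:.1f})")

    # Window-level check: a host talking to far more peers than it ever did.
    for src, peers in observed_peers.items():
        usual = len(baseline.get(src, {"peers": ()})["peers"])
        if len(peers) > max(fanout_floor, 3 * usual):
            flag(None, src, "fan-out", f"{len(peers)} distinct peers vs {usual} in baseline")
    return findings


def summarize(findings):
    """Map each source host to the sorted list of finding kinds raised against it."""
    out = defaultdict(set)
    for f in findings:
        out[f["src"]].add(f["kind"])
    return {src: sorted(kinds) for src, kinds in out.items()}


def run_example():
    baseline = build_baseline(constructed_baseline_flows())
    return analyze(constructed_observed_flows(), baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['ts'] or 'window':19} {f['src']:10} {f['kind']:12} {f['detail']}")
```

Two design points are worth noting. The signature check and the anomaly checks run over the same flow so that a single record can carry both kinds of evidence, which is how a signature hit on an otherwise quiet host gets corroborated by "first contact" or off-hours findings. The fan-out check runs over the whole window rather than per flow, because a sweep is only visible as a count of distinct destinations; the routine host that contacts three peers in a day stays under the floor while the sweeping host does not. In practice the per-flow "new-peer" finding is noisy and would be rolled up into the window-level one rather than emitted a dozen times.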
The most important benefit of NBA solutions is to the enterprise itself. Specifically, when potential holes are buttoned-up, the enterprise can focus on its core business, while at the same time arming an increasingly mobile workforce with the knowledge and applications they need without fear of compromise.
Protection of critical enterprise data is among the highest priorities in Corporate America today. With the emergence of NBA, another potential vulnerability is being addressed. This is not to say that NBA solutions are a silver bullet to all our security problems; however, they are a good countermeasure to the current round of threats from attackers that have evolved over the past decade.
- G. Robert Malan is founder, chief technology officer at Arbor Networks.