In this era of Big Data, it's antiquated that very rarely, if ever, are network administrators able to holistically view all the data generated by the various security solutions on their infrastructure. Rather, most network security components operate as standalone systems, so the data each produces must be viewed within its silo. Or, the data from each system can be aggregated manually, but this is nearly always a time and labor-consuming process. Yet, as organizations strive to integrate and contextualize data across their organizations, they should consider applying this same action to their security systems.
The reason this hasn't been commonly done can be attributed to the way security solutions are currently developed. Because most security solutions are built as proprietary tools, it's very difficult to create an integrated security ecosystem that enables the solutions to communicate with each other. In fact, network security is currently largely static and lacks the ability to act on information in real-time, especially taking into account the industry's standard methods currently rely mostly on email or web reporting. Since many companies cannot afford a 24/7 administrator to constantly police for threats, the next logical step would be to develop a real-time security solution for enterprise networks that works based upon the correlation of metadata. This would allow various components of an organization's infrastructure to share information when red flags are raised, enabling rapid and intelligent responses to potential security breaches.
Imagine, for instance, if intrusion detection systems (IDS), firewalls, VPNs and even door access systems could communicate and illustrate a real-time representation of a network. In this scenario, an IDS could identify a security breach originating from a remote user and then report this to the VPN, which would then shut down or limit access for that user. In breach scenarios, where seconds matter, this would eliminate the costly involvement of an administrator. Furthermore, with the influx of mobile devices into the enterprise, doing this manually would create an unmanageable work burden on network administrators.
This topic even gets more complex when bringing bring-your-own-device (BYOD) into the picture, as this increases the number of mobile devices, such as smartphones and tablets, accessing the corporate network. These devices are – not only used in a corporate environment – but also in different public networks and often cannot be controlled by corporate device management. Also, most of the well-known security programs, including desktops firewalls, antivirus or hard drive encryption, are not widely available exclusively for smartphones and tablets. This means the only way to securely protect your entire network is for all of these pieces of your security ecosystem to communicate and cooperate, enabling an accurate assessment for each device on your network.
Yet, the problem remains, most of today's security systems work isolated from each other. And if they offer interoperability, they do so only to a limited extent that is insufficient to counter the new threats network security faces every day. A new specification developed by the Trusted Computing Group (TCG) strives to solve this interoperability problem with the development of Interface for Metadata Access Points (IF-MAP), which provides the possibility to interconnect different IT-security systems for an accurate representation of the health status of an IT network. The ESUKOM research project aims to use this technology to automate security responses to network threats and enforce security policies without human intervention.
One of the core research elements of ESUKOM is extending and refining the IF-MAP standard to create an advanced metadata model for use across the entire security industry, with correlation algorithms to simplify the analysis of large metadata graphs. Also, by extending common open source tools, like Nagios, iptables or Snort with IF-MAP capability, the project is creating a critical mass of IF-MAP capable products for deployment in any corporate environment. The strength of IF-MAP increases with each new component that's made to be IF-MAP ready. And even today, the number of these products is increasing steadily. Let's close by considering a real-life situation that illustrates these benefits in action. Consider this increasingly common scenario of a remote employee using a tablet who encounters a typical security threat from the road, such as an unidentified network scan. Within an integrated security infrastructure, like the one being developed by the ESUKOM project, this would tip off the IDS to lock the network, then communicate with the VPN to turn remote access connections off. Because this would be automated, this process – which would manually take hours or days to notice the security violation – would be complete within a few seconds. And with security, as we know, every second matters.
