FEATURE: REAL-TIME DETECTION

SITUATIONALLY AWARE

Sun Tzu articulated the merits of knowing both enemy and self. Reggie Best, Chief Product Officer at Lumeta, explains why real-time network visibility is the first step in bolstering network security and breach detection.
All organisations are faced with a growing and evolving cyber-threat landscape staffed by criminals, hacktivists and cyber-spies. Their complex and multi-vectored attacks are difficult to detect and mitigate.
THE CHALLENGE

IT infrastructure comprises an increasingly dynamic environment, including cloud, virtual, on-premises, mobile and IoT devices. Many organisations are using public cloud infrastructure as a service (IaaS) to augment their private data centre. Often there is a virtual private network connection between the IaaS environment and the data centre, making the IaaS cloud part of the enterprise network. There may be several public cloud instances, each managed by a departmental administrator.

These resources can change the network topology dynamically simply by running up a virtual machine with a virtualised network function: a switch, router, firewall, packet forwarder and so on. That function may run for only a few minutes or an hour, and only while that virtual machine is executing.

This dynamic and growing attack surface creates a difficult and significant IT security challenge.
YOUR DYNAMIC NETWORK IN REAL-TIME

Real-time network visibility is the first essential step to strengthen network security defences. This should include an accurate inventory of authorised network infrastructure and the active IPv4 and IPv6 addresses in use. Visibility of when mobile, cloud and virtual endpoints connect and leave also makes your current and dynamic network edge visible.
NETWORK SEGMENTATION

Segmenting your network and critical information resources, and then monitoring them in real-time, ensures the segmentation stays intact and supports hunting for unauthorised routes between entities. Monitoring can also find unknown networks, non-responding networks, multi-homed hosts and split tunnelling. It should also provide visibility into external network connections and any unrestricted paths to your network from the Internet or from a vendor or supply chain partner.
THREAT INTELLIGENCE

Even if attackers have already compromised your defences, you still need to monitor the network in real-time for the tell-tale signs of nefarious activity, including cyber-espionage, criminal activity and hacktivism. Threat intelligence feeds can keep up with the evolution of cyber-threat methods. They are made actionable by correlating the real-time network infrastructure and segmentation data against known threats, new threat intelligence and newly connected devices, to provide real-time cybersecurity breach detection.
Threat intelligence feeds can hunt for zombie computers and their communications on the network, and analyse threat conversations (unauthorised communication flows) occurring between devices on the network (internal origination points) and known bad-actor IP addresses. They can also identify the internal use of known Trojan or malware ports, outbound access to the dark web or command and control botnets, and malware using unauthorised ports for lateral network movement.
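The two checks described in the segmentation and threat intelligence sections above (policy violations between zones, unknown networks, multi-homed hosts, and flows correlated against bad-actor addresses and known malware ports) can be illustrated with a small correlation script. The following is an added example written for this article; it is not Lumeta's code, and the zone map, segmentation policy, threat indicators, flow records and host inventory are all constructed in-line for illustration.

```python
"""Correlate constructed flow records against a segmentation policy and a
threat feed. Added example; not Lumeta's code. All inputs are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: zone name -> CIDR prefixes (assumes CIDR-based zones).
ZONES = {
    "corp": [ipaddress.ip_network("10.1.0.0/16")],
    "pci": [ipaddress.ip_network("10.9.0.0/24")],
    "iaas": [ipaddress.ip_network("172.16.0.0/12")],
    "mgmt": [ipaddress.ip_network("10.250.0.0/24"),
             ipaddress.ip_network("fd00:250::/64")],
}
# Address space the organisation treats as internal (RFC 1918 + IPv6 ULA).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Constructed policy: (source zone, destination zone) pairs allowed to talk.
ALLOWED = {("corp", "iaas"), ("mgmt", "corp"), ("mgmt", "pci"), ("mgmt", "iaas")}
# Constructed policy: zones that must never originate Internet-bound flows.
NO_INTERNET = {"pci", "mgmt"}
# Constructed threat feed: placeholder bad-actor addresses and C2 ports.
BAD_IPS = {ipaddress.ip_address("203.0.113.7"), ipaddress.ip_address("198.51.100.21")}
BAD_PORTS = {4444, 31337}


@dataclass(frozen=True)
class Flow:
    src: object  # ipaddress.IPv4Address or IPv6Address
    dst: object
    dport: int


def zone_of(addr):
    """Named zone for an address, else 'internal-unknown' or 'external'."""
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):  # mixed v4/v6 membership is False
            return name
    return "internal-unknown" if any(addr in n for n in INTERNAL) else "external"


def parse_flows(lines):
    """Parse constructed 'src dst dport' text records into Flow objects."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)))
    return flows


def check_segmentation(flows):
    """Flag unknown networks, forbidden Internet paths and off-policy zone crossings."""
    findings = []
    for f in flows:
        sz, dz = zone_of(f.src), zone_of(f.dst)
        if "internal-unknown" in (sz, dz):
            findings.append(("unknown-network", f))
        elif dz == "external" and sz in NO_INTERNET:
            findings.append(("unrestricted-external-path", f))
        elif sz != dz and dz != "external" and (sz, dz) not in ALLOWED:
            findings.append(("unauthorised-route", f))
    return findings


def check_threats(flows):
    """Correlate flows with the feed: bad destinations and malware-port use."""
    findings = []
    for f in flows:
        if f.dst in BAD_IPS:
            findings.append(("known-bad-destination", f))
        elif f.dport in BAD_PORTS:
            kind = "malware-port-outbound" if zone_of(f.dst) == "external" else "malware-port-lateral"
            findings.append((kind, f))
    return findings


def find_multihomed(inventory):
    """Hosts with addresses in more than one zone bridge segments."""
    out = {}
    for host, addrs in inventory.items():
        zones = {zone_of(ipaddress.ip_address(a)) for a in addrs}
        if len(zones) > 1:
            out[host] = sorted(zones)
    return out


# Constructed sample data (not captured traffic).
SAMPLE_FLOWS = """
# src dst dport
10.1.4.20 172.16.8.9 443
10.1.4.20 10.9.0.15 1433
10.250.0.5 10.9.0.15 22
10.9.0.15 203.0.113.7 443
10.1.4.21 10.1.4.22 4444
10.1.4.21 198.51.100.21 80
10.1.4.23 192.168.77.4 445
""".splitlines()
SAMPLE_INVENTORY = {
    "wks-0042": ["10.1.4.20"],
    "jump-01": ["10.250.0.5", "fd00:250::5"],
    "laptop-17": ["10.1.4.21", "172.16.3.3"],
}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for tag, f in check_segmentation(flows) + check_threats(flows):
        print(f"{tag:28} {f.src} -> {f.dst}:{f.dport}")
    for host, zones in find_multihomed(SAMPLE_INVENTORY).items():
        print(f"{'multi-homed':28} {host} spans {zones}")
```

Run against the constructed data, the script reports the corp-to-PCI database flow as an unauthorised route, the PCI host reaching the Internet as an unrestricted external path, the flow into the unmapped 192.168.77.0/24 space as an unknown network, the two flows to feed-listed addresses, the internal use of a listed port as lateral movement, and laptop-17 as a host straddling the corp and IaaS zones. The same structure applies to real flow exports: only the zone map, policy sets and feed contents change.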
Using threat intelligence to identify threats before they can establish a foothold reduces the likelihood and severity of these high-impact incidents, which expose intellectual property, financial assets and personal data. This helps to protect reputation and compliance.
MAXIMISING EXISTING SECURITY INVESTMENTS

Network security analysts traditionally rely on products such as host vulnerability assessment (HVA), network modelling (what-if) tools and endpoint detection and response (EDR) to gain insights into endpoints and network infrastructure. Without real-time visibility into the network, such tools will miss considerable activity and create unacceptable risk.

Adding real-time network visibility feeds to these existing security investments and to the enterprise security data lakes maximises their effectiveness by ensuring that they work from a complete index of network knowledge.
Endpoint security needs to be proactive to disrupt advanced attacks, and EDR software requires a client agent on every device. If an organisation has any undefended endpoints - blind spots - they remain vulnerable to cyber-attacks. Real-time visibility of all devices connected to the network ensures that EDR software is aware of all endpoints and can provide protection.
WWW.NETWORKCOMPUTING.CO.UK @NCMagAndAwards JANUARY/FEBRUARY 2017 NETWORKcomputing 9