The FBI estimated that cyber criminals grossed $1 billion last year from ransomware. They stand to gross considerably more as new ransomware variants emerge that enable the malware to spread more quickly and without any help from humans. The recent WannaCry ransomware attack, which unfolded across at least 99 countries—including the U.S.—was self-spreading and was the first ransomware worm to be seen in the wild. As companies pay to get their data back, this type of worm assuredly will not be the last.
Examples like this make it clear that the cyber war is real, and that no one is immune. Many recent factors have converged to create greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions. Bring Your Own Device (BYOD) can act as a Trojan horse to gain access to the network, and employees or contractors can knowingly or unwittingly mishandle data in a way that results in a breach. Cloud computing also provides new opportunities for attackers, who are constantly looking for novel ways to breach the wall by exploiting vulnerabilities.
One such technique is the non-malware attack. In this case, no malware file is downloaded to the user's computer. Instead, a malicious script is activated that exploits vulnerabilities in Flash, web browsers and other tools already present on the computer. Because many of the installed security prevention solutions focus on preventing malware downloads, this kind of attack nullifies the effectiveness of a large part of the security architecture.
Prevention Plus Detection
Clearly, organizations need new approaches to keep their data safe. To complement security prevention solutions, an additional layer of advanced threat detection can be deployed based on user and network behavior analysis. These internal advanced threat solutions rely on continuous monitoring of network activity to first establish a profile of normal network behavior and then compare real-time activity to this profile to detect anomalous behavior. When used in conjunction with the information from other security solutions, they can provide the first indication that a breach has taken place.
Because this approach does not rely on detecting file downloads, but on detecting activities that are out of the ordinary, it is particularly effective in combating non-malware attacks by giving the security team the basis for further investigation.
To be able to analyze network behavior, a detection solution must have the opportunity to analyze all network traffic in real time. This requires packet capture solutions that can deliver each and every packet for analysis without packet loss, even at speeds up to 100G.
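The baseline-then-compare approach described above, shown as an added example that is not part of the original article or any vendor's product. It works on constructed flow records (host, hour index, destination port, bytes out) rather than raw packets, learns a per-host profile over an observation period (median and median absolute deviation of hourly egress volume, plus the set of destination ports the host normally uses), and then scores live hours against that profile. All host names, port numbers and byte counts are made up for the demonstration; the robust z-score threshold is an assumed tuning value.

```python
"""Behavioural baseline and anomaly detection over flow records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    hour: int        # hour index since the start of observation (constructed, not real timestamps)
    host: str        # internal host that generated the traffic
    dst_port: int    # destination port of the connection
    bytes_out: int   # bytes sent by the host in this flow


def hourly_features(flows):
    """Aggregate flows into per-(host, hour) features: total bytes out and distinct destination ports."""
    agg = defaultdict(lambda: {"bytes": 0, "ports": set()})
    for f in flows:
        bucket = agg[(f.host, f.hour)]
        bucket["bytes"] += f.bytes_out
        bucket["ports"].add(f.dst_port)
    return agg


def build_baseline(flows):
    """Learn, per host, the median and MAD of hourly egress bytes and the ports normally used."""
    per_host = defaultdict(lambda: {"bytes": [], "ports": set()})
    for (host, _hour), bucket in hourly_features(flows).items():
        per_host[host]["bytes"].append(bucket["bytes"])
        per_host[host]["ports"] |= bucket["ports"]
    baseline = {}
    for host, data in per_host.items():
        med = median(data["bytes"])
        # MAD is a robust spread estimate; fall back to 1.0 if every hour was identical
        mad = median(abs(b - med) for b in data["bytes"]) or 1.0
        baseline[host] = {"median": med, "mad": mad, "ports": frozenset(data["ports"])}
    return baseline


def detect(baseline, live_flows, threshold=5.0):
    """Compare live per-host-hour features to the baseline; return (host, hour, reason) alerts."""
    alerts = []
    for (host, hour), bucket in sorted(hourly_features(live_flows).items()):
        profile = baseline.get(host)
        if profile is None:
            alerts.append((host, hour, "no baseline for host"))
            continue
        # 0.6745 scales MAD so the score is comparable to a classic z-score for normal data
        score = 0.6745 * (bucket["bytes"] - profile["median"]) / profile["mad"]
        if score > threshold:
            alerts.append((host, hour, f"egress volume robust z-score {score:.1f}"))
        new_ports = bucket["ports"] - profile["ports"]
        if new_ports:
            alerts.append((host, hour, f"new destination ports {sorted(new_ports)}"))
    return alerts


# Constructed 24-hour learning period for one workstation: web, DNS and HTTPS only.
BASELINE_FLOWS = [
    flow
    for h in range(24)
    for flow in (
        Flow(h, "ws-17", 443, 1_500_000 + 10_000 * (h % 5)),
        Flow(h, "ws-17", 53, 20_000),
        Flow(h, "ws-17", 80, 300_000),
    )
]

# Constructed live traffic: one ordinary hour, one hour with a large upload to an unusual port,
# and one host that was never profiled.
LIVE_FLOWS = [
    Flow(25, "ws-17", 443, 1_500_000),
    Flow(25, "ws-17", 53, 20_000),
    Flow(25, "ws-17", 80, 300_000),
    Flow(30, "ws-17", 443, 40_000_000),
    Flow(30, "ws-17", 4444, 500_000),
    Flow(25, "ws-99", 443, 100_000),
]


def run_demo():
    """Build the baseline from the learning period and score the live flows against it."""
    return detect(build_baseline(BASELINE_FLOWS), LIVE_FLOWS)


if __name__ == "__main__":
    for host, hour, reason in run_demo():
        print(f"hour {hour:>3}  {host:<6}  {reason}")
```

Two design points matter for a real deployment: the baseline must be learned from a period believed to be clean (otherwise the attacker's traffic becomes "normal"), and the alert is a starting point for investigation rather than a verdict, which is exactly why the article pairs this kind of detection with recorded packets that an analyst can go back to.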
Making Deep-Dive Analysis Possible
When a data breach is discovered, the immediate concern is to determine the extent of the breach and the company’s exposure. The C-level executive will expect the security team to be able to report exactly what happened, when it happened and why it happened within a matter of hours.
However, that is not how most security solutions are constructed today; they are designed to prevent and detect threats in real time or at least near-real time. Reconstructing the anatomy of an attack in detail is often impossible, especially if the attack took place up to six months ago. There is therefore a strong case for establishing the capability to record network traffic in a way that allows a breach to be reconstructed even months after the fact.
The ability to record network activity, or capture packets to disk, allows every packet on the network to be recorded at speeds up to 100 Gbps and can also give multiple security analysis applications access to the same data. This allows deep-dive analysis of reliable network data on demand, supporting near-real-time forensic analysis as well as analysis of breaches several months in the past.
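To make the "record now, analyze months later" idea concrete, here is an added example (not from the article, and not any product's code) that writes constructed frames to disk in the standard libpcap file format and later pulls back only the records inside a chosen time window. It is the smallest honest version of what a capture-to-disk appliance does; the frame contents and timestamps are made up, and the window boundaries are arbitrary.

```python
"""Minimal libpcap-format recorder with a retrospective time-window query (constructed frames)."""
import struct
import tempfile
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic, written little-endian here
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535


@dataclass(frozen=True)
class Record:
    ts: float     # capture time in seconds since the epoch (constructed values below)
    data: bytes   # raw frame bytes as captured


def write_pcap(fileobj, records):
    """Write a pcap global header followed by one record header plus frame per packet."""
    fileobj.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
    for r in records:
        sec = int(r.ts)
        usec = int(round((r.ts - sec) * 1_000_000))
        if usec == 1_000_000:            # rounding overflow: carry into the seconds field
            sec, usec = sec + 1, 0
        fileobj.write(struct.pack("<IIII", sec, usec, len(r.data), len(r.data)))
        fileobj.write(r.data)


def read_pcap(fileobj):
    """Parse a pcap file written by write_pcap back into Record objects."""
    header = fileobj.read(24)
    if len(header) < 24 or struct.unpack("<I", header[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    records = []
    while True:
        rec_hdr = fileobj.read(16)
        if len(rec_hdr) < 16:            # clean end of file
            break
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", rec_hdr)
        data = fileobj.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet record")
        records.append(Record(sec + usec / 1_000_000, data))
    return records


def select_window(records, start, end):
    """Return records with start <= ts < end, i.e. the slice an analyst asks for after the fact."""
    return [r for r in records if start <= r.ts < end]


def ethernet_frame(payload):
    """Build a constructed Ethernet II frame: placeholder MACs, EtherType 0x0800 (IPv4), payload."""
    return b"\x00\x00\x00\x00\x00\x01" + b"\x00\x00\x00\x00\x00\x02" + b"\x08\x00" + payload


# Constructed capture: three frames in one second, one the next day, one thirty days later.
SAMPLE_RECORDS = [
    Record(1_500_000_000.00, ethernet_frame(b"frame-0")),
    Record(1_500_000_000.25, ethernet_frame(b"frame-1")),
    Record(1_500_000_000.50, ethernet_frame(b"frame-2")),
    Record(1_500_086_400.75, ethernet_frame(b"frame-3")),
    Record(1_502_592_000.00, ethernet_frame(b"frame-4")),
]


def roundtrip(records):
    """Write records to a temporary pcap file on disk and read them back."""
    with tempfile.NamedTemporaryFile(suffix=".pcap") as tmp:
        write_pcap(tmp, records)
        tmp.flush()
        tmp.seek(0)
        return read_pcap(tmp)


def record_and_query(start, end):
    """The retrospective workflow: capture to disk, then query a window long after the fact."""
    return select_window(roundtrip(SAMPLE_RECORDS), start, end)


if __name__ == "__main__":
    for r in record_and_query(1_500_000_000.2, 1_500_000_001.0):
        print(f"{r.ts:.6f}  {len(r.data)} bytes  payload={r.data[14:]!r}")
```

The file this produces opens in any standard pcap tool, so the same recorded data can feed several analysis applications, which is the second property the paragraph calls for. A production recorder adds what this example deliberately leaves out: lossless capture at line rate, indexing so a query over months of data does not scan every record, and retention and access controls over what is, after all, a complete copy of the network's traffic.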
Making the Shift
Gartner expanded on the concept of an adaptive security architecture first proposed in 2014 in Designing an Adaptive Security Architecture for Protection from Advanced Attacks. In the analysis, Gartner concluded that there is an over-reliance on security prevention solutions, which are insufficient to protect against motivated, advanced attackers. The alternative proposed was an adaptive security architecture based on the following critical capabilities:
• Prevent: halt attacks
• Detect: discover attacks that preventive capabilities missed
• Predict: learn from attacks and industry intelligence to improve abilities and foresee potential new attacks
• Retrospective: respond to attacks and conduct forensic analysis
The adaptive security architecture framework has as its foundation the ability to perform continuous monitoring and analytics, including network monitoring and analysis.
An Adaptive Security Reality
When packet capture capabilities, next-generation SIEM solutions and advanced threat detection solutions are all in place, the infrastructure needed to support an adaptive security framework exists.
This comprehensive infrastructure makes it possible to prevent known attacks, detect zero-day threats and detect anomalous behavior that can indicate breaches that have circumvented defenses. The alerts and information from each solution are correlated and condensed by solutions like security information and event management systems that will enable security teams to quickly focus their attention on the most important threats.
If, despite all efforts, a breach is discovered well after the fact, the ability to fully capture and record each packet allows the anatomy of an attack to be recreated, allowing a quick determination of the extent and impact of the breach, as well as the ability to learn and to prevent such a breach from happening again.
Complete network visibility is the goal in today’s threat-heavy environment. The solutions and the technologies to implement this level of visibility are available today but must be deployed together, creating both security prevention and detection. Near-real-time forensic analysis and post-breach analysis require the ability to record network data, which helps provide the holistic view that helps make adaptive security a reality.