Infosecurity Europe 2016 - a guide to getting started

Editorial Type: Opinion | Date: 05-2016
Tailored security measures require understanding, knowledge, resources and planning. With Infosecurity Europe 2016 upon us, and with some help from the vendors, Ray Smyth explores some topics that should be considered.

For far too long, the IT security market has focused its customers' attention on prevention. There is nothing wrong with that, but it needs balancing with detection and response if a disadvantaged, even weakened, posture is to be avoided.

NETWORK FORENSICS
Intrusion prevention is an essential security component but following the detection of an intrusion, investigation and response are essential. It is here that network forensics comes into its own.

Despite this, there is evidence that organisations regularly ignore security alerts. Larry Zulch, CEO of Savvius, explains that, "Any one of those alerts could become an intrusion that ultimately leads to a breach. Network forensics can determine whether an alert is a false positive which can safely be ignored, or a malware author cleverly avoiding getting tagged."

Forensic information, including the origin, destination and even the content of the packet that triggered the alert, plus the traffic leading up to that alert, can provide a security investigator with crucial insight leading to fewer breaches.

Network forensics is of course important in breach investigation, and Zulch adds, "Packets don't lie. They won't achieve their destination without accurate addresses, and their payload, the malware, must work. But typically breaches are not detected until months later when network traffic is long gone." The role of network forensics in IT security is therefore a vital one: it can reduce the likelihood of a breach and, if a breach does occur, its impact.

THE SECURITY AUTOMATION GAP
Security management has become a function in its own right, and some think that it may have gotten out of hand. In a survey undertaken by AlgoSec - The State of Automation in Security - 48 per cent of respondents had suffered an application outage because of a misconfigured security device, 42 per cent a network outage and 20 per cent a security breach. On average, these issues took up to three hours to fix, while 20 per cent needed a day or more.

Nimmy Reichenberg, VP of Strategy at AlgoSec, suggests that, "Security teams have to take back control; keep the bad guys out while keeping applications running smoothly and securely, all day, every day. Skilled security staff spend precious time keeping the lights on, manually maintaining existing systems, sifting through countless security alerts and making device configuration changes, while often inadvertently causing outages and creating security holes."

Most survey respondents (83 per cent) believe the use of automation in security needs to increase, and most believe that automation will enhance an organisation's security posture. That said, only 15 per cent felt that their security processes were highly automated; over half had some, but not enough, automation, and a third had little to no automation.

Reichenberg adds, "With enterprise networks evolving, due in part to business transformation initiatives including cloud and SDN, cyber threats become more sophisticated and businesses are increasingly subject to demanding compliance standards. It's clear that automation of security processes is no longer a nice to have: it's a necessity to manage security at the speed of business."

EXPLODING ENTERPRISE ATTACK SURFACE
There is not much dissent around the assertion that the network boundary has gone, and while there are a number of security solutions that address this, what it actually means is perhaps less well considered. Essentially, the network is more dispersed and less well defined, and this means that the attack surface - the exposure of sensitive applications and data - has expanded dramatically. For the attacker this is like manna from heaven, and it offers them significantly improved chances of success.

The enlarged attack surface arises from larger data sources - students, patients, law firms - and from devices such as smartphones, tablets and IoT. Then there is infrastructure - cloud, SD-WAN and BYOD. These elements combine into a perfect storm of criminal opportunity, and enterprise IT has diminishing control.

Adam Boone, Chief Marketing Officer at Certes Networks, picks up this point. "Two decades ago, IT security was organised around a firewalled perimeter. Users and networks inside were trusted and everything outside untrusted; a small attack surface with sensitive data firmly inside. Users could only access sensitive data from within the perimeter or by VPN."

According to Boone, "In the 1990s, enterprises transformed operations by digitising mission-critical information and sharing with users everywhere, creating new targets." One conclusion appears to be that IT security is no longer about managing devices and infrastructure. Instead, it must focus on users, applications and their interaction. Boone concludes that it is necessary to, "Shrink the attack surface by controlling which users can access which applications in all locations. Access control must focus on user roles and authorising users for only those applications needed for their job."
