Here’s a quick summary of my webcast yesterday on next-generation network security.
There’s a lot of hype about the changing threat landscape and challenges to traditional security strategies. The reality is that we need both familiar and new tools as we evolve the conversation from point-based solutions, which typically protect one stage in an attack sequence, to integrated, connected solutions – the best way to protect against next-generation attacks.
Some hard truths about security today:
- Borderless networks are more susceptible. Data in transit is data exposed; losing physical boundaries has serious security implications. Everything is connected, therefore potentially vulnerable to takeover. Concentration of data in warehouses promises a possible bigger payoff from a single hack.
- Attacks are growing more sophisticated. Remote procedure calls and SQL injections are increasing. Hackers are getting smarter about evading traditional defenses.
- The stakes are getting higher. We’ve just seen a massive electric failure in India which, due to malicious action or not, illustrated the potential fallout from a system attack. Loss of electric grids or phone or transit networks can have massive impact on a country’s security.
- IT is growing more complex. By 2015 Cisco predicts we’ll have 15 billion mobile devices in use. Each is a potential target. But we aren’t growing the ranks of network or security administrators at nearly the same pace, so security tools have to get smarter.
In the face of all this complexity, firewalls are a powerful but not total solution. Firewalls place an emphasis on enforcing policy and limiting and controlling access. They’re more effective at deterring broad-scale attacks than smaller, targeted ones. Security is an ongoing battle that can’t be won with a single weapon; you need a concert of weapons and individuals. The best approach is a framework that facilitates a connected approach to security.
We haven’t always referred to it this way, but McAfee has had a “next-generation” IPS (intrusion protection system) in place for some time. It combines traditional IPS with more advanced elements like behavior analysis, application awareness, and network visibility.
More and more, the threat prevention paying field is going to focus on anomaly detection heuristics – behavior analysis – in addition to the traditional safeguards.
With a platform approach that spans an entire network, using the same tools throughout the infrastructure and coordinating threat response, we now have heightened “context awareness” that highlights anomalies. We can tell when a machine starts behaving in unexpected ways – when a computer known to be someone’s personal device starts acting like a mail server, for example. We can tell when a user’s browsing or protocol behavior changes.
As for content awareness, nearly all security vendors still use signature detection as a baseline defense – it’s not true that those strategies are “dead,” as some claim – but we increasingly use reputation data, measuring a current file or IP address against past data, and file anomaly detection. (If a PDF seems to be running an executable, for example, it begs for attention.) Botnet detection is as big an issue as ever; we can look a dozens of heuristics to identify a bot on the network. When a system reaches out to many IP addresses in rapid-fire fashion, for example, that profile says “bot” very quickly.
It adds up to more accurate, timely threat detection; these additions improve security defenses by up to 30 percent compared to signature defense alone.
Beyond heuristic analysis, the next big value-add is generation and analysis of an enterprise-wide data layer with the help of external intelligence. Part of McAfee’s Security Connected framework is McAfee Event Reporter, a log management tool that collects and correlates millions of events from across the organization. A correlation engine analyzes them against reputation data from the cloud, isolates threatening trends, and even identifies particular events based on historical data. This turns a simple log manager or event manager into a security solution and generates a global, company-wide view of your risk posture. It doesn’t even require an all-McAfee technology landscape across the organization; the big idea here is to strive for a connected approach.
To get on the road to a true connected security posture, I think you need a construct that lets you leverage “next-generation” benefits like these without forgetting about traditional safeguards. You may have a stack of individually effective one-off security solutions, but the changing threat landscape and the available streamlining potential say it’s time to combine them into a single, connected approach. In a world of more genuine threats and mushrooming network complexity, it’s the best way to stay ahead.