Page 20 - CDM Cyber Warnings February 2014



a challenge for incident responders, who have the tough job of reconstructing what happened once a system has been breached and the logs have been corrupted. However, by combining perimeter security technologies with internal network visibility and audit trails of network activity, organizations can more effectively identify, investigate, halt and prevent advanced attacks, including insider threats and APTs.

Looking Beyond Technology

It is also crucial to recognize the importance of human incident responders in combating advanced security threats. No security solution is going to automatically detect and block APTs and insider threats while the IT staff is asleep. While enforcement mechanisms are critical to a healthy network, they cannot replace the need for a vigilant, skilled set of eyes watching for emerging and targeted threats. Trained personnel equipped with comprehensive network intelligence are the only defense against a growing world of advanced adversaries.

The best solutions harness the strengths of both automated and human analysis – helping professional incident responders monitor their systems and networks and comb through the masses of information there to find the subtle indicators that sophisticated attacks leave behind. Next-generation network visibility technologies can help in this regard by turning the network into an always-on sensor grid for detecting suspicious behavior.

Leveraging NetFlow

The most comprehensive and cost-effective means of obtaining visibility and protection across the internal network is to leverage existing infrastructure. Vast amounts of security insight can be obtained by collecting and analyzing NetFlow, IPFIX, sFlow and other types of flow data from routers, switches, firewalls and other flow-enabled devices already deployed within the network. Like a call record, flow data can show who is talking to whom within a network, for how long, using which devices, and so on.

While perimeter security systems only monitor traffic moving between the network and the Internet, flow-based monitoring can reach deep into the network, providing visibility into transactions happening between endpoints. This data can be critical for piecing together an attacker's moves through the network, providing insight that cannot be obtained through forensic analysis of compromised machines.

Flow-based monitoring can also be used to baseline normal network behavior and identify when a host is doing something it shouldn't be – whether it be logging in from an unfamiliar location, beaconing, communicating with a questionable external IP address, sending out unusually high amounts of traffic, and the list goes on.

Continuously Analyzing Threat Intelligence

When you are living with an advanced threat, you are playing a nonstop game of cat and mouse on your computer network. The need to collect and analyze intelligence isn't a one-time requirement that occurs as the result of a single incident. It needs to be an ongoing part of an organization's defensive operation. The intelligence uncovered by incident responders can be fed back into threat detection systems to catch future attacks earlier in their lifecycle. Tools such as flow-based monitoring can be a key enabler.
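As an added illustration of the flow-based baselining and beaconing checks described above, and of feeding investigation results back into detection, the following Python script (written for this page, not code from the article or from Lancope) runs three simple detectors over a handful of constructed flow records; the record format, thresholds, IP addresses and watch list are all assumptions.

```python
"""Toy flow-record analysis: beaconing, outbound-volume outliers, watch-list hits."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed flow records (start time in seconds, src, dst, bytes) from internal
# hosts to external destinations. Hypothetical data, not a real NetFlow export.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 1200), (60, "10.0.0.5", "203.0.113.9", 1180),
    (120, "10.0.0.5", "203.0.113.9", 1210), (180, "10.0.0.5", "203.0.113.9", 1190),
    (240, "10.0.0.5", "203.0.113.9", 1205),
    (10, "10.0.0.7", "198.51.100.20", 4000), (700, "10.0.0.7", "198.51.100.21", 3800),
    (1500, "10.0.0.7", "198.51.100.22", 4200),
    (30, "10.0.0.9", "198.51.100.30", 900), (90, "10.0.0.9", "198.51.100.31", 1100),
    (400, "10.0.0.9", "198.51.100.32", 950),
    (5, "10.0.0.11", "198.51.100.40", 95_000_000),
]
# Intelligence from an earlier incident, fed back in as a watch list (constructed).
KNOWN_BAD = {"203.0.113.9"}

def beaconing_hosts(flows, min_flows=4, max_jitter=0.1):
    """Return (src, dst) pairs contacted at near-constant intervals."""
    times = defaultdict(list)
    for t, src, dst, _ in flows:
        times[(src, dst)].append(t)
    hits = set()
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_flows:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Low spread of inter-flow gaps relative to their mean = regular beacon.
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            hits.add(pair)
    return hits

def volume_outliers(flows, factor=10):
    """Return hosts whose outbound bytes exceed factor x the median host's total."""
    total = defaultdict(int)
    for _, src, _, nbytes in flows:
        total[src] += nbytes
    baseline = median(total.values())  # crude per-host baseline of normal volume
    return {host for host, b in total.items() if b > factor * baseline}

def watchlist_hits(flows, bad=KNOWN_BAD):
    """Return (src, dst) pairs where the destination is on the watch list."""
    return {(src, dst) for _, src, dst, _ in flows if dst in bad}
```

Real deployments would compute baselines over days of history per host or host group rather than over a single sample, and tune the jitter and volume thresholds to the environment.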
About the Author

Tom Cross is Director of Security Research at Lancope, where he works on advancing the state of the art in network behavior anomaly detection. He has over a decade of experience as a computer security researcher and thought leader. He is credited with discovering a number of critical security vulnerabilities in enterprise-class software and has published papers on collateral damage in cyber conflict, vulnerability disclosure ethics, security issues in Internet routers, encrypting open wireless networks, and protecting Wikipedia from vandalism. Tom can be reached at [email protected] or through the Lancope web site: http://www.lancope.com/.

CYBER DEFENSE MAGAZINE - ANNUAL EDITION 20