A recent report found that 18 million new malware samples were captured in Q3 2016 alone, an average of roughly 200,000 each day. These numbers illustrate that we live in a constant state of cyber-siege.
Many factors have converged to create greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions. Bring Your Own Device (BYOD) can act as a Trojan horse to gain access to the network, and employees or contractors can knowingly or unwittingly mishandle data in a way that results in a breach. Cloud computing also provides new opportunities for attackers, who are constantly looking for novel ways to breach the stronghold by exploiting vulnerabilities.
As if malware weren’t bad enough, organizations must now also contend with the non-malware attack. In this scenario, no malware file is downloaded to the user’s computer. Instead, a malicious script runs that exploits vulnerabilities in Flash, web browsers and other tools already present on the computer. Because many of the installed security prevention solutions focus on blocking malware downloads, this kind of attack nullifies the effectiveness of a large part of the security architecture.
The Missing Piece: Detection
In addition to the security prevention solutions already installed, a layer of advanced threat detection can be deployed based on user and network behavior analysis. These internal advanced threat solutions rely on continuous monitoring of network activity to first establish a profile of normal network behavior and then compare real-time activity against this profile to detect anomalous behavior. When used in conjunction with the information from other security solutions, this analysis can provide the first indication that a breach has taken place.
The reason that advanced threat detection is so powerful against non-malware attacks is that it does not rely on detecting file downloads but on detecting activities that are out of the ordinary, giving the security team the basis for further investigation.
Network behavior analysis works by analyzing all network traffic in real time. This requires packet capture solutions that can deliver every packet for analysis without packet loss, even at speeds up to 100G.
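The profile-then-compare logic described above, as an added example that is not from the original article: a per-host baseline of outbound bytes per interval is learned from a history window, and live intervals are scored against it. Host addresses, byte counts, the z-score threshold and the sample-count minimum are constructed assumptions.

```python
"""Baseline-then-compare network behavior analysis (added example).
Per-host outbound bytes per interval are profiled, then live intervals scored."""
from statistics import mean, pstdev

# Constructed flow summaries, not captured traffic: (host, outbound bytes per interval)
BASELINE_FLOWS = [
    ("10.0.0.5", 1_200_000), ("10.0.0.5", 1_350_000),
    ("10.0.0.5", 1_100_000), ("10.0.0.5", 1_280_000),
    ("10.0.0.9", 40_000), ("10.0.0.9", 42_000), ("10.0.0.9", 38_000),
    ("10.0.0.9", 41_000), ("10.0.0.9", 40_000),
]
# Constructed "live" intervals to compare against the profile.
LIVE_FLOWS = [
    ("10.0.0.5", 1_300_000),  # within this host's normal range
    ("10.0.0.9", 2_500_000),  # ~60x its usual volume
    ("10.0.0.77", 5_000),     # host never seen during learning
]

MIN_SAMPLES = 3         # fewer observations than this: profile not trusted
STD_FLOOR_RATIO = 0.05  # floor on sigma so a flat history does not make every change a spike

def build_baseline(flows):
    """Return {host: (mean, sigma)} for hosts with enough samples."""
    per_host = {}
    for host, nbytes in flows:
        per_host.setdefault(host, []).append(nbytes)
    baseline = {}
    for host, values in per_host.items():
        if len(values) < MIN_SAMPLES:
            continue  # too little history to call anything anomalous
        mu = mean(values)
        sigma = max(pstdev(values), mu * STD_FLOOR_RATIO)
        baseline[host] = (mu, sigma)
    return baseline

def score(baseline, flows, threshold=3.0):
    """Return [(host, verdict, z)]; verdict is normal, anomalous or no-baseline."""
    results = []
    for host, nbytes in flows:
        if host not in baseline:
            results.append((host, "no-baseline", None))  # needs an analyst, not a z-score
            continue
        mu, sigma = baseline[host]
        z = (nbytes - mu) / sigma
        verdict = "anomalous" if abs(z) > threshold else "normal"
        results.append((host, verdict, round(z, 2)))
    return results

if __name__ == "__main__":
    for row in score(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(row)
```

Hosts with no learned profile are reported separately rather than scored, since a z-score against a missing baseline would be meaningless; in practice that bucket is itself a useful triage queue.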
The Benefit of Recording Traffic
When an executive gets the dreaded call that a breach has occurred, the immediate concern is to determine the extent of the breach and the company’s exposure. The C-level executive will expect the security team to be able to report exactly what happened, when it happened, and why it happened within a matter of hours.
Well, that’s not always possible. Security solutions are typically built to prevent and detect attacks in real time or at least near-real-time. Reconstructing the anatomy of an attack in detail is often impossible, especially if the attack took place up to six months ago. There is, therefore, a strong case to be made for the ability to record network traffic in a way that allows a breach to be reconstructed even months after the fact.
Recording this traffic, also called packet capture-to-disk, allows every packet on the network to be recorded at speeds up to 100 Gbps and also gives multiple security analysis applications access to the same data. This allows deep-dive analysis of reliable network data on demand, supporting near-real-time forensic analysis as well as analysis of breaches several months in the past.
From Preventive to Adaptive Security
Gartner recently elaborated on the concept of an adaptive security architecture first proposed in 2014. In the analysis, Gartner concluded that there is an over-reliance on security prevention solutions, which are insufficient to protect against motivated, advanced attackers. The alternative proposed was an adaptive security architecture based on the following critical capabilities:
Prevention: to stop attacks
Detection: to discover attacks that have evaded preventive measures
Prediction: to learn from attacks and industry intelligence to improve capabilities and proactively predict potential new attacks
Retrospection: to react to attacks and perform forensic analysis
What undergirds the adaptive security architecture framework is the ability to perform continuous monitoring and analytics, including network monitoring and analysis.
What Adaptive Security Requires
As advanced threat detection solutions, packet capture capabilities, and next-generation SIEM solutions are combined, the infrastructure is in place to support an adaptive security framework.
This combination of solutions can detect zero-day threats, prevent known attacks and detect anomalous behavior that can indicate breaches that have circumvented defenses. The alerts and information from each solution are correlated and condensed by security information and event management (SIEM) systems, enabling security teams to quickly focus their attention on the most important threats.
If the best intentions come up short and a breach is detected late, the ability to fully capture and record each packet allows the anatomy of an attack to be recreated, allowing a quick determination of the extent and impact of the breach, as well as the ability to learn from it and prevent such a breach from happening again.
These tools are available today to defend and secure the enterprise network. A comprehensive view is needed to combat ever-evolving threats, and this kind of visibility is only possible when security prevention and detection solutions work together. Complete packet capture is a key element of this approach, enabling network data recording for near-real-time forensic analysis and post-breach analysis. This creates the adaptive approach to security that Gartner recommends.