Look to the Network (for Security Innovation)


I get awfully tired of proclamations like “Firewalls are Dead” or “IDS is Dead,” as if any generation of technology is so hopelessly gone that it went from useful to useless in a perfect, quantum-leap change of state.  As if anything in the world is purely binary.  T.S. Eliot had it right: the end of anything usually happens with a whimper and not a bang, and the same is true of security technologies.  If anyone tells you that the perimeter is “dead” or that fill-in-the-blank security technology (AV, SIEM, FW, IDS, MFA, etc., etc.) is, then hold on to your wallets.  Because the kit and the tools that we use and have deployed very widely continue to have utility long after their hype has peaked and receded.

It’s probably the mark of all technologies that they go through what Gartner would call a “hype” cycle before finding their optimal, snug home of utility.  All of the technologies I’ve mentioned still exist and still have a role to play, and many yet to come will likewise get launched, sail proud and eventually find a snug berth in some IT dock somewhere.  It’s arguable that a technology is only really mature when it goes through those phases and finds its sweet spot, but that’s a tangent from the real point of this blog: now is the time for the Network to re-assert its validity and to provide new options for changing the security game.

It’s arguable that IDS was once at the forefront of the network game, but it hit a wall that had two unfortunate consequences.  First, the noise-to-signal ratio became unmanageable and, inadvertently, created what became (through several painful phases) the SIEM industry.  Second, IDS tried to pull itself up by the bootstraps and evolve into IPS, which was a worthwhile direction and endeavor but ran into the problem of trying to increase fidelity at the same time as increasing the ability to take action.  In a perfect storm, a series of bad corporate moves and acquisitions set IPS back, and it has been largely overlooked (and sometimes snickered at) by the industry ever since.

This has led to the current straits where the “network” (and I don’t mean the perimeter, for those thinking sandbox, firewall, next-generation firewall, UTM and/or WAF here) is underserved.  If you look at the extensive categories around so-called “Advanced Threat” technologies, network-based options are underserved.  This is a technology that won’t be as insecure as many will claim, but it has the most immediate and effective ability to change the Human-to-Human race happening between security departments and attackers.

Why is it so effective?  The most obvious answer is that network technologies can see the traffic.  That sounds obvious, but it means that all communications, all theft, all lateral movement is immediately and clearly visible to the network.  The only things it can’t see are attacks that come in physically, interact with an endpoint and leave physically without touching the network stack.

Done correctly, network-based recording and selective retention (and metadata) can let you retroactively look for things when signatures later become available — we call that “looping,” although I have heard of others calling that “retrospective analysis.”  Unlike endpoints, which are the site of controls, recording and compromise, the network isn’t in the critical compromise path in the majority of attacks, which makes it an out-of-band collection mechanism for post-event forensics, for back-tracking and tracing and for looking at “in the wild events.”
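As an added illustration of the “looping” idea above (example code written for this page, not from the original post or any vendor product): retained flow metadata is re-queried when indicators arrive after the fact, giving first-seen times and the set of hosts that talked to each indicator. All hosts, addresses and indicators below are constructed sample values.

```python
# Added example: retrospective analysis ("looping") over retained network metadata.
# Flow records and indicators are constructed sample data, not real captures.
from collections import defaultdict

# Constructed flow metadata: (timestamp, src_host, dst_ip, dst_port, server_name)
FLOW_METADATA = [
    ("2014-08-01T09:12:03Z", "ws-017",    "198.51.100.23", 443,  "updates.example.net"),
    ("2014-08-01T09:12:40Z", "ws-017",    "203.0.113.9",   443,  "cdn.example-files.test"),
    ("2014-08-02T22:41:10Z", "ws-042",    "203.0.113.9",   443,  "cdn.example-files.test"),
    ("2014-08-03T03:05:55Z", "ws-042",    "192.0.2.77",    8443, "telemetry.example.org"),
    ("2014-08-03T03:06:01Z", "srv-db-01", "192.0.2.77",    8443, "telemetry.example.org"),
]

# Indicators that "became available later" (constructed): (type, value) pairs
LATE_INDICATORS = [
    ("ip", "203.0.113.9"),
    ("domain", "telemetry.example.org"),
]


def retrospective_matches(flows, indicators):
    """Return {indicator_value: [(timestamp, src_host), ...]} for every retained
    flow that matches an indicator we did not have at capture time."""
    ips = {v for t, v in indicators if t == "ip"}
    domains = {v for t, v in indicators if t == "domain"}
    hits = defaultdict(list)
    for ts, src, dst_ip, _dst_port, sni in flows:
        if dst_ip in ips:
            hits[dst_ip].append((ts, src))
        if sni in domains:
            hits[sni].append((ts, src))
    return dict(hits)


def first_seen_and_hosts(matches):
    """Collapse matches to (earliest timestamp, sorted affected hosts) per indicator:
    the scoping data an IR team needs before deciding what to isolate.
    ISO-8601 UTC timestamps sort lexicographically, so min() is the earliest."""
    return {ind: (min(ts for ts, _ in rows), sorted({h for _, h in rows}))
            for ind, rows in matches.items()}


if __name__ == "__main__":
    for ind, (first, hosts) in first_seen_and_hosts(
            retrospective_matches(FLOW_METADATA, LATE_INDICATORS)).items():
        print(f"{ind}: first seen {first}, hosts {hosts}")
```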

Network interception also sees the broadest swath of systems (which are the ultimate targets) of any interception point for east-west traffic, as opposed to the purely north-south view at a perimeter.  If you want to collect and collate data, looking for patterns, applying machine learning or even doing white/black list signature checking, it’s far more efficient to do it from the network than from elsewhere.  Further, when the network requires updates and signatures, it represents only one point, or a small number of points, to update that can see everything, instead of the interminable race and election/distribution algorithms needed to update individual machines and groups of machines that differ widely in their operating environments, behaviors, availability and distribution.

Finally, the network presents a set of options to take action: you can use the network to interrupt command and control, to interrupt bots and tools, to segment, to isolate with the least impact to affected systems.  You aren’t in the kernel and the guts of endpoint systems and can instead quarantine them or monitor them with little risk of detection from endpoint-resident malware because the platform under attack isn’t also the probe.

Is the firewall dead?  No.  Is antivirus dead?  No.  Is IDS, IPS dead?  No.  Is SIEM dead?  No.  Not at all. But are they the best place to get an advantage for your people in winning the race against bad guys?  Also No.

The truth is that the network is the best place to deploy technologies to get a leg up.  The network’s time has come and our IT environments need it.

There are challenges on the horizon, including increasing use of encryption (for which there are answers) and the adoption of technologies in virtual environments, clouds and the use of mobile and even IOT devices (for which there are also answers).  But the network is the place that is underserved today and provides the most meaningful complement to existing tools, teams and processes for getting results.

In the past 4 blogs, we’ve established that mature companies and those companies that aspire to mature try to get a leg up in the Human-to-Human race.  This means accepting that Infrastructure compromise is inevitable, painful as it is; and traditional tools can help minimize this; but Information compromise is “evitable” or avoidable.  To do this means freeing up spend from less effective tools (not eliminating them) and inverting the spending pyramid.  And it means investing in new, advanced tools and techniques, especially around network security, to win the race more often and more effectively.

The time for the next phase of network advanced threat technology is now!
