Thursday, October 4, 2012

Using network usage patterns to draw security & forensics intelligence

Cyber security, forensics and intelligence are a complex problem, and most tools are only as effective (or as limited) as the policies behind them. Worse, cyber-attacks are getting more complex by the minute, and today no single tool can prevent them. Attacks are evolving so quickly that the tool you deploy today is outdated almost as soon as it is in place.

If complexity is one angle, BYOD is another, and it is getting harder to see where an attack is coming from: is it from outside, or from inside via a BYOD security hole? Where do you put the fence now, at the perimeter or inside looking out? MDM agents on BYOD devices are not practical in today's world (one report suggested an 84% rejection rate, including an uprising at a US-based firm over installing MDM agents on employees' devices).

Yes, we need to deploy these standard tools, but assuming they are enough is very naive (even BoA was not spared last week). This is where "intelligence" comes into the picture, with the underlying philosophy that prevention is better than cure. Be it homeland security or cyber security, intelligence prevents most attacks: the threat is nullified before it ever reaches attack level. Gathering that intelligence requires a lot of data and, more importantly, graphing that data in an insightful way so that patterns show and the intelligence comes to the fore.

Security needs to be looked at afresh, and "intelligence" needs to be given prime importance. This is where we differ on how intelligence is collected, and where we suggest: "listen to your network", and do it 24x7. The network says and reveals much more than some URL traffic; it throws up patterns. Recognize those patterns and you will see intelligence, especially when the data is displayed in comparison with other relevant data and parameters. When you chart historical data and compare it with live, real-time traffic, things start to emerge that provide very crucial information: agent-less discovery of all the BYOD devices running in the network, the apps on them with their security threat level diagnosed, the pattern of traffic on them, the geographic distribution of traffic, the traffic volume and pattern from and to blacklisted IPs, clear and complete URL categorization, and integration with Snort to chart and detect intrusions, including alerts triggered on any parameter of interest. All of this is done while sitting passively in the network, yet charting, retrieving and storing at high speed thanks to a map-reduce database that delivers every result in real time. Deep-drill and cross-drill analysis of the data then helps to build complex reports that can be viewed online, again in real time, to draw powerful insights.
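As an added illustration of the "compare historical data with live traffic" idea described above (this is example code written for this page, not i7 Networks' product code), the block below builds a per-host baseline from constructed historical flow records and then checks a constructed live window against it. It flags a host whose byte volume is far above its own history, a host talking on a port it has never used, a host talking to a blacklisted address, and a host that has never been seen before (the agent-less discovery angle). The flow-record layout, the z-score threshold, the standard-deviation floor and all addresses are assumptions chosen for the example; the addresses come from the documentation ranges and are not real indicators.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical flow records: (day, src_host, dst_ip, dst_port, bytes).
HISTORY = [
    ("d1", "10.0.0.5", "93.184.216.34", 443, 52000),
    ("d1", "10.0.0.5", "93.184.216.34", 443, 48000),
    ("d2", "10.0.0.5", "93.184.216.34", 443, 50000),
    ("d2", "10.0.0.5", "93.184.216.34", 80, 51000),
    ("d3", "10.0.0.5", "93.184.216.34", 443, 49000),
    ("d3", "10.0.0.5", "93.184.216.34", 443, 50000),
    ("d1", "10.0.0.7", "93.184.216.34", 443, 5000),
    ("d2", "10.0.0.7", "93.184.216.34", 443, 5000),
    ("d3", "10.0.0.7", "93.184.216.34", 443, 5000),
]

# Constructed live-window records for one period ("today"), same layout.
LIVE = [
    ("today", "10.0.0.5", "93.184.216.34", 443, 60000),
    ("today", "10.0.0.5", "198.51.100.9", 443, 90000),
    ("today", "10.0.0.7", "93.184.216.34", 443, 4800),
    ("today", "10.0.0.7", "203.0.113.66", 6667, 900),
    ("today", "10.0.0.9", "93.184.216.34", 443, 3000),
]

# Constructed blacklist (documentation-range address, not a real indicator).
BLACKLIST = {"203.0.113.66"}


def build_baseline(history, std_floor=0.1):
    """Build a per-host profile from history: mean and standard deviation of
    daily bytes plus the set of destination ports seen. The deviation is floored
    at std_floor * mean so a perfectly regular host is not flagged by tiny noise."""
    daily = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for day, host, _dst, port, nbytes in history:
        daily[host][day] += nbytes
        ports[host].add(port)
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        m = mean(totals)
        s = max(pstdev(totals), std_floor * m)
        baseline[host] = {"mean": m, "std": s, "ports": ports[host]}
    return baseline


def analyze_live(live, baseline, blacklist, z_threshold=3.0):
    """Compare one live window against the baseline; return a list of alerts,
    each a dict with the host, the kind of deviation and a short detail string."""
    alerts = []
    totals = defaultdict(int)
    for _day, host, dst, port, nbytes in live:
        totals[host] += nbytes
        profile = baseline.get(host)
        if dst in blacklist:
            alerts.append({"host": host, "kind": "blacklist", "detail": f"{dst}:{port}"})
        if profile and port not in profile["ports"]:
            alerts.append({"host": host, "kind": "new_port", "detail": str(port)})
    for host, total in totals.items():
        profile = baseline.get(host)
        if profile is None:
            # Never seen in history: a newly discovered (possibly BYOD) device.
            alerts.append({"host": host, "kind": "new_host", "detail": f"{total} bytes"})
            continue
        z = (total - profile["mean"]) / profile["std"]
        if z > z_threshold:
            alerts.append({"host": host, "kind": "volume", "detail": f"z={z:.1f}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze_live(LIVE, build_baseline(HISTORY), BLACKLIST):
        print(alert)
```

With the constructed data, 10.0.0.5 is flagged for volume (150000 bytes against a 100000-byte daily mean), 10.0.0.7 is flagged twice (blacklisted peer and a never-before-seen port 6667) but not for volume, and 10.0.0.9 is reported as a new host. Swapping the constructed lists for real flow exports (NetFlow, Zeek conn logs) and a curated blacklist is what turns this sketch into the kind of passive pattern monitoring the post describes.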

Now coming to forensics, the same rule applies. It is tough to make your network 100% foolproof. Every day hundreds, if not thousands, of organizations have their networks compromised; it is just that not everyone goes public, and not every case gets the PR. Compromises happening is one thing, but having a powerful, robust forensics tool is another. This is where, again, I repeat what we say: listen to your network 24x7. You will see patterns, understand them, and discover why the compromise happened, how, and from where, and you will learn and apply policies and tools in such a way that a similar attack will not happen again and attacks of that kind can be eliminated.

Yes, it requires a complete, holistic approach to solving the security problem and providing a robust, powerful forensics capability, and that comes from what we believe in: "listen to your network", now, yesterday and tomorrow, 24x7.

Manjunath M Gowda
CEO, i7 Networks – “listen to your network”
The author is the CEO of i7 Networks, which works on next-generation analytics and intelligence related to bandwidth, security and BYOD.
