Posted by: Guest Author
Guest Post, Networking in 2010
Today’s guest post is from Pete Schlampp, vice president of marketing and product management at Solera Networks.
The Identity Theft Resource Center (ITRC), the organization that tracks data breaches, reports 211 data breaches so far in 2010, and 26 of these involve financial services companies. According to ITRC, many incidents actually occurred in 2009 but are just now being brought to light. Waiting weeks and months or longer to discover network breaches hardly seems acceptable. Even worse, the majority of these breaches involve an unknown number of records exposed. Why? Because there is no way to “replay the tape” and see exactly what was stolen or touched. Existing tools only record metadata and signature matches. Without good situational awareness we’re dealing with the equivalent of digital hearsay.
Demands for better situational awareness-knowing and seeing what’s happening inside the network-has led to new technologies and the commercialization of tools that increase the resolution of what can be seen and known by security engineers. Technically, the ability to record network traffic and carve it into perceptible chunks has been around for years. Ask a network troubleshooter about tcpdump and wireshark and they’ll gush like a carpenter over his favorite hammer. Network Forensics companies have taken these technologies and created more robust, accessible, and maintainable tools. At the same time, costs to store and process one hour of GigE network traffic has dropped from tens of thousands of dollars to hundreds in the past five years. The Network Forensics space is rapidly evolving and highly differentiated. Performance, scalability, and the analytical applications available can vary widely.
A recent survey indicates that many network security professionals don’t yet understand the need for Network Forensics and what it can do for them to provide situational awareness. Using security tools based on signatures developed to block known security threats or those based on a collection of metadata spewed off of “dumb” network devices, security engineers aren’t equipped to know even simple details like who is on the network; what applications are being used; and what content is being transferred. This lack of perception forces enterprises and government organizations into reacting to security threats instead of proactively policing their networks and stopping threats before damage can occur. Improved situational awareness can lead to better security and higher resiliency against the backdrop of increasingly advanced and persistent threats. As security engineers become enlightened through situational awareness, they know and see exactly what’s happening on the network and can control it.
Wikipedia defines situational awareness, or SA as “the perception of environmental elements within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future.” In the world of physical security, we think of SA as seeing, hearing, and otherwise sensing the world around us. Major advancements in SA came about with the advent of CCTV and the ability to remotely “see” what was happening, both live and in the past. On the network we’re not responding to incidents in real time because we’re neither able to see them nor have we been able to go back in time and replay events to understand the current situation better.
Without situational awareness, IT security teams respond to incidents in the same way a fire department responds to fires – a bystander calls up to report the problem. By far, the most typical way for an incident on the network to be discovered is by a third party or employee notifying IT that something strange has happened: for instance intellectual property has been found outside the network, a server is running slowly, or a bad actor is bragging about their success. The 2009 Verizon Business Data Breach Investigations Report finds that over 80% of network breaches are discovered either by third parties or by employees going about their regular work activities – not by our existing automated security devices. Because of this, incidents are discovered late, lack data and detail, and lead to higher costs to organizations, industries and individuals.
Network security teams that make the shift to improved situational awareness are empowered with the insight that true security comprises. Stop reacting to security issues and start seeing the problems and knowing what to do about them before an incident can become a network security issue. New tools, particularly network forensics appliances from companies like Solera Networks and our competitors, can reduce the occurrence of network breaches, augment understanding of network alerts and incidents, and enable security teams to recognize exactly what data may have been compromised, so they can proceed consciously and confidently to provide better security.