Fast Security Response Requires Traffic Visibility
by Michael Patterson
The Internet has brought the world together in both good and bad ways. Today, remote employees can live anywhere and get their job done. Cyber criminals are no different. Not only can they live in a different country, but they can also stay anonymous and prevent legal authorities from determining where an attack originated. Think the attack came from China? Maybe that computer was compromised from a server in Russia, which was in turn compromised by a person sitting in a country in Africa.
The amount of money to be made in cybercrime is attractive to smart people who may desperately need work. This is part of the reason why cybercrime is expected to cost the world more than $6 trillion by 2021, up from $3 trillion in 2015, according to Steve Morgan, CEO of Cybersecurity Ventures.
We Are On Our Own
We don't have cybersecurity police that we can call. In most cases, the folks at 911 can't help us when we've been attacked. We are on our own. This is why CSOs need systems in place that let them react fast, and reacting fast requires up-to-date data that improves situational awareness.
Improve Situational Awareness
How many hosts are on your network? Are they classified? In other words, can you click on one and identify what the device is and why it is on the network? Few companies can do this without spending several minutes researching the IP address, MAC address, location, etc. When investigating the traffic patterns behind any one of the dozens of suspicious events that occur during a day, this process shouldn't take more than a few seconds and one or two clicks in a web browser.
Packet Capture is Good, but…
Packet capture is great for gaining access to all the details, unless the payload is encrypted, as most attack traffic now is. Other dilemmas for packet capture include:
- Proximity to the event: In medium to large companies, we can't deploy enough probes to collect what we want everywhere we need to.
- History: On busy enterprise links, full packet capture can consume terabytes of storage in minutes. This means we rarely have the luxury of keeping days of data to pore through every time we need to investigate an event.
Metadata to the Rescue
What we need is metadata, i.e. a summary of the connections that occur on the network. Consider a corporate phone bill, for example. We can see when a call took place, who made it, the destination phone number, and the duration. We don't have the contents of the conversation, but we often don't need them in order to investigate the event and contain the infection. This is the problem that NetFlow and IPFIX "flow data" solve for packet capture. A flow record summarizes one side of a connection and typically includes, but is not limited to:
- The source and destination IP addresses
- The source and destination port numbers
- The source and destination autonomous system numbers (when the exporter runs BGP)
- The source and destination MAC addresses (as seen on the exporting interface, i.e. the adjacent hop rather than the end host)
- Other details such as the IP protocol, DSCP value, cumulative TCP flags, ingress/egress interface, etc.
- Metrics such as total bytes and packets, and, from probes or extended IPFIX templates, round trip time, packet loss, retransmits, etc.
By summarizing packets into the metadata above, a single connection between two hosts involving hundreds of thousands of packets becomes one flow record per direction (a long-lived connection is split into several records by the exporter's active timeout, typically every minute or so). If you consider that a router can pack dozens of flow records into a single export datagram, you begin to understand the economies of scale. Flow data consumes far less disk space, which means that months or even years of retention becomes possible. Because most routers, switches and firewalls can export NetFlow or IPFIX, we gain visibility into nearly all corners of the network without deploying probes. One caveat: many high-speed platforms only support sampled export (for example one packet in a thousand), which is fine for volume-based detections but can miss short or sparse connections entirely, so check whether your exporters are sampling before relying on flow data for security.
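To make the packet-to-flow summarization concrete, here is an added example (not code from the article or from any flow exporter) that folds packet-level records into unidirectional flow records the way a NetFlow/IPFIX exporter does: one record per 5-tuple, byte and packet counters, the cumulative OR of TCP flags, and records closed on FIN/RST or when the active timeout expires. The packet list is constructed for illustration; the `Flow` class and `aggregate` function are assumptions of this example, not a real exporter's API.

```python
"""Fold packet records into unidirectional flow records (added example)."""
from dataclasses import dataclass

# TCP flag bits as they appear in a NetFlow/IPFIX tcpControlBits field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0  # cumulative OR of every flag seen, as a flow record stores it


def aggregate(packets, active_timeout=1800.0):
    """packets: iterable of (ts, src_ip, dst_ip, sport, dport, proto, length, tcp_flags).
    Returns one Flow per 5-tuple. A TCP flow is closed by FIN or RST; any flow that
    has been active longer than active_timeout seconds is exported and restarted,
    which is how exporters keep reporting long-lived connections."""
    finished, active = [], {}
    for ts, sip, dip, sp, dp, proto, length, flags in packets:
        key = (sip, dip, sp, dp, proto)
        flow = active.get(key)
        if flow is not None and ts - flow.first_seen > active_timeout:
            finished.append(active.pop(key))  # active timeout: export and start a new record
            flow = None
        if flow is None:
            flow = active[key] = Flow(sip, dip, sp, dp, proto, ts, ts)
        flow.last_seen = ts
        flow.packets += 1
        flow.bytes += length
        flow.tcp_flags |= flags
        if proto == 6 and flags & (FIN | RST):
            finished.append(active.pop(key))  # connection teardown closes the record
    finished.extend(active.values())  # anything still open is exported at the end
    return sorted(finished, key=lambda f: f.first_seen)


# Constructed sample: a DNS lookup followed by a short HTTPS exchange,
# client 10.1.2.3 <-> server 203.0.113.10 (12 packets, 4 flow records).
SAMPLE_PACKETS = [
    (999.990, "10.1.2.3", "10.1.0.53", 40112, 53, 17, 73, 0),
    (999.995, "10.1.0.53", "10.1.2.3", 53, 40112, 17, 120, 0),
    (1000.000, "10.1.2.3", "203.0.113.10", 51514, 443, 6, 60, SYN),
    (1000.020, "203.0.113.10", "10.1.2.3", 443, 51514, 6, 60, SYN | ACK),
    (1000.021, "10.1.2.3", "203.0.113.10", 51514, 443, 6, 52, ACK),
    (1000.030, "10.1.2.3", "203.0.113.10", 51514, 443, 6, 569, PSH | ACK),  # ClientHello
    (1000.055, "203.0.113.10", "10.1.2.3", 443, 51514, 6, 1500, ACK),
    (1000.056, "203.0.113.10", "10.1.2.3", 443, 51514, 6, 1500, ACK),
    (1000.057, "203.0.113.10", "10.1.2.3", 443, 51514, 6, 900, PSH | ACK),
    (1000.058, "10.1.2.3", "203.0.113.10", 51514, 443, 6, 52, ACK),
    (1000.300, "10.1.2.3", "203.0.113.10", 51514, 443, 6, 52, FIN | ACK),
    (1000.320, "203.0.113.10", "10.1.2.3", 443, 51514, 6, 52, FIN | ACK),
]


if __name__ == "__main__":
    flows = aggregate(SAMPLE_PACKETS)
    print(f"{len(SAMPLE_PACKETS)} packets -> {len(flows)} flow records")
    for f in flows:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} proto={f.proto} "
              f"pkts={f.packets} bytes={f.bytes} flags=0x{f.tcp_flags:02x}")
```

Note that the client's side of the TLS connection collapses to one record of 5 packets and 785 bytes with flags 0x1b (SYN, PSH, ACK and FIN all set), which is exactly the kind of summary a collector can store for months. A real exporter also applies an inactive timeout, omitted here for brevity.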
Speed: React Fast
When a security appliance reports a suspect IP address, it can be searched for in the flow collection system. The details surrounding the host can be displayed in seconds, and good reporting can expose all of the traffic surrounding the incident: who the host talked to, on which ports, how much it sent and received, and when.
If we link the flow collection system to the authentication server (e.g. Cisco ISE, Microsoft AD), it can display the username that authenticated the device onto the network. If the exporter sits on the host's own segment, the MAC address in the flow record identifies the device and its OUI reveals the manufacturer (a flow exported further upstream carries the MAC of the adjacent router instead, so this enrichment works best on access-layer exporters). If internal IP addresses are placed into logical groups, we can identify the department and location. Even more details can be obtained if we integrate with the IPAM system.
Network Behavior Analysis
Paired with the right behavior analysis system, flow data can uncover suspicious traffic patterns that let security teams identify malware as well as low and slow data leaks: many small connections to one external host at regular intervals, or an internal host quietly pulling data from far more servers than it normally touches.
A children's hospital in the northeast identified an endpoint infected with malware that threatened the exposure of medical records. The detection was performed using NetFlow.
Flow Data is a Security Necessity
The threat landscape is growing, and the attackers are well paid and incentivized to compromise and steal from your online systems. In a recent survey of 583 U.S. companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their organization's computers had been breached at least once by hackers over the past 12 months. Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.
With enterprise-wide visibility and the right flow analytics system, cyber response teams can uncover malicious activities such as data hoarding, low and slow leakage, and DDoS attacks. Once something is uncovered, the same flow data pins down the host involved and can expose the attacker's lateral movement within the organization, because every internal connection was recorded, not just the ones that crossed a probe.
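The two things the article asks of a flow analytics system, pivoting on a suspect address (the "Speed: React Fast" section) and finding low and slow leakage and data hoarding (the two sections above), can be shown over a handful of flow records. The following is an added example, not code from the article or from any commercial product: the flow records are constructed, the internal address range and the detection thresholds (`min_conns`, `max_cv`, `min_span`, `min_servers`, `min_bytes`) are assumptions, and a production system would compare each host against its own baseline rather than against static numbers.

```python
"""Pivot and behaviour checks over unidirectional flow records (added example)."""
import ipaddress
import statistics
from collections import defaultdict

# Assumption: this site's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pivot(flows, ip):
    """Everything the collector knows about one address, grouped by peer:
    bytes sent to and received from it, destination ports used, first/last seen."""
    peers = {}
    for f in flows:
        if ip not in (f["src"], f["dst"]):
            continue
        peer = f["dst"] if f["src"] == ip else f["src"]
        p = peers.setdefault(peer, {"bytes_out": 0, "bytes_in": 0, "ports": set(),
                                    "first": f["ts"], "last": f["ts"]})
        if f["src"] == ip:
            p["bytes_out"] += f["bytes"]
            p["ports"].add(f["dport"])
        else:
            p["bytes_in"] += f["bytes"]
        p["first"], p["last"] = min(p["first"], f["ts"]), max(p["last"], f["ts"])
    return peers


def detect_beacons(flows, min_conns=10, max_cv=0.2, min_span=3600):
    """Low-and-slow leakage: an internal host opening many small connections to one
    external peer at near-constant intervals over a long span. Regularity is the
    coefficient of variation (pstdev / mean) of the gaps between connections."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            by_pair[(f["src"], f["dst"], f["dport"])].append(f)
    hits = []
    for (src, dst, dport), group in by_pair.items():
        if len(group) < min_conns:
            continue
        times = sorted(f["ts"] for f in group)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv and times[-1] - times[0] >= min_span:
            hits.append({"src": src, "dst": dst, "dport": dport, "connections": len(group),
                         "interval_s": round(mean), "bytes_out": sum(f["bytes"] for f in group)})
    return hits


def detect_hoarding(flows, min_servers=5, min_bytes=500 * 1024 * 1024):
    """Data hoarding: one internal host receiving a large volume from many distinct
    internal servers (the staging step before an exfiltration)."""
    pulled = defaultdict(lambda: defaultdict(int))  # receiving host -> sending host -> bytes
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            pulled[f["dst"]][f["src"]] += f["bytes"]
    return [{"host": host, "servers": len(srcs), "bytes": sum(srcs.values())}
            for host, srcs in pulled.items()
            if len(srcs) >= min_servers and sum(srcs.values()) >= min_bytes]


def _flow(ts, src, dst, dport, nbytes, proto=6):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes}


def build_sample():
    """Constructed flow records covering one hour; not captured data."""
    flows = []
    # Beacon: 10.1.2.3 reaches 198.51.100.7:443 every ~5 min, ~1.5 KB out, ~300 B back.
    for i in range(13):
        t = i * 300 + (5 if i % 2 else 0)  # small jitter
        flows.append(_flow(t, "10.1.2.3", "198.51.100.7", 443, 1500))
        flows.append(_flow(t + 0.2, "198.51.100.7", "10.1.2.3", 52000 + i, 300))
    # Ordinary browsing from 10.1.2.4: a few irregular connections, more bytes in than out.
    for t, nbytes in [(10, 4000), (47, 120000), (1200, 2500), (1230, 9000), (2900, 30000)]:
        flows.append(_flow(t, "10.1.2.4", "203.0.113.10", 443, 900))
        flows.append(_flow(t + 0.1, "203.0.113.10", "10.1.2.4", 51000, nbytes))
    # Hoarding: 10.1.2.9 pulls ~200 MB over SMB from each of six internal file servers.
    for n in range(6):
        server = f"10.1.0.{20 + n}"
        flows.append(_flow(600 + n * 60, "10.1.2.9", server, 445, 20000))
        flows.append(_flow(601 + n * 60, server, "10.1.2.9", 49000 + n, 200 * 1024 * 1024))
    # Background: one DNS lookup per host.
    for host in ("10.1.2.3", "10.1.2.4", "10.1.2.9"):
        flows.append(_flow(5, host, "10.1.0.53", 53, 70, proto=17))
        flows.append(_flow(5.01, "10.1.0.53", host, 40000, 150, proto=17))
    return sorted(flows, key=lambda f: f["ts"])


if __name__ == "__main__":
    sample = build_sample()
    print("beacons:", detect_beacons(sample))
    print("hoarding:", detect_hoarding(sample))
    for peer, info in pivot(sample, "10.1.2.3").items():
        print("10.1.2.3 <->", peer, info)
```

Run stand-alone, the beacon check flags only 10.1.2.3 (13 connections, 300 s apart, 19.5 KB out in an hour, which is the kind of volume no bandwidth threshold would ever notice), the hoarding check flags only 10.1.2.9, and the pivot on the beaconing host lists its external peer with bytes in both directions and the port used. Joining the flagged addresses to the authentication server and IP groups, as described above, is what turns these rows into a user and a location.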