Network security is a growing problem in the IT industry today and the very trends that have revolutionized users’ access to data are the same ones that are leaving networks vulnerable to attacks by cyber-criminals. Warns Dan Joe Barry, Vice-President at Napatech.
On August 15, 2012, Saudi Arabia’s national oil and gas company, Aramco, suffered a debilitating cyber-attack. More than 30,000 computers were rendered inoperable by the Shamoon virus. US Secretary of Defense Leon Panetta described this virus as the most destructive weapon ever used against the business sector. Network security is a growing problem in the IT industry today and the very trends that have revolutionised users’ access to data are the same ones that are leaving networks vulnerable to attacks by cyber-criminals. Three recent trends, that you will no doubt be aware of, have improved the efficiency and effectiveness of digital services: cloud computing, big data analysis and mobility. Cloud computing centralised data makes it accessible anytime, but unfortunately it also provides cyber-criminals with fewer, more valuable, targets. Big data analysis offers a sophisticated overview of complex information; however, such a wealth of sensitive information in a centralised location provides an irresistible target for cyber-criminals. Mobility allows convenience; it permits users to access data on the network with different devices, such as mobile phones and iPads, but this severely compromises security, as these devices do not have the same protections as the typical corporate laptop.
With increasing data availability, cyber-attacks are becoming more common every year. The cost of these attacks to business, though declining from 2010 to 2011, is still high. According to the Ponemon Institute and Symantec Research, the average cost of a security breach in the United States was $5.5 million in 2011. Cyber-criminals are becoming smarter, innovating new methods to penetrate defenses and often using several different kinds of attacks in combination. For example, a hacker can utilise a distributed denial of service (DDoS) attack as a diversion for introducing malware into a network. In the case of the attack in Saudi Arabia, cyber-terrorists utilized a virus in a spear phishing attack in an attempt to disrupt international oil and gas markets. There are many types of security appliances and solutions deployed in networks, each with its own specific focus. However, these solutions are rarely coordinated, which hackers exploit using a combination of attacks.
To successfully defend against this, some kind of coordination is required between the various security solutions so a complete overview can be provided. But, even this is not enough, as detecting zero-day threats, new attacks that have never been seen before, is very difficult. It is therefore necessary to also monitor how the network is behaving to make sure that no attacks have penetrated the security solutions in place. To do this successfully requires that all these solutions are capable of monitoring and reacting in real-time. Most networks already have monitoring appliances in place, such as a firewall, an Intrusion Detection or Prevention System (IDS/IPS) or Data Loss Prevention (DPL) application. Some products that consolidate these methods into one appliance include Universal Threat Management (UTM) and Next-Generation Firewalls. But single point solutions can only ever address a part of the problem.
Another solution to network security uses the concept of Security Information and Event Management (SIEM) which is based on the centralisation of information from both network and security appliances, to provide a holistic view of security. This is a real-time solution, constantly monitoring the network to detect any anomalies that might arise, and that means that both the network and security appliances need to be able to provide data on a real-time basis to ensure that anomalies are detected the moment they occur. This in turn means that each of the appliances must be capable of keeping up with growing data loads and speeds. One of the easiest ways of disrupting the security of the network is to overload the security and network monitoring appliances using a DDoS attack rendering the centralized SIEM system blind. This is a real threat if these appliances are not capable of operating at full throughput. By assuring that they can, you have just removed another potential attack vector. Cyber-attacks on the world economy and infrastructure are becoming commonplace. The adoption of cloud computing, big data analysis and mobility have improved efficiency, but unfortunately they have also exposed critical vulnerabilities in networks. By combining network and security information into a more holistic solution, attacks, such as the spear phishing assault on Aramco, can be deterred.
