Why Adaptive Security is Critical Today, and How to Achieve It
May 11, 2017. By Dan Joe Barry, VP Positioning and Chief Evangelist at Napatech
In 2004, the global cybersecurity market was worth $3.5 billion – and in 2017 Cybersecurity Ventures expects it to be worth more than $120 billion. In other words, the cybersecurity market grew roughly 35-fold in 13 years. This huge increase in spending is being fueled by the dozens of zero-day threats, millions of new malware variants and other attack types that organizations both large and small face each year.
A convergence of technology trends has resulted in greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions. BYOD can act as a Trojan horse to gain access to the network, and employees or contractors can knowingly or unwittingly mishandle data in a way that results in a breach. Cloud computing also provides new opportunities for attackers, who are constantly looking for novel ways to breach the wall by exploiting vulnerabilities.
Another technology trend is the non-malware attack. With this type of attack, no malware is downloaded to the user’s computer. Instead, a malicious script is activated that exploits vulnerabilities in Flash, web browsers and other tools already present on the computer. As many of the security prevention solutions installed are focused on preventing malware download, this attack nullifies the effectiveness of a large part of the security architecture.
Focus on Detection
Based on user and network behavior analysis, an additional layer of advanced threat detection can be deployed to complement these security prevention solutions. These internal advanced threat solutions rely on continuous monitoring of network activity to first establish a profile of normal network behavior and then compare real-time activity to this profile to detect anomalous behavior. When used in conjunction with the information from other security solutions, they can provide the first indication that a breach has taken place.
Advanced threat detection is so successful at defeating non-malware attacks because it does not rely on detecting file downloads but on detecting activities that are out-of-the-ordinary, giving the security team the basis for further investigation.
The linchpin ability that enables network behavior analysis is analysis of all network traffic in real time. This requires packet capture solutions that can deliver each and every packet for analysis without packet loss, even at speeds up to 100G.
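The baseline-then-compare approach described above, as an added illustration that is not code from the original article or from Napatech: a per-host profile of normal behavior (destination ports used, bytes sent per time window) is learned from a training period of constructed flow records, and a later live window is scored against it. Hosts with no baseline, never-seen ports and volume far outside the learned distribution each produce an alert for the security team to investigate. The flow tuples, host addresses and the 3-sigma threshold are all constructed assumptions.

```python
"""Baseline-and-compare anomaly detection over flow records (constructed example).

A flow record here is (window, src_host, dst_port, bytes). The training set
establishes what each host normally does; score_window() compares one live
window against that profile and returns alerts for out-of-the-ordinary activity.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class HostProfile:
    ports: set = field(default_factory=set)     # destination ports seen in training
    volumes: list = field(default_factory=list)  # bytes sent per training window

    def volume_stats(self):
        return mean(self.volumes), pstdev(self.volumes)


def build_baseline(flows):
    """Learn a HostProfile per source host from training flows."""
    per_window = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for window, src, dport, nbytes in flows:
        per_window[src][window] += nbytes
        ports[src].add(dport)
    return {src: HostProfile(ports=ports[src], volumes=list(per_window[src].values()))
            for src in ports}


def score_window(profiles, flows, z_threshold=3.0):
    """Compare one window of live flows with the baseline; return (host, kind, detail) alerts."""
    alerts = []
    seen_new_ports = set()
    volume = defaultdict(int)
    for _window, src, dport, nbytes in flows:
        volume[src] += nbytes
        prof = profiles.get(src)
        if prof is None:
            if (src, "unknown-host") not in seen_new_ports:
                seen_new_ports.add((src, "unknown-host"))
                alerts.append((src, "unknown-host", f"no baseline exists for {src}"))
            continue
        if dport not in prof.ports and (src, dport) not in seen_new_ports:
            seen_new_ports.add((src, dport))
            alerts.append((src, "new-port", f"{src} contacted port {dport}, never seen in baseline"))
    for src, nbytes in volume.items():
        prof = profiles.get(src)
        if prof is None:
            continue
        mu, sigma = prof.volume_stats()
        if sigma == 0:
            # A perfectly constant baseline has no spread; fall back to a simple ratio test.
            anomalous, z = nbytes > 2 * mu, float("inf") if nbytes > mu else 0.0
        else:
            z = (nbytes - mu) / sigma
            anomalous = z > z_threshold
        if anomalous:
            alerts.append((src, "volume", f"{src} sent {nbytes} bytes, z-score {z:.1f} vs mean {mu:.0f}"))
    return alerts


# Constructed training data: ten "normal" windows for two internal hosts.
TRAINING_FLOWS = [
    *[(w, "10.0.0.5", 443, b) for w, b in enumerate(
        [1_000_000, 1_100_000, 900_000, 1_050_000, 950_000,
         1_000_000, 1_200_000, 800_000, 1_000_000, 1_000_000])],
    *[(w, "10.0.0.5", 53, 2_000) for w in range(10)],
    *[(w, "10.0.0.7", 443, 500_000) for w in range(10)],
    *[(w, "10.0.0.7", 80, 100_000) for w in range(10)],
]

# Constructed live window: one host behaves normally, one uses a new port with a
# large transfer, and a third host has no baseline at all.
LIVE_WINDOW = [
    (10, "10.0.0.5", 443, 1_000_000),
    (10, "10.0.0.5", 53, 2_000),
    (10, "10.0.0.5", 8443, 5_000_000),
    (10, "10.0.0.7", 443, 500_000),
    (10, "10.0.0.7", 80, 100_000),
    (10, "10.0.0.9", 443, 10_000),
]


def demo():
    profiles = build_baseline(TRAINING_FLOWS)
    return score_window(profiles, LIVE_WINDOW)


if __name__ == "__main__":
    for host, kind, detail in demo():
        print(f"[{kind}] {detail}")
```

Note that the volume test is applied per host per window rather than per flow, so a slow-and-low transfer spread across many flows is still caught, while the new-port test fires at most once per host and port so the analyst is not flooded with duplicates.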
The Role of Recording
Every C-level executive dreads getting the call that a breach has occurred, and the immediate concern is to determine the extent of the breach and the company’s exposure. The executive will expect the security team to be able to report exactly what happened, when it happened and why it happened within a matter of hours.
That’s rarely possible, however, because most security solutions today are built to prevent and detect attacks in real time or at least near-real time. Reconstructing the anatomy of an attack in detail is often impossible, especially if the attack took place up to six months ago. There is therefore a strong case to be made for establishing the capability to record network traffic in a way that will allow the reconstruction of a breach even months after the fact.
Where does this capability come from? A packet capture-to-disk or network recording capability allows every packet on the network to be recorded at speeds up to 100 Gbps but can also provide multiple security analysis applications access to the same data. This allows deep-dive analysis of reliable network data on demand to support near-real-time forensic analysis or analysis of breaches several months in the past.
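A minimal sketch of the capture-to-disk idea described above, as an added example that is not code from the original article or from any Napatech product: each packet summary is appended to a recording file as a fixed-size record, and a coarse hour-to-byte-offset index lets an independent reader seek straight to the time range of interest months later instead of scanning the whole archive. Several readers can open the same recording, which is the "multiple applications, same data" property the paragraph mentions. The record layout, the hourly index granularity and the packet tuples are all constructed assumptions; a real recorder would store full packets and a far denser index.

```python
"""Capture-to-disk with a time index for retrospective queries (constructed example).

Writer appends fixed-size packet summaries in time order and remembers the byte
offset where each hour begins. Reader seeks to the right hour and reads forward,
so a question like "what did host X talk to between t1 and t2?" is answered
without touching the rest of the recording.
"""
import bisect
import ipaddress
import os
import struct
import tempfile

# ts, src IPv4, dst IPv4, src port, dst port, packet length (20 bytes per record)
RECORD = struct.Struct("!IIIHHI")
HOUR = 3600


def _ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


class PacketRecorder:
    """Append-only recorder keeping a sorted (hour_bucket, offset) index."""

    def __init__(self, path):
        self.path = path
        self.index = []
        self._fh = open(path, "wb")
        self._last_ts = 0

    def record(self, ts, src, dst, sport, dport, length):
        if ts < self._last_ts:
            raise ValueError("records must be appended in time order")
        bucket = ts // HOUR
        if not self.index or self.index[-1][0] != bucket:
            self.index.append((bucket, self._fh.tell()))
        self._fh.write(RECORD.pack(ts, _ip_int(src), _ip_int(dst), sport, dport, length))
        self._last_ts = ts

    def close(self):
        self._fh.close()


class PacketReader:
    """Independent reader; any number of analysis tools can open the same file."""

    def __init__(self, path, index):
        self.path = path
        self.index = index

    def query(self, start, end, host=None):
        """Return records with start <= ts <= end, optionally restricted to one host."""
        buckets = [b for b, _ in self.index]
        i = max(bisect.bisect_right(buckets, start // HOUR) - 1, 0)
        host_int = _ip_int(host) if host else None
        out = []
        with open(self.path, "rb") as fh:
            fh.seek(self.index[i][1])       # jump to the hour containing `start`
            while chunk := fh.read(RECORD.size):
                ts, s, d, sp, dp, ln = RECORD.unpack(chunk)
                if ts > end:
                    break                   # records are time ordered; nothing more to find
                if ts < start or (host_int is not None and host_int not in (s, d)):
                    continue
                out.append((ts, str(ipaddress.IPv4Address(s)),
                            str(ipaddress.IPv4Address(d)), sp, dp, ln))
        return out


def demo():
    """Record constructed traffic spanning three months, then query it retrospectively."""
    base = 1_483_228_800  # 2017-01-01 00:00:00 UTC, hour aligned
    fd, path = tempfile.mkstemp(suffix=".rec")
    os.close(fd)
    try:
        rec = PacketRecorder(path)
        rec.record(base, "10.0.0.5", "203.0.113.10", 51000, 443, 1200)
        rec.record(base + 30, "10.0.0.7", "203.0.113.20", 51001, 80, 800)
        rec.record(base + 4000, "10.0.0.5", "198.51.100.9", 51002, 8443, 1500)
        rec.record(base + 90 * 86400, "10.0.0.5", "203.0.113.10", 51003, 443, 600)
        rec.close()
        reader = PacketReader(path, rec.index)
        return {
            "second_hour_host5": reader.query(base + 3600, base + 7200, host="10.0.0.5"),
            "all_host5": reader.query(base, base + 100 * 86400, host="10.0.0.5"),
            "all_host7": reader.query(base, base + 100 * 86400, host="10.0.0.7"),
            "index_buckets": len(rec.index),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Keeping the index beside the data rather than inside it is deliberate: the index can be rebuilt by one sequential pass over the recording, so losing it does not lose the evidence.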
Prevention vs. Adaptation
In a report by Gartner, the analyst firm concluded that there is an over-reliance on security prevention solutions, which are insufficient to protect against motivated, advanced attackers. The alternative proposed was an adaptive security architecture based on the following critical capabilities:
– to stop attacks – preventive
– to find attacks that have evaded preventive capabilities – detective
– to react to attacks and perform forensic analysis – retrospective
– to learn from attacks and industry intelligence to improve capabilities and proactively predict potential new attacks – predictive
What makes the adaptive security architecture work is the ability to perform continuous monitoring and analytics, including network monitoring and analysis.
Adapt or Perish
When packet capture capabilities, advanced threat detection solutions and next-generation SIEM solutions join forces, we have in place the infrastructure to support an adaptive security framework.
This framework is aptly named, as it can prevent known attacks, detect zero-day threats and detect anomalous behavior that can indicate breaches that have circumvented defenses. The alerts and information from each solution are correlated and condensed by solutions like SIEM systems that will enable security teams to quickly focus their attention on the most important threats.
If an attacker does manage to circumvent cybersecurity systems and a breach is detected late, the ability to fully capture and record each packet allows the anatomy of an attack to be recreated, allowing a quick determination of the extent and impact of the breach, as well as the ability to learn and prevent such a breach from happening again.
As the cybersecurity market grows to $120 billion, organizations need to think strategically about where to put their money. Prevention solutions alone are insufficient; they must be paired with detection solutions to provide IT security teams with complete visibility into the network. Essential capabilities include recording network data for near-real-time forensic analysis and post-breach analysis, as well as next-generation SIEM. When security is adaptive, it can both prevent and detect threats, and analyze them if they are able to pierce network defenses. It’s a framework that helps organizations address present and past concerns, which sets them up for a more secure future.
About the Author:
Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.