Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Bringing Cybersecurity to the Data Center

Data Center Racks

Data Center Racks

Data centers are the heart of many enterprises, providing scalable, reliable access to the information and applications that define the organization. As these data centers have become more valuable, so too has the job of securing and monitoring them. However, data centers come with their own unique requirements, challenges, and threats. 

Yet, in many ways, data center and virtualized security has been built in the image of the traditional campus network security. The problem is that the data center is not the perimeter. While porting over the models from the perimeter may feel familiar and safe, it can lead to dangerous gaps in security. 

Moving Beyond Segmentation to Cyber

Using the network perimeter as its model, the industry has sought to virtualize perimeter controls and move them into the data center. This approach began with the bedrock of perimeter security, the firewall. Initially this included simply porting traditional firewalls to run as virtual machines, and then progressed into more agent-based segmentation models that were closely integrated with the virtualization platform software itself. In both cases, the focus remained on enforcing policy within the data center. 

However, creating and enforcing rules is not the same thing as catching an intruder. On the perimeter, firewalling functions are complemented with a variety of threat detection and prevention technologies such as IDS/IPS, anti-malware solutions and web filtering, just to name a few. And like their firewall brethren, many of these perimeter threat-prevention technologies have been ported over to the virtual environment. 

Advanced Attacks and Mature Attacks

The problem is that data centers are not simply perimeter 2.0. A data center will often encounter an attacker at a far more mature phase of attack than the perimeter will, and likewise, will experience different types of threats and attack techniques. 

Specifically, perimeter threat prevention technologies tend to be heavily focused on detecting an initial compromise or infection (e.g. exploits and malware). The problem is that attackers will often only move against the data center after they have successfully compromised the perimeter. 

Advertisement. Scroll to continue reading.

The attacker may have compromised multiple devices, stolen user credentials or even administrator credentials. Instead of exploits or malware, attackers are far more likely to search for clever ways to use their newly-gained position of trust to access or damage data center assets. This means that a data center will often encounter attacks in a more mature phase of attack that may lack obvious indicators of malware or exploits.

Getting Behavioral

This is prime example where behavioral threat detection models should come into play. More than simply looking for strange or abnormal user behavior, we also must recognize the fundamental behavior of the attack tools and techniques in the hacker’s arsenal. 

Compromising administrator accounts, implanting backdoors, setting up hidden tunnels and RATs are all standard operating procedure for an ongoing persistent attack. All of these techniques have telltale behaviors that can make them standout from the normal traffic in your network, provided that you know how to look for it. In some ways you can think of it as a evolution of threat detection that focuses on recognizing malicious verbs instead of malicious nouns. Instead of looking for a specific malicious payload, you can look for what all payloads do.  

Preempt the Silos

Next we must remember that attackers do not conform to our boundaries, and that attacks will often span both the campus side of a network as well as the data center. It is crucial that security teams retain full context of an attack even when it spans both environments. 

For example hidden command-and-control traffic, network reconnaissance, lateral movement, the compromise of user and admin credentials can all precede an intrusion into the data center. Each of these phases represents an opportunity to detect an attack and it is important for security teams to see as much of this context as possible before the attack reaches the data center. 

This is why it is essential to have a unified approach to cybersecurity that spans the campus and data. Cyber attacks are complex interconnected events, and treating the data center security as a separate silo only helps the attackers. However, if we treat the campus and data center as the interconnected resources that they are, we can actually use the complexity of an attack to our advantage as defenders. The more steps an attack has the more chances we have to detect and correlate them.

A user behavior anomaly in the data center is probably not enough on its own to definitively detect an attack, and chasing down every anomaly would probably be a very poor use of an analyst’s time. However, seeing that a host has shown tunneling behavior on the campus network, used knocking sequences that reveal attempts to communicate with a backdoor on a data center server, and also seems to be slowly accumulating data leads to a very definitive diagnosis. 

All of this leads us to a point where we need to recognize the uniqueness of the data center and the threats that they face, while also recognizing that this uniqueness does not make them separate. We should look for the attack techniques that are unique to the data center, while retaining the context of everything we have learned in the campus. This can require some planning, but is very achievable.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet