Security Teams Need to Maintain Packet-level Visibility Into All Traffic Flowing Across Their Networks
The most destructive disaster is the one you do not see coming. Before modern meteorology, settlers along the Atlantic coast had no warning when a hurricane was upon them. There was no way to escape from the titanic forces of wind and rain. Now, scientific instruments such as radar, barometers and satellites can see trouble brewing halfway across the ocean, giving residents time to evacuate and save lives.
While there is no evacuating cyberspace to avoid a storm of hackers, prior warning gives security teams a chance to stop cybercriminals before they can wreak havoc and make off with sensitive customer data or company secrets. There is an all too common adage that it is not a question of if a company will be hacked, but when it will find the hack. The realities of cyberspace make it too difficult to reliably keep hackers out of corporate networks. That is not to say security teams should give up, but rather that they need to shift their goals.
Instead of focusing on stopping hackers before they get in, security teams need to move the real contest to their home turf where they have the real advantage. Winning is about stopping hackers from leaving with stolen data more than it is about keeping them out.
Achieving this requires security teams to make a concerted effort to expand their visibility on their systems to better understand hacker activity. In a properly set up system, one mistake on the hackers’ part inside the network will reveal their presence and make them easy targets to block.
Everything the light touches
The first step in gaining enough visibility to address this new way of approaching security is to make sure that security teams have visibility into the digital assets under their control. This sounds like a simple prospect, but it is growing increasingly complicated. In the old days, just keeping track of the laptops and desktops doled out to employees for their daily work was enough, since servers were secured in the basement behind layers of firewalls and other security filters.
Modern IT systems now have to contend with all of the above, in addition to mobile phones and tablets, IoT devices and cloud servers, not to mention remote workers accessing the corporate network from dispersed locations. Security teams need to make sure they are keeping track of all of the devices that can access their networks and make sure all are behaving normally.
The easiest device to hack is the one that no one is watching. A device that has been forgotten and neglected under the mountain of other responsibilities IT and security teams must contend with is a ripe target for hackers to establish a foothold and gather intelligence about a network before executing the final phase of their attack.
Building higher fences
A good first step to maintaining visibility is to conduct an inventory of all devices and systems under the company’s control, everything that could access the network (including wireless printers). This requires constant maintenance as new cloud resources spin up and down but makes it easier to track all points of access to the network. Restricting access to the network to only this short list of devices that the security team can monitor is a good step to making it harder for hackers to sneak by unnoticed.
Once that list is in place it is also important to monitor activity at the network level. That way every new interaction can be watched carefully for signs of malicious intent. Cybercriminals do not know the ins and outs of the network the way that the security teams who work with it every day do. Intruders are groping their way through the dark, not knowing what they will find with every ping. Network defenders can turn this to their advantage by looking for exploratory activity coming from unusual places such as automated devices or employees in non-technical departments. It is also effective to deploy decoys like honeypots that tempt intruders with promises of a big payload but actually alert security teams to the unwanted activity.
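The inventory-plus-monitoring approach above, as an added example that is not from the original article: a small Python script that joins constructed flow records against a constructed asset inventory and flags two things the text calls out, devices that are not on the inventory at all, and exploratory fan-out (many distinct targets) from devices such as printers or non-technical desktops whose role should never involve probing the network. The inventory, roles, IP addresses and threshold are all assumptions.

```python
# Added example (not part of the original article): flag exploratory
# network activity from devices whose inventory role should never probe
# the network, and any source missing from the inventory entirely.
from collections import defaultdict

# Constructed asset inventory: IP -> role. Roles that are expected to
# scan (e.g. the company's own vulnerability scanner) are whitelisted.
INVENTORY = {
    "10.0.1.10": "vuln-scanner",
    "10.0.2.21": "engineering-laptop",
    "10.0.3.5": "wireless-printer",
    "10.0.4.40": "hr-desktop",
}
ALLOWED_SCANNERS = {"vuln-scanner"}

# Constructed flow records: (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.1.10", "10.0.5.%d" % i, 22) for i in range(1, 30)   # sanctioned scan
] + [
    ("10.0.3.5", "10.0.5.%d" % i, 445) for i in range(1, 12)   # printer sweeping SMB
] + [
    ("10.0.2.21", "10.0.5.7", 443), ("10.0.2.21", "10.0.5.8", 443),
    ("192.168.9.9", "10.0.5.1", 3389), ("192.168.9.9", "10.0.5.2", 3389),
]

def fan_out(flows):
    """Number of distinct (dst_ip, dst_port) pairs contacted by each source."""
    seen = defaultdict(set)
    for src, dst, port in flows:
        seen[src].add((dst, port))
    return {src: len(targets) for src, targets in seen.items()}

def find_suspicious(flows, inventory, threshold=10):
    """Return {src_ip: reason} for sources that are absent from the inventory
    or that hold a non-scanning role yet touch >= threshold distinct targets."""
    findings = {}
    for src, count in fan_out(flows).items():
        role = inventory.get(src)
        if role is None:
            findings[src] = "unknown device (not in inventory)"
        elif role not in ALLOWED_SCANNERS and count >= threshold:
            findings[src] = f"exploratory activity from {role} ({count} targets)"
    return findings

if __name__ == "__main__":
    for src, reason in sorted(find_suspicious(FLOWS, INVENTORY).items()):
        print(f"{src}: {reason}")
```

In a real deployment the inventory would be pulled from the asset database and the flows from NetFlow/IPFIX or packet capture, but the join-and-threshold logic stays the same.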
It is also increasingly important for security teams to pay attention to encrypted traffic. While encryption is an important way to maintain the secrecy of data in motion, it is also a tool for cybercriminals to hide their malicious activity. Security teams need to maintain packet-level visibility into all traffic flowing across their networks, even if it is encrypted, so that they can spot bad actors. The most effective way to do this is to install a dedicated decryption solution alongside the packet filtering solution on the network so that decryption only happens once. The decryption and filtering combination creates a center of excellence that specializes in sorting data. This ensures that other critical devices on the network, such as firewalls and IPS tools, are not bogged down with extra processing. It is also important to make sure decryption solutions keep up with the latest encryption protocols and standards so they can catch any network traffic, malicious or benign, that uses them.
You cannot protect against that which you cannot see. In the ever more complicated world of modern IT networks, visibility is the increasingly pressing challenge that security teams need to solve to stop cyber attacks. The key is to simplify the problem as much as possible and tackle it from multiple angles. The same way that weathermen do not rely on a single data point to predict a storm, security teams need to see their networks via multiple data streams to make informed decisions that protect their organizations.