Adding virtual and cloud visibility can turn the tables on attackers: Gigamon CTO

The stealthy design of today's advanced persistent threats (APTs) has given potential targets a hint of an advantage that could reverse the longstanding “asymmetry” between attacker and defender, the chief technical officer of security firm Gigamon has noted, as organisations increasingly re-evaluate their security defences to accommodate the new rules of malware engagements.

These new rules reflect a changing reality: whereas target organisations used to be at a disadvantage because attackers only had to be successful in evading defences once, those targets can now turn the tables because malware's design has shifted from bombardment to stealth – and, assuming the target network is instrumented well enough with sensitive security-analytics tools, one slipup can be enough to give the malware away.

“Even though organisations are increasingly spending money on cybersecurity technologies, breaches are continuing to happen,” Gigamon CTO Shehzad Merchant told CSO Australia. “Organisations are stepping back and reevaluating their assumptions – and beginning to work on the assumption that there is no such thing as secure anymore.”

“Because today's malware attempts to propagate within the organisation in a very stealthy manner, it has to evade every possible form of detection – but the defender only has to find one fingerprint that can lead them to the attacker.”

There is a caveat, however: finding that fingerprint requires that organisations have strong and consistent visibility across their entire data infrastructure – including physical, virtual, and cloud-based infrastructures. Security protections have historically been weakened by functional gaps between the way each environment is managed, leading vendors like Gigamon to focus on building consistent platforms that seamlessly extend across every one of these components.

By positioning themselves across every part of the network, such tools allow companies to use virtual 'taps' to monitor traffic throughout the environment. This capability, Merchant said, ensures that attackers can't set up their own communications channels outside of the broad network frameworks that companies use.

“A lot of security companies, whether focused on firewalls, APT protection and so on, are actually building very sophisticated solutions,” he said. “But their solutions are predicated on seeing the right traffic. If they don't see the right traffic, their solutions are effectively useless.”

In filling out its monitoring story, Gigamon recently forged a partnership with fast-growing analytics firm Splunk, whose increasing focus on cloud analytics and machine-learning-based analysis has given it a leg up in the exploding security-analytics area.

Gigamon is “100 percent channel focused” and has been growing its Australian team in recent months in anticipation of stronger take-up, largely on the back of the growing awareness of the role of security analytics in improving corporate response to security threats.

Yet despite growing mindshare, many organisations were realising that growing volumes of traffic present their own challenges, Merchant added: “the network infrastructure upgrade cycles and depreciation cycles for network infrastructure are very different from the upgrade cycles that are being used to secure them,” he explained, noting the importance of deep packet inspection (DPI) and filters that can help trim the flood of traffic to more manageable levels.

DPI capabilities allow monitoring tools to recognise and divert non-threatening traffic – for example, Netflix streaming video – away from security filters so they can focus on the types of traffic that are more relevant to security enforcement. By using this approach to triage increasing volumes of network traffic, Merchant said, companies can keep up with growth and meaningfully concentrate their revised security architectures on the entire network – and not just the perimeter – to increase the likelihood that they will pick up on that one fingerprint that gives away an otherwise-stealthy APT.
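The triage described above, as an added illustration rather than Gigamon's own code: flow records carrying DPI-derived attributes (TLS SNI and per-direction byte counts) are split into a "bypass" set of recognised streaming traffic and an "inspect" set that is forwarded to the security tools. The flow records, the IP addresses, the SNI allowlist and the download-ratio threshold are all constructed assumptions for the example. The caveat a practitioner would want is built in: a flow is only bypassed when both its name and its traffic shape look like streaming, so the filter reduces volume without quietly removing anything unusual from view.

```python
"""Flow triage: divert recognised streaming traffic away from security
inspection, keep everything else (and anything that merely looks like
streaming) in view.

Added example, not code from Gigamon or CSO. All sample data below is
constructed; the allowlist and threshold are assumptions.
"""
from dataclasses import dataclass

# Assumed allowlist of SNI suffixes for bulk video streaming. In a real
# deployment this would come from a maintained application-signature feed.
BYPASS_SNI_SUFFIXES = (".nflxvideo.net", ".netflix.com")

# Streaming is overwhelmingly server-to-client; assumed threshold for the
# share of bytes flowing inbound before a flow is trusted as streaming.
MIN_DOWNLOAD_RATIO = 0.8


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    sni: str           # TLS SNI extracted by DPI, "" if none was seen
    bytes_out: int     # client -> server
    bytes_in: int      # server -> client


def classify(flow: Flow) -> str:
    """Return 'bypass' for recognised streaming traffic, otherwise 'inspect'."""
    if flow.dst_port != 443 or not flow.sni:
        return "inspect"                      # no recognisable TLS application
    if not flow.sni.endswith(BYPASS_SNI_SUFFIXES):
        return "inspect"                      # not on the streaming allowlist
    total = flow.bytes_in + flow.bytes_out
    if total == 0 or flow.bytes_in / total < MIN_DOWNLOAD_RATIO:
        # The name says streaming but the traffic shape does not; leave it
        # to the security tools rather than filtering it out on name alone.
        return "inspect"
    return "bypass"


def triage(flows):
    """Split flows into (bypass, inspect) lists."""
    bypass = [f for f in flows if classify(f) == "bypass"]
    inspect = [f for f in flows if classify(f) == "inspect"]
    return bypass, inspect


# Constructed sample flows (documentation IP ranges, made-up hostnames).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "c001.example.nflxvideo.net", 20_000, 5_000_000),
    Flow("10.0.0.6", "203.0.113.20", 443, "www.netflix.com", 3_000, 40_000),
    Flow("10.0.0.7", "198.51.100.5", 443, "", 12_000, 9_000),          # no SNI
    Flow("10.0.0.8", "198.51.100.9", 8443, "update.example.org", 800, 1_200),
    Flow("10.0.0.9", "203.0.113.30", 443, "cdn.netflix.com", 900_000, 10_000),  # upload-heavy
]


def summarize(flows=SAMPLE_FLOWS):
    """Report how much traffic still reaches the security tools after triage."""
    _, inspect = triage(flows)
    return {
        "flows_total": len(flows),
        "flows_inspect": len(inspect),
        "bytes_total": sum(f.bytes_in + f.bytes_out for f in flows),
        "bytes_inspect": sum(f.bytes_in + f.bytes_out for f in inspect),
    }


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src:>10} -> {f.dst}:{f.dst_port:<5} {f.sni or '-':30} {classify(f)}")
    print(summarize())
```

On the constructed sample, two of five flows are bypassed but they account for the bulk of the bytes, which is the point of the approach: the security filters keep every flow that is not positively identified as streaming, yet see only a fraction of the total volume. The upload-heavy flow to a streaming-named host stays in the inspect set because the byte ratio check, not just the hostname, decides the bypass.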

This approach would be crucial looking into the future, as volumes and infrastructure complexity continue to increase. “The biggest challenge in my view continues to be the fact that many organisations are still investing heavily and relying on a perimeter-centric model,” Merchant said.

“As we look at 2016, it's going to be increasingly important to have security solutions that start to look inside the security perimeter for malware. Otherwise, the volume and scale of breaches is just going to continue to grow.”
