The stealthy design of today's advanced persistent threats (APTs) has given potential targets a hint of an advantage that could reverse the longstanding “asymmetry” between attacker and defender, the chief technical officer of security firm Gigamon has noted, as organisations increasingly re-evaluate their security defences to accommodate the new rules of engagement with malware.
These new rules reflect a changing reality: whereas target organisations used to be at a disadvantage because an attacker only had to evade defences once, those targets can now turn the tables. Malware design has shifted from bombardment to stealth, and, assuming the target network is instrumented well enough with sensitive security-analytics tools, a single slip-up can be enough to give the malware away.
“Even though organisations are increasingly spending money on cybersecurity technologies, breaches are continuing to happen,” Gigamon CTO Shehzad Merchant told CSO Australia. “Organisations are stepping back and re-evaluating their assumptions – and beginning to work on the assumption that there is no such thing as secure anymore.”
“Because today's malware attempts to propagate within the organisation in a very stealthy manner, it has to evade every possible form of detection – but the defender only has to find one fingerprint that can lead them to the attacker.”
There is a caveat, however: finding that fingerprint requires that organisations have strong and consistent visibility across their entire infrastructure, whether physical, virtual or cloud-based. Security protections have historically been weakened by functional gaps between the way each environment is managed, leading vendors like Gigamon to focus on building consistent platforms that extend seamlessly across every one of these components.
Positioned across every part of the network, such tools let companies use virtual 'taps' to monitor traffic throughout the environment. That coverage, Merchant said, ensures attackers cannot set up their own communications channels outside the broad network frameworks that companies use.
“A lot of security companies, whether focused on firewalls, APT protection and so on, are actually building very sophisticated solutions,” he said. “But their solutions are predicated on seeing the right traffic. If they don't see the right traffic, their solutions are effectively useless.”
In filling out its monitoring story, Gigamon recently forged a partnership with fast-growing analytics firm Splunk, whose increasing focus on cloud analytics and machine learning-based analysis has given it a leg up in the exploding security-analytics area.
Gigamon is “100 percent channel focused” and has been growing its Australian team in recent months in anticipation of stronger take-up, largely on the back of growing awareness of the role security analytics plays in improving corporate response to security threats.
Yet despite that growing mindshare, many organisations were realising that rising traffic volumes present their own challenges, Merchant added. “The network infrastructure upgrade cycles and depreciation cycles for network infrastructure are very different from the upgrade cycles that are being used to secure them,” he explained, noting the importance of deep packet inspection (DPI) and filters that can trim the flood of traffic to more manageable levels.
DPI capabilities allow monitoring tools to recognise non-threatening traffic – for example, Netflix streaming video – and divert it away from security filters, so that those filters can concentrate on the traffic that matters for security enforcement. By using this approach to triage increasing volumes of network traffic, Merchant said, companies can keep up with growth and meaningfully concentrate their revised security architectures on the entire network – and not just the perimeter – to increase the likelihood that they will pick up on the one fingerprint that gives away an otherwise-stealthy APT.
This approach will be crucial as traffic volumes and infrastructure complexity continue to increase. “The biggest challenge in my view continues to be the fact that many organisations are still investing heavily and relying on a perimeter-centric model,” Merchant said.
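The DPI-based triage described above, as an added illustration that is not code from the article or from Gigamon: a small Python classifier that reads the server name (SNI) out of a TLS ClientHello and diverts flows to a known streaming service away from the inspection feed, while everything else goes to the security tools. The bypass rule, the `.example-video.net` name, the `203.0.113.0/24` prefix and the sample flows are all constructed for the example and correspond to no real service.

```python
"""Added example: DPI-style triage of flows into 'bypass' (known-benign streaming)
and 'inspect' (everything else). Not code from the article or from Gigamon."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed bypass rule for the example: a hypothetical streaming service, keyed on
# the TLS SNI suffix AND the address prefix it is known to serve from. Neither is real.
BYPASS_RULES = {
    ".example-video.net": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying one SNI extension.
    Used here only to construct sample traffic offline."""
    name = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = SNI
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32             # client_version, random
            + b"\x00"                              # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(payload: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello, or None if the bytes are not one."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:           # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                      # not a ClientHello
            return None
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                data = hs[pos:pos + elen]
                name_len = struct.unpack("!H", data[3:5])[0]  # skip list length, name_type
                return data[5:5 + name_len].decode("ascii")
            pos += elen
    except (struct.error, IndexError, UnicodeDecodeError):
        return None                                           # malformed: do not bypass
    return None


def classify_flow(flow: Flow) -> str:
    """'bypass' only when the SNI matches a known streaming name AND the destination sits
    in that service's prefix; anything else, including non-TLS bytes on 443, is inspected."""
    if flow.dst_port != 443:
        return "inspect"
    sni = extract_sni(flow.payload)
    if sni is None:
        return "inspect"
    dst = ipaddress.ip_address(flow.dst_ip)
    for suffix, prefixes in BYPASS_RULES.items():
        if sni.endswith(suffix) and any(dst in p for p in prefixes):
            return "bypass"
    return "inspect"


def triage(flows):
    """Split flows into the two feeds; returns (bypass_list, inspect_list)."""
    bypass = [f for f in flows if classify_flow(f) == "bypass"]
    inspect = [f for f in flows if classify_flow(f) != "bypass"]
    return bypass, inspect


# Constructed sample flows: genuine streaming, an attacker presenting the streaming SNI
# from an address outside the service prefix, and a custom-protocol beacon on 443.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 443, build_client_hello("cdn.example-video.net")),
    Flow("198.51.100.7", 443, build_client_hello("cdn.example-video.net")),
    Flow("203.0.113.10", 443, b"\x00\x01beacon"),
]

if __name__ == "__main__":
    bypassed, inspected = triage(SAMPLE_FLOWS)
    print(len(bypassed), "bypassed;", len(inspected), "sent to inspection")
```

The check a practitioner would want is in `classify_flow`: a bypass keyed on the SNI alone would let an attacker label their own traffic benign simply by presenting a matching name, so the example also requires the destination address to fall inside the prefix associated with that service, and it sends anything on port 443 that is not a well-formed ClientHello to inspection rather than trusting the port. Run on the constructed flows, one is bypassed and two reach the inspection feed.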
“As we look at 2016, it's going to be increasingly important to have security solutions that start to look inside the security perimeter for malware. Otherwise, the volume and scale of breaches is just going to continue to grow.”