Network Behaviour Analysis: A New Perspective on an Old Enemy

With regulatory compliance high on the corporate agenda, standards such as Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) require data to be handled in a secure fashion. However, not only do networks need to be secured, they must be seen to be secured through comprehensive reporting. Legislation and governance seem to be constantly playing catch-up with an increasingly threatened online world. Although these standards are an important and positive development, they stop short of recommending specific technologies that might help to maintain a secure digital infrastructure.

Traditional security products have concentrated on protecting the network perimeter. Although some organizations use firewall technology on their internal networks, it is unfortunately far more common to find little or no security inside the perimeter. Implementing endpoint security is one way to close this gap, but it is relatively difficult to manage in large networks. Users require different applications, so a single ‘one size fits all’ desktop configuration is rarely realistic. Multiple desktop configurations and user profiles are the norm, and each requires its own endpoint security policy.

Before the widespread use of PCs and the Internet, company networks typically ran in isolation using a plethora of proprietary protocols and hardware. This provided security by obscurity. Hackers and virus writers had to learn about different vulnerabilities for each new target, so their attack surface was limited to the one system they were currently focused on. Now, we live in a world where the PC dominates the enterprise and the Internet is an essential part of business life. However, this uniformity of technology has levelled the playing field for hackers, virus writers and other vagabonds of the information world: one exploit now works against a great many targets.

Some of the best-known security applications, such as anti-virus, depend on signature engines to identify threats. A signature engine compares production data against a list of patterns known as signatures; if it spots a match, it alerts or takes some other mitigating action. Signature-based threat identification is very effective for known threats but of limited use against the unknown, and that is the fundamental weakness of signature engines. The usual answer is to update the list of signatures continually, but there is often a noticeable gap while the vendor works out a suitable signature for a new threat. Many viruses and worms are easily repacked or otherwise disguised so that anti-virus engines cannot detect them until the next signature update.

Firewall vendors have added anti-virus and signature-based content filtering but this is limited to the perimeter of the network. The majority of organizations do not have internal firewalls to protect their wide area networks (WANs) and other private infrastructure. Even when they do, they are still limited by the frequency and accuracy of signature updates.

Conventional enforcement tools such as firewalls, anti-virus, content filters and authentication systems are widely accepted as essential components of an organization’s security arsenal. As networks become increasingly complex, it is questionable whether these tools alone are sufficient to quickly identify and thwart sophisticated threats. A recent trend has been the adoption of network behaviour analysis (NBA) tools for both security and network management purposes. NBA differs from traditional traffic identification systems in that it looks at what the traffic is doing rather than what it looks like.

Network Behaviour Analysis In Action

Behaviour analysis tools address the shortcomings of traditional security products not by replacing them but by complementing them. In fact, some anti-virus and firewall manufacturers already include basic behaviour analysis features in their software.

NBA products collect and analyze network telemetry to provide traffic analysis and flow reporting. This is achieved by applying statistical algorithms to the traffic information. Traffic anomalies classed as network probes are often a precursor to attacks, and host or port sweeps are easily identified from NetFlow or sFlow data feeds. Where the latest attack, for example a previously unseen worm, is not yet covered by intrusion detection or prevention signatures, an NBA system can still recognize the worm’s unusual traffic pattern: worms seek out neighbouring hosts to infect, which shows up in flow data as a single source opening many short, mostly unanswered connections to many destinations on the same port. NBA applications see these attempts and alert the security administrator.

One of the most attractive features of NBA as an intrusion detection technology is that it is no longer tied to the perimeter of the network. A single NetFlow or sFlow collector can monitor multiple internal and perimeter points on the network simultaneously. Once a traffic anomaly has been identified, regulatory standards often require that the session be resolved to a username in order to provide full visibility of user actions. Complementary products are already beginning to appear to address this exact requirement, and some NBA manufacturers have developed early partnerships with manufacturers of identity management systems. The net result is more seamless solutions that resolve anomalous traffic down to a username rather than just to an IP address. Potentially, this will operate in both directions, so that a username may also be resolved to the IP addresses it has used in order to determine the footprint of a suspect account. This should result in improved troubleshooting and speedier remediation of security-related issues.
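The two preceding paragraphs describe sweep detection over NetFlow/sFlow records and the follow-up step of resolving a flagged source address to a username. The following is an added example that is not part of the original article or of any NBA product: it assumes flow records have already been decoded into (timestamp, src, dst, dst port, proto, packets, bytes) tuples, uses constructed flows and constructed logon events, and the thresholds are illustrative assumptions rather than vendor defaults.

```python
"""Host/port sweep detection over NetFlow-style records, with IP-to-user resolution.

Added example, not from the original article. All flow records, logon events
and thresholds below are constructed/assumed for illustration.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Flow = namedtuple("Flow", "ts src dst dport proto packets bytes")

T0 = datetime(2024, 3, 1, 9, 0, 0)  # constructed base time for the sample data

# Assumed thresholds (tune against your own baseline traffic).
HOST_SWEEP_MIN_TARGETS = 20   # one source, one port, this many distinct destination hosts
PORT_SWEEP_MIN_PORTS = 15     # one source, one destination, this many distinct ports
PROBE_MAX_PACKETS = 2         # a flow this small looks like an unanswered connection attempt


def constructed_flows():
    """Constructed sample: one benign host, one worm-like host sweep, one port scan."""
    flows = []
    benign = [("10.1.6.5", 443, "tcp"), ("10.1.6.7", 53, "udp"),
              ("10.1.6.5", 443, "tcp"), ("10.1.6.9", 389, "tcp")]
    for i, (dst, port, proto) in enumerate(benign):
        flows.append(Flow(T0 + timedelta(seconds=30 * i), "10.1.5.10", dst, port, proto, 120, 95_000))
    # Worm-like behaviour: single-packet probes to 40 neighbours on TCP/445.
    for i in range(1, 41):
        flows.append(Flow(T0 + timedelta(seconds=300 + i), "10.1.5.23", f"10.1.6.{i}", 445, "tcp", 1, 60))
    # Port scan: 30 different ports on one target.
    for p in range(1, 31):
        flows.append(Flow(T0 + timedelta(seconds=600 + p), "10.1.5.77", "10.1.6.5", p, "tcp", 1, 60))
    return flows


def _note_first(first, key, ts):
    """Track the earliest timestamp seen for a key."""
    if key not in first or ts < first[key]:
        first[key] = ts


def detect_sweeps(flows):
    """Return alert dicts for host sweeps and port sweeps found in `flows`."""
    hosts_per_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    ports_per_host = defaultdict(set)   # (src, dst)   -> distinct destination ports
    first_by_port, first_by_host = {}, {}
    total, probes = defaultdict(int), defaultdict(int)
    for f in flows:
        hosts_per_port[(f.src, f.dport)].add(f.dst)
        ports_per_host[(f.src, f.dst)].add(f.dport)
        _note_first(first_by_port, (f.src, f.dport), f.ts)
        _note_first(first_by_host, (f.src, f.dst), f.ts)
        total[f.src] += 1
        if f.packets <= PROBE_MAX_PACKETS:
            probes[f.src] += 1

    alerts = []
    for (src, port), dsts in hosts_per_port.items():
        if len(dsts) >= HOST_SWEEP_MIN_TARGETS:
            alerts.append({"type": "host_sweep", "src": src, "port": port, "targets": len(dsts),
                           "probe_ratio": probes[src] / total[src],
                           "first_seen": first_by_port[(src, port)]})
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= PORT_SWEEP_MIN_PORTS:
            alerts.append({"type": "port_sweep", "src": src, "target": dst, "ports": len(ports),
                           "probe_ratio": probes[src] / total[src],
                           "first_seen": first_by_host[(src, dst)]})
    return alerts


# Constructed logon events from an identity source: (timestamp, ip, username).
LOGONS = [
    (T0 - timedelta(hours=2), "10.1.5.23", "alice"),
    (T0 - timedelta(hours=1), "10.1.5.77", "bob"),
    (T0 - timedelta(minutes=30), "10.1.5.23", "svc-backup"),  # address reassigned before the sweep
    (T0 + timedelta(hours=3), "10.1.5.23", "carol"),          # after the alert; must not be matched
]


def ip_to_user(ip, at, logons=LOGONS):
    """Most recent logon for `ip` at or before `at`; None if no session is known.
    The time bound matters: the same address may belong to different users over a day."""
    candidates = [(ts, user) for ts, lip, user in logons if lip == ip and ts <= at]
    return max(candidates)[1] if candidates else None


def user_to_ips(user, logons=LOGONS):
    """Reverse direction: every address a username has logged on from."""
    return sorted({ip for _, ip, u in logons if u == user})


def enrich(alerts, logons=LOGONS):
    """Attach the username active on the source address when the anomaly began."""
    for a in alerts:
        a["user"] = ip_to_user(a["src"], a["first_seen"], logons)
        a["user_footprint"] = user_to_ips(a["user"], logons) if a["user"] else []
    return alerts


if __name__ == "__main__":
    for alert in enrich(detect_sweeps(constructed_flows())):
        print(alert)
```

The benign host never trips either threshold because its flows go to a handful of servers and are long-lived, while both scanners produce a probe ratio of 1.0; in practice that ratio, rather than the raw counts, is the field worth baselining per source, since a backup server legitimately contacts many hosts on one port but gets answered. The time-bounded lookup in `ip_to_user` is what stops an alert being pinned on whoever last held the address.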

In our experience, many large enterprises are starting to incorporate NBA into their security strategy. This trend is supported by Gartner, who predicts that 25% of large enterprises will implement NBA solutions this year.
