Morphing Network Security: 5 Takeaways from an SC Media Webinar


If you dropped a CIO from the 1990s into the modern data center, chances are they’d be overwhelmed. So much has changed, because technology changes so quickly.

Similarly, the growth and innovation of cybersecurity would probably be overwhelming for that person. That was how SC Media set up a webinar with our own Druce MacFarlane titled: Morphing Network Security.

If you missed it, here are some key points covered during the session.

1) Intrusion detection and prevention are morphing

Rumors of the death of the intrusion detection and prevention (IDS/P) market are greatly exaggerated. The market has been growing at a healthy rate. Depending on whose research you believe, researchers estimate the combined market is valued at somewhere between $2.7 billion and $5 billion with roughly 13% compound annual growth.

Despite the growth, there are some challenges. The sector has lacked innovation as independent IDS/P providers have been acquired and integrated into the firewall. Many of these tools have earned a reputation for being chatty, firing trivial false positives, and burying security teams in an alert deluge.

There is a clear market need for new innovation in a standalone IDS/P that will detect, hunt and prevent threats.

2) Security must consider network behavior

All security problems can be traced back to trust, but hackers continue to find ways to erode it. For example, two-factor authentication using mobile phones was thought to be a solution for protecting privileged access. Yet with social engineering, hackers have figured out how to get around it and gain access through SIM card replacement.

This has implications for a corporate network. With the advent of cloud, BYOD and other trends, at some point users are going to plug a device that IT doesn't manage into the corporate network. What was once considered a trusted network protected by a firewall is no longer safe.

A sound countermeasure is to examine network behavior. If a user has rights and permissions to data but starts doing things the user doesn't normally do, such as accessing servers or exporting large volumes of data, that is a red flag that merits a closer look.
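As an added illustration (not from the webinar or from any Bricata product), the following Python builds a per-user baseline from constructed flow records and flags the two indicators named above: a server the user has never touched before, and an outbound volume far above that user's own norm. The record layout, user names and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (day, user, server, bytes_out).
# Days 1-5 form the baseline; day 6 is the window under review.
FLOWS = [
    (1, "alice", "fileshare", 40_000), (2, "alice", "fileshare", 55_000),
    (3, "alice", "fileshare", 38_000), (4, "alice", "fileshare", 60_000),
    (5, "alice", "fileshare", 45_000),
    (6, "alice", "fileshare", 52_000),   # a normal day for alice
    (1, "bob", "crm", 20_000), (2, "bob", "crm", 25_000),
    (3, "bob", "crm", 22_000), (4, "bob", "crm", 18_000),
    (5, "bob", "crm", 24_000),
    (6, "bob", "crm", 21_000),
    (6, "bob", "hr-db", 900_000),        # never-seen server plus a large export
]

def build_baseline(flows, baseline_days):
    """Per user: the set of servers seen and the per-day outbound byte totals."""
    servers = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for day, user, server, nbytes in flows:
        if day in baseline_days:
            servers[user].add(server)
            daily[user][day] += nbytes
    return servers, daily

def find_red_flags(flows, baseline_days, review_day, z_threshold=3.0):
    """Return (user, reason, detail) tuples for behavior outside the user's baseline."""
    servers, daily = build_baseline(flows, baseline_days)
    totals = defaultdict(int)
    flags = []
    for day, user, server, nbytes in flows:
        if day != review_day:
            continue
        totals[user] += nbytes
        if server not in servers[user]:          # access to a server not in this user's history
            flags.append((user, "new_server", server))
    for user, total in totals.items():
        history = list(daily[user].values())
        if len(history) < 2:                     # too little history to judge a volume spike
            continue
        mu, sigma = mean(history), pstdev(history)
        # z-score of today's total against the user's own daily totals
        z = (total - mu) / sigma if sigma else (float("inf") if total > mu else 0.0)
        if z > z_threshold:
            flags.append((user, "volume_spike", total))
    return flags
```

Alice's day 6 sits well inside her history and produces nothing; Bob's day 6 trips both checks because the volume spike is judged against his own baseline, not a global threshold.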

3) Security analytics are only as good as the data

Security information and event management (SIEM) systems were supposed to provide correlations that would lead to new insight. Enterprises started stacking artificial intelligence or machine learning on top and feeding them with mounds of data in hopes of supporting threat hunting.

The problem with this is that much of the data is homogeneous, and that limits correlation capacity. As it turns out, security teams need to collect data they didn't realize would be relevant to an alert, such as what a user was doing when their device was infected and where they went next.

If, for example, you saw WannaCry landing on an endpoint, knowing it is there is good, but also knowing how it got there, and where it went afterward, is very useful.


4) Product extensibility and interoperability are imperative

Antivirus almost went away because of its very narrow focus. Focus isn't necessarily a bad thing, but the security products that continue to deliver value to enterprises over time are flexible. You've got to be able to defeat the threats of today and be adaptable to meet the changing needs of tomorrow.

A tangential point is interoperability, which is severely deficient in the cybersecurity space. Research shows some organizations have 25 or more security tools and none of them talk to each other. Enterprises need to be able to choose products that best solve their problems with the comfort of knowing those tools will share the data. After all, the data collected is the organization's intellectual property.

5) There’s more than one way to reduce risk

Many pundits criticized Equifax for not patching a vulnerability fast enough. Better organizational relationships between security and DevOps could help, but change management and control processes exist for a reason.

Big organizations with complex IT infrastructure prefer to test new patches before implementing them in a live environment to ensure these don't cause another problem. However, this overlooks the fact that aggressive monitoring would dramatically reduce the risk in the meantime.

As our own Druce MacFarlane wrote in a commentary for CSO, the detection rule for the Apache Struts vulnerability at the center of the Equifax incident was published a day after the vulnerability was discovered.

* * *

The event lasted just about 30 minutes and the recording is well worth a listen.
