Dan Joe Barry, VP of Napatech, looks at how recent trends in IT may have made thinks better but have also left businesses vulnerable to cyber-attacks.
On August 15, 2012, Saudi Arabia's national oil and gas company, Aramco, suffered a debilitating cyber-attack. More than 30,000 computers were rendered inoperable by the Shamoon virus. US Secretary of Defence Leon Panetta described this virus as the most destructive weapon ever used against the business sector.
Network security is a growing problem in the IT industry today. The very trends that have revolutionised users' access to data are the same ones that are leaving networks vulnerable to attacks by cyber-criminals. No single security product can fully defend against all network intrusions, but a smart combination of existing products can provide a more flexible solution.
Three recent trends in the IT industry have improved the efficiency and effectiveness of digital services: cloud computing, big data analysis and mobility.
- Cloud computing centralises data and makes it accessible anytime, anywhere. Unfortunately, it also provides cyber-criminals with fewer, and more valuable, targets.
- Big data analysis offers a sophisticated overview of complex information; however, such a wealth of sensitive information in a centralized location provides an irresistible target for cyber-criminals.
- Mobility allows convenience; it permits users to access data on the network with different devices, such as mobile phones and iPads. But this severely compromises security as these devices do not have the same protections as the typical corporate laptop.
With increasing data availability, cyber-attacks are becoming more common every year. The cost of these attacks to business, though declining from 2010 to 2011, is still high. According to the Ponemon Institute and Symantec Research, the average cost of a security breach in the United States was $5.5 million in 2011.
Cyber-criminals are becoming smarter, innovating new methods to penetrate defences and often using several different kinds of attacks in combination. For example, a hacker can utilise a distributed denial of service (DDoS) attack as a diversion for introducing malware into a network. In the case of the attack in Saudi Arabia, cyber-terrorists utilized a virus in a spear-phishing attack in an attempt to disrupt international oil and gas markets.
There are many types of security appliances and solutions deployed in networks, each with its own specific focus. However, these solutions are rarely coordinated, which hackers exploit using a combination of attacks.
To successfully defend against this, some kind of coordination is required between the various security solutions so a complete overview can be provided. But, even this is not enough, as detecting zero-day threats (new attacks that have never been seen before) is very difficult. It is therefore necessary to also monitor how the network is behaving to make sure that no attacks have penetrated the security solutions in place. To do this successfully requires that all these solutions are capable of monitoring and reacting in real-time.
Most networks already have monitoring appliances in place, such as a firewall, an Intrusion Detection or Prevention System (IDS/IPS) or Data Loss Prevention (DPL) application. Some products that consolidate these methods into one appliance include Universal Threat Management (UTM) and Next-Generation Firewalls. But single point solutions can only ever address a part of the problem.
Another solution to network security uses the concept of Security Information and Event Management (SIEM) which is based on the centralisation of information from both network and security appliances to provide a holistic view of security. This is a real-time solution, constantly monitoring the network to detect any anomalies that might arise.
That means that both the network and security appliances need to be able to provide data on a real-time basis to ensure that anomalies are detected the moment they occur. This, in turn, means that each of the appliances must be capable of keeping up with growing data loads and speeds.
One of the easiest ways of disrupting the security of the network is to overload the security and network monitoring appliances using a DDoS attack rendering the centralized SIEM system blind. This is a real threat if these appliances are not capable of operating at full throughput. By assuring that they can, you have just removed another potential attack vector.
An attack is underway
The information from network and application monitoring applications can be used to build network behaviour profiles. The customer uses real-time information on network and application usage to detect anomalies as they occur. These anomalies can then be compared to data from security appliances to identify if an attack is underway.
Cyber-attacks on the world economy and infrastructure are becoming commonplace. The adoption of cloud computing, big data analysis and mobility have improved efficiency, but unfortunately they have also exposed critical vulnerabilities in networks. By combining network and security information into a more holistic solution, attacks - such as the spear-phishing assault on Aramco - can be deterred.
Dan Joe Barry is vice-president of marketing at Napatech