Sharkfest 2016 with Wireshark 2.0.4 – The Founder - Gerald Combs - A fun perspective and history! (by Tim The Oldcommguy)
Snapshots from Sharkfest - TCP ACKFor Column (by Chris Greer)

A Life-cycle View of Network Security (by Keith Bromley)

With the amount of sustained security attacks launched at enterprises over the last 5 plus years, network security has become an increasingly important topic to understand. This includes new methodologies and technologies that can be used to combat the proliferation of attacks. If you’re looking for a real solution, not just adding more boxes to your network, this is the article you won’t want to miss.

Daily news stories continue to document how enterprises are struggling with preventing breaches to their networks. All you have to do is read the 2016 Symantec Internet Security Threat Report, 2016 Verizon Data Breach Investigations Report, or the 2016 HP Enterprise Cyber Security Report to see that network security continues to fall behind the ability to stop breaches. While the cause of the exact breaches may or may not differ (see the HP report which shows that the most exploited bug in 2014 continued to be the most exploited bug in 2015), what is undeniable is that the current conventional wisdom is not working. It doesn’t matter if you are using physical or virtual networks.

Picture one

For instance, the Ponemon 2014 Data Breach: The Cloud Multiplier Effect report predicts that you are 3 times more likely to be breached than other companies if you have a cloud environment. Not only do breaches affect the company brand, but economic losses continue to mount as well, as the 2015 Ponemon Cost of A Breach:  Global Analysis Report shows.

A life-cycle approach can help enterprises strengthen their security defenses and create resilient security architectures.

The basic concept is that every network has a life-cycle, or different stages that it goes through during the course of its usable lifespan. During those different stages there are distinct activities that should take place that will help strengthen the network. When those activities are implemented correctly, at the proper time, your proactive and reactive capabilities will be as sharp as possible. You can read an ebook on this topic if you want.

Let’s back up for a minute though. In general, IT people are working to protect their networks. Conventional wisdom says to invest in securing your access and architecture vulnerabilities.

This means that these are probably the main thrust of your security focus, correct?

  • Firewalls
  • Intrusion Prevention Systems
  • Intrusion Detection Systems
  • Data Loss prevention systems
  • Penetration testing
  • Forensic recorders
  • SIEMs

And for the most part, the point products do what they say they should do.  Hence, the label conventional wisdom.  So why would I advocate that people should look at network security differently? Mainly because what’s being practiced now doesn’t really work that well, or we wouldn’t be seeing all of the breaches that we are in the enterprise, as mentioned earlier. In fact, according to the 2016 Cyberthreat Defense Report, 86% of the respondents are fed up with inadequate endpoint security and are looking to replace and/or augment these solutions. And according to the 2016 Verizon Data Breach Investigations Report, even with all of these point security solutions in place, law enforcement continues to be the primary way that victims find out that their network security was breached. The second most common method of breach notification still wasn’t the internal security defenses—it was a third party (customer, supplier, etc.). 

So, what’s the problem?  The first problem is that focusing on access and vulnerabilities provides only a microscopic view. This leads to point “solutions” that tend to have multiple problems like:

  • Higher overall costs as you add components piecemeal
  • These “solutions” don’t scale well
  • You can end up with a “cluster of junk” that doesn’t work well together because the solution part usually ends up being missed

If you step back and take a systems approach, or macroscopic view, you can get additional, critical details. For instance:

  • A systems view provides a cohesive architecture that can maximize the benefits of visibility like the following:
    • With a faster MTTR, you can see an up to 80% reduction in your resolution times
    • Application filtering can save bandwidth and tool processing cycles
    • Automation capabilities, which can provide a faster response to anomalies without user administration
  • A systems view also provides for process alignment
  • And a macroscopic view provides documented due diligence to limit the costs associated with a breach

So, there is a better way forward.  Before, we just had Access and Architecture Vulnerability.  Let’s add the other components.  This means that typical network security activities should focus on the following:

  • Access
  • Policies and Procedures
  • Architecture Performance (vulnerability & resilience)
  • Monitoring and Auditing

For instance, policies and procedures should be inserted into the security process as well. Unfortunately, this isn’t always so. In fact, the NTT Group, in their 2014 Global Threat Intelligence Report, found that over 75% of companies studied had no incident response plan. And this wasn’t just small companies. This included many of the Fortune 100 companies.

While a lack of processes may make it easier to implement changes in the network, it has at least two serious issues associated with it. First, lack of processes help create security risks by removing change approval and documentation procedures.  Second, the lack of processes usually results in longer time frames to isolate problems within the network.

In addition to securing architecture vulnerabilities, there needs to be an emphasis on analyzing a security architecture’s performance and its ability to respond in a resilient manner to security threats and breaches. You want to prevent a breach but once it happens (and there is a high probability according to all the reports out there), you need the network to adapt to the threat and remediate the threat as fast as possible. You also want your defenses to be as strong as possible against attacks but be flexible enough to let good traffic pass through.

Monitoring and auditing are also extremely important but often overlooked – which is very strange. If you can’t see the threat, how are you going to respond to it?  You can find an overview of visibility architectures and security fabrics here. Once you combine the security architecture with the visibility architecture, you will equip yourself with the necessary tools to properly visualize and diagnose the problems on your network.

One key concept is to integrate your security and visibility architectures. This will help you to optimize your network in the following ways:

  1. Better data to analyze security threats
  2. Better operational response capabilities against attacks
  3. The application of consistent monitoring and security policies

Remember, the key is that by integrating the two architectures you’ll be able to improve your root cause analysis. This is not just for security problems but all network anomalies and issues that you encounter.

Now, let’s return to the Life-cycle approach. Just as the seasons change during the course of a year, your network has different needs and attributes during the four main lifecycle stages of its usable life. Each of these life-cycle stages may touch on one or more of the four groups of activities I mentioned a minute ago (access, policies and procedures, architecture performance and monitoring).

From a network equipment deployment perspective, there are typically 5 distinct phases: 

  • Pre-deployment (usually in a lab)
  • Installation & Commissioning (where the equipment is installed and turned up in the field)
  • Production Network (which is the steady state operational phase for the equipment/network)
  • Software and Hardware upgrades (which is the change management phase)
  • End of Life

Since End of Life doesn’t really pertain to our discussion, we’ll leave it out and only focus on the other 4 phases. There shouldn’t be any radical concepts here. The only new concept should be that each of these phases has distinct activities associated with them. All too often, people forget, or dismiss that concept. Once they do, they start to miss activities and steps which create the process problems and architecture vulnerabilities we talked about earlier. Understanding these four lifecycle stages and their different security needs will minimize the threat to your network.

Picture two

As I just mentioned, each of the four stages has a separate contribution to overall network security. This is indicated in the blue text in the adjacent life-cycle diagram. Basically,

  1. During the Pre-deployment stage, you are trying to validate whether your solution will solve all of your requirements.
  2. The purpose of the Installation and Commissioning stage is to check that the final solution setup is deployed correctly for your network.
  3. The Production stage is concerned with constant monitoring & testing for aberrant behavior.
  4. Upgrades, the last stage, is focused on testing any changes before you introduce them into the network. Basically, you want to prevent as many self-inflicted injuries as you can.

In the end, it will always depend upon your architecture, company processes, and personnel skillset as to resilient and secure you can make your network. If you want to dig into this further, there is an Ixia case study which illustrates some of the benefits of a lifecycle approach. Don’t forget, there’s also the ebook that provides a solid overview of the lifecycle approach.

KeithAuthor:Keith Bromley is a product marketing manager for Ixia, Inc., with more than 20 years of industry experience in marketing and engineering. Keith is responsible for marketing activities for Ixia’s network monitoring switch solutions. As a spokesperson for the industry, Keith is a subject matter expert on network monitoring, management systems, unified communications, IP telephony, SIP, wireless and wireline infrastructure. Keith joined Ixia in 2013 and has written many industry whitepapers covering topics on network monitoring, network visibility, IP telephony drivers, SIP, unified communications, as well as discussions around ROI and TCO for IP solutions. Prior to Ixia, Keith worked for several national and international Hi-Tech companies including NEC, ShoreTel, DSC, Metro-Optix, Cisco Systems and Ericsson, for whom he was industry liaison to several technical standards bodies. He holds a Bachelor of Science in Electrical Engineering. 

Keith has other popular articles on -