There has been much written about the Sony breach, as well as about a growing number of other, less damaging (at least we hope) compromises in which the perimeter was thought to be secure but the interior was left unprotected. For example, incidents reported by medium enterprises (those with revenues from $100 million to $1 billion) grew 64 percent between 2013 and 2014, with cost per incident growing by 53 percent [1]. Small enterprises, in fact, reported fewer incidents, due to what many say is an underinvestment in tools, with estimates that 71 percent of attacks go unreported. Given today’s interconnected business ecosystem, this is indeed a dangerous situation. SDN security (SDN-based network security) with in-line analytics offers a solution.
The idea of interior protection is not new, and while some vendors do in fact focus on delivering network packet brokers/visibility fabrics, penetrations abound because these solutions are reactive instead of proactive. If the keys to the kingdom are compromised, such as the sysadmin’s passwords, what can the network itself do for protection, as opposed to relying on human intervention? Today, intrusions happen too fast for anyone to respond effectively, and terabytes can be siphoned off overnight. Unfortunately, the gap is widening between the speed at which compromises happen and the speed at which they are discovered. The percentage of breaches that occur within a matter of days has grown from 75 percent to 90 percent over the last nine years, while discovery within the same time window has remained below 25 percent. With some of the more serious, professional attacks, discovery may take months. By some estimates, in 2014 the negative direct impact on the global economy was up to $575 billion, and the potential IP loss was up to $2.2 trillion! That’s a “T.”
Once the infiltrator is inside the network, what does this look like, and why are existing tools incapable of providing real-time protection? Visibility fabrics consisting of taps and collectors are deployed in parallel to the actual data connections and are not integrated into the network control plane. They are also capable of sampling only a portion of the data. For example, a 48-port 10G top-of-rack (ToR) switch may have just one 10G port spanned to the visibility fabric. These two issues prevent today’s visibility fabrics from being used for real-time protection.
As an example, assume the taps recognize that Host A is sending far too much traffic to Host B, which is external to the network. Maybe Host C is under a SYN flood attack from outside the network. Or, more commonly, Host D has a security vulnerability, has been compromised, and is now acting as a vector for an attack. Taps may track this, but they then send the data to a correlation platform that informs the IT manager that something is awry. They don’t integrate with the control plane, they have no historical context, and thus the feedback loop is broken.
The manager must then understand just where in the network the attack is taking place, and manually reconfigure the switches and routers. Remember… the perimeter is thought to be secure, so interior policies are not too restrictive. And no single device really has visibility into the application flows themselves. They do what they are designed to do, forwarding packets hop by hop.
CIOs recognize that current SDN security approaches don’t scale or provide the necessary responsiveness. At the recent ONUG in NYC, attendees of the Overlay working group tagged end-to-end monitoring as their top unmet requirement [3].
SDN and network/flow programmability offer a solution. Deploying “virtual” probes in-line with the data traffic yields real-time application visibility. The IT manager can craft a set of rules that take immediate effect based on outlier analysis, and the network feedback loop becomes immediate, bypassing the delays of human intervention [4]. The process is as follows:
- Establish baseline at different times/dates and durations
- Invoke ongoing analytics to detect deviations
- Invoke native rules or automatically pass to hosted intrusion detection software for further analysis and action
- Automatically block, copy, or throttle the suspicious traffic
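A minimal version of the four-step loop above, written in Python as an added example (not Pluribus code): it builds a per-host baseline of external egress bytes from constructed flow records, scores the live window against that baseline, and maps the deviation to the block/throttle/copy actions. The host names, byte counts, window layout and z-score thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (window, src_host, dst, is_external, byte_count); windows 0-3 are
# the baseline period, window 4 is live: Host A exfiltrates, Host D creeps up, Host E is normal.
BASELINE_EGRESS = {"hostA": [2000, 2200, 1900, 2100], "hostD": [1000] * 4, "hostE": [500] * 4}
FLOWS = [(w, h, "ext", True, b) for h, bs in BASELINE_EGRESS.items() for w, b in enumerate(bs)]
FLOWS += [(4, "hostA", "ext", True, 40000), (4, "hostD", "ext", True, 1300),
          (4, "hostE", "ext", True, 520), (4, "hostA", "hostE", False, 950)]  # last one is internal
THRESHOLDS = [(10.0, "block"), (5.0, "throttle"), (3.0, "copy")]  # assumed z-score cutoffs

def egress_per_window(flows):
    """Sum the bytes each host sends to external destinations, per window."""
    totals = defaultdict(int)
    for window, src, _dst, external, nbytes in flows:
        if external:                      # internal east-west flows are not egress
            totals[(window, src)] += nbytes
    return totals

def build_baseline(flows, windows):
    """Step 1: per-host mean and standard deviation of egress over the baseline windows."""
    samples = defaultdict(list)
    for (window, src), nbytes in egress_per_window(flows).items():
        if window in windows:
            samples[src].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in samples.items()}

def deviation(baseline, host, observed):
    """Step 2: z-score of an observed egress volume against the host's baseline."""
    mu, sigma = baseline[host]
    sigma = max(sigma, 0.05 * mu)         # floor so a flat baseline still gives a finite score
    return (observed - mu) / sigma

def decide(z):
    """Steps 3-4: map a deviation to a rule action; 'copy' mirrors the flows to hosted IDS."""
    for limit, action in THRESHOLDS:
        if z >= limit:
            return action
    return None

def analyze_window(flows, baseline, window):
    """Return {host: action} for each host whose live-window egress deviates from baseline."""
    actions = {}
    for (w, src), nbytes in egress_per_window(flows).items():
        if w == window and src in baseline:
            action = decide(deviation(baseline, src, nbytes))
            if action:
                actions[src] = action
    return actions
```

In a real deployment the returned actions would be pushed as flow rules to the switches rather than returned to the caller, and the baseline would be rebuilt for different times, dates and durations as the first step describes.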
Additionally, the information gathered and the steps taken are not just points in time. The ability to look back in time, a rich forensics capability, is also part of the embedded solution. Luckily, there is now an awareness that this new class of tools exists, and its role in protection, detection, and response is now a CIO imperative.
About the Author
Alessandro is the Vice President of Product Management at Pluribus Networks. He has over 17 years of engineering, technical marketing and product management experience in the networking industry. Prior to joining Pluribus, Alessandro served as the Director of Product Management for several of Cisco’s Data Center and Enterprise networking product lines, including the launch of the latest generation of Catalyst 6800 core switching platform. His specialties include Datacenter Networking and High-Speed Ethernet technologies, where he contributed in shaping the 40GbE and 100GbE IEEE standard. Alessandro’s main responsibilities at Pluribus include managing the Pluribus product portfolio and technical marketing activities.