Key Message: Automation, innovation, reaction, and expansion are the foundation for obtaining meaningful network traffic intelligence in today’s extended enterprise.
Executive Summary
Given the continued doubling of internet traffic volume and rate (with no end in sight) and the disappearance of defined enterprise network boundaries, business leaders are faced with the daunting challenge of having to understand the environment within which their critical services, applications, and systems operate. In today’s extended enterprise, many of these are being executed by service providers external to the organization. Such understanding includes anticipating the risks and potential impacts that leaders need to mitigate, even though they are not in control.
In this podcast, Derek Gabbard, Co-founder and Technology Director for Lookingglass, discusses how internet traffic monitoring, analysis, and visualization can help organizations develop better situational awareness to anticipate and defend against cyber attacks.
The Internet’s Increasing Traffic Volume and Rate
Internet traffic is set to double every year [LG 2009a] for the foreseeable future, both in volume and rate. This is, in part, caused by:
Determining What Security Actions to Take
It is difficult to create, define, and execute a meaningful security posture when an organization cannot easily determine where its services and applications are being executed (such as when using cloud computing).
Requirements for network security, both internal and external, derive from:
Becoming More Situationally Aware
Historically, organizations hosted their own services and applications, and had control over how they operated.
Today, components of operationally critical systems and services are being executed “in the cloud,” and are therefore out of the owning organization’s control.
Members of the Financial Services Information Sharing and Analysis Center indicate difficulties in understanding network traffic routing and topology for services that are hosted beyond their borders.
Other concerns include:
Situational awareness means having knowledge and an appreciation of:
Actions Based on Situational Awareness
Armed with this information, organizations can start to identify:
Leaders can in turn begin to answer these questions:
With this understanding, you can ensure that:
This understanding is key to anticipating the risks and impacts that can result from cascading events such as connectivity issues between service providers.
Introducing Four Key Factors/Motivators for Achieving Situational Awareness
As detailed in [LG 2009a], these factors are defined by the acronym AIRE:
Lookingglass is positioning AIRE as the next security “device” that will eventually become ubiquitous, like firewalls are today.
AIRE is intended to provide meaningful results of network analysis that describe operational capabilities and help identify and manage risks.
Automation
Automation of the capture and analysis of network traffic and data flows is essential for dealing with the rate and volume of data.
Automation depends on the ability to build a backend data fusion capability that takes individual network traffic data sets and creates relationships among them. The supporting automation tools will provide a capability for significant and relatively quick ingestion of additional and new network data.
Automation approaches derive from how fusion is done manually by expert analysts and turning this expertise into an automated system process. The intent is to perform in several seconds what would take an individual analyst several weeks to complete.
This type of an approach can be scaled to handle increasing volumes and types of data.
Automation will support two perspectives:
Innovation
Innovation primarily centers on visualization and presentation. Good progress is being made using correlation engines to aggregate vast amounts of data into individual, presentable events.
There have also been advances in the amount of data that packet capture and network forensic devices can handle at one time.
What is needed is a breakthrough in tools for meaningful visual representation of information that can be acted upon by different levels of users.
Tools built for enterprise-level network analyses are insufficient when attempting to address network traffic at the levels experienced by the US Department of Homeland Security’s US-CERT or Einstein data from over 100 different agencies.
Reaction
Given timely data collection and analysis, and innovative approaches for data visualization and presentation, the next logical step is being able to react in real time (or close to real time).
There are generally two reasons to collect data:
Expansion
In the struggle between attackers and defenders, defenders are typically playing catch up. Expansion is about becoming more forward looking and getting better at anticipating what the next attack vector might be.
Attack methods and patterns that serve as today’s baseline will be obsolete in five years, likely not even in the picture
Modularity in support of automation, visualization, and expandability is key. You also need to take size, speed, and scale into account.
Examples include being able to easily address upcoming changes in the core routing protocols of the internet such as secure BGP (Border Gateway Protocol) and secure DNS (Domain Name System). AIRE approaches need to be developed with these types of changes in mind.
Staying in touch with the attacker communities and what they are discussing is useful for all security analysts.
Resources
[LG 2009a] Network Analysis 2.0: Staying Ahead of the Threat Curve with AIRE, Lookingglass, 2009.
The Cyber Intelligence Mecca: Ten Rules for Achieving Cyber Situational Awareness, Lookingglass, 2009.
Lewis, Jason & Gabbard, Derek. Network Topology Discovery and Exploitation, Lookingglass, 2009.
BlackHat conferences and community
DEFCON conferences and community
CERT's Network Situational Awareness website
CERT's Network Situational Awareness open source tools
CERT's FloCon Conference (includes past conference proceedings)
