APTs Require Greater Awareness of Network Activity
November 18, 2011
- Investigate network forensics and anomaly detection to gain better insight into network activity and ferret out APTs.
- Work more closely with network operations to better understand network behavior and share insights for faster resolution of low-and-slow breaches.
As security groups come to the realization that advanced (or adaptive) persistent threats (APTs) are becoming an unfortunate fact of life, they may turn to additional tools that provide better visibility into what is actually happening on the network. Survey after survey into security practices within organizations concludes that, more often than not, security pros have little visibility into, or understanding of, what is actually taking place on the corporate network. Even those security groups that employ SIEM tools have a limited view into events taking place on the network. Log files and security events only provide a small glimpse into what is taking place, because they lack context. Still, that has not dampened the security industry’s enthusiasm for SIEM technology. In the same week in early October, McAfee announced its acquisition of SIEM provider NitroSecurity, while IBM acquired Q1 Labs. Those acquisitions followed HP’s acquisition of SIEM market leader ArcSight by about a year.
There are two types of tools that enable greater insight into network activity, especially as it relates to security. The one that has seen greater attention over the last year as a result of headline-grabbing breaches is network forensics. The well-publicized RSA authentication token breach brought to light one such vendor, NetWitness, which RSA quickly snapped up when it found out how useful the tool is in determining how its attacker gained access to its intellectual property. NetWitness (now RSA) competes in the network forensics market niche with independent providers such as NIKSUN, Solera Networks, and AccessData.
Another avenue to gain better visibility into network traffic is through network behavior anomaly detection (NBAD). Over the past few years, that market niche also saw some consolidation, with only pure-play provider Arbor Networks still left standing. That market segment never really found its legs, in part because it straddled both the security and network operations groups within a larger IT shop and in part because it requires a significant level of expertise to use effectively (the same can be said of network forensics). To be fair, IBM’s Q1 Labs provides more than just SIEM technology, because its heritage came out of the NBAD world and it has worked hard to gain greater security intelligence by gathering a much broader set of data via deep packet inspection, correlated at high speeds with application and user activity. Moreover, it holds great promise as a part of IBM, which will apply its analytics technology to the data gathered and correlated by QRadar.
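To make the "lack of context" point concrete, here is a small added example (not code from the post or from any vendor it names) contrasting a per-event threshold, which sees one flow at a time, with an NBAD-style check that compares each host's daily outbound volume against its own learned baseline. The flow records, host names and thresholds are constructed for illustration.

```python
"""Why single-event rules miss low-and-slow activity that a behavioural
baseline catches. All data below is constructed sample input."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, source_host, destination, bytes_out)
FLOWS = [
    # ws-1: a normally chatty workstation with large but legitimate flows
    *[(d, "ws-1", "cdn.example", 8_000_000) for d in range(1, 15)],
    *[(d, "ws-1", "mail.example", 500_000) for d in range(1, 15)],
    # ws-2: quiet on days 1-7, then from day 8 many small flows to a new
    # destination; each flow is tiny, but the daily pattern changes
    *[(d, "ws-2", "mail.example", 400_000) for d in range(1, 15)],
    *[(d, "ws-2", "198.51.100.7", 200_000) for d in range(8, 15) for _ in range(40)],
]

PER_FLOW_ALERT_BYTES = 10_000_000  # a typical "large transfer" event rule


def per_event_alerts(flows):
    """What an event-at-a-time rule sees: no history, no per-host context."""
    return sorted({src for _, src, _, b in flows if b >= PER_FLOW_ALERT_BYTES})


def daily_outbound(flows):
    """Aggregate outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, _, b in flows:
        totals[src][day] += b
    return totals


def baseline_alerts(flows, baseline_days=range(1, 8), k=3.0):
    """NBAD-style check: flag days where a host's outbound volume exceeds
    mean + k*sigma of its own baseline week. Returns (host, day, bytes)."""
    alerts = []
    for host, per_day in daily_outbound(flows).items():
        history = [per_day.get(d, 0) for d in baseline_days]
        mu, sigma = mean(history), pstdev(history)
        # floor sigma so a perfectly flat history still gives a usable bound
        bound = mu + k * max(sigma, 0.1 * mu)
        for day, total in sorted(per_day.items()):
            if day not in baseline_days and total > bound:
                alerts.append((host, day, total))
    return alerts
```

Note that ws-2's anomalous daily total (8.4 MB) is still below ws-1's normal daily volume, so a global threshold would fare no better than the per-event rule; only the per-host behavioural baseline separates the two.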
As security groups update their information security strategies (as they should be) to adjust for the new and evolving threat landscape, they should investigate the benefits of these types of tools, keeping in mind that they require specific expertise in order to gain the best results. At the same time, security professionals should work more closely with network operations to understand network behavior and share insights as well as network monitoring tools; working from the same set of tools gives both sides a common language and experience, allowing better coordination when a suspected low-and-slow breach has happened.