Analytics may boost network security

Lynn Greiner, freelance IT journalist and regular contributor to InsightaaS
Lynn Greiner, freelance IT journalist and regular contributor to InsightaaS

Security is top of mind for most of us. Everyone, it appears, is out to do evil, and to make a profit from it. If it’s not spammers sending ransomware by email, it’s guys who think it’s clever to reproduce the master keys that the US TSA has for our luggage locks. It is getting downright tedious.

Point security products try to help keep us safe, but as Scott Harrell, VP product management for Cisco’s security business unit, noted at the company’s annual end user conference, recent studies have shown that many corporations have 20 or 40, or even 100+ security products deployed to cover the many possible threats, all of which must be monitored and managed. From separate consoles, of course. And even then attackers succeed through other means like social engineering.

It’s enough to make one want to go back to communications via tin cans and string!

Security firms have lately resorted to an unlikely set of technologies – Big Data and analytics – to help them detect and stomp on malicious behaviour. Rather than simply look at files to determine whether they’re good, bad, or unknown, these solutions also look at all network traffic to decide if it’s normal or not. Does machine “X”, in department “Y”, typically talk to this website? Does it normally send large files outside the firewall? How about its data volumes, time of day activity, and the location from which the user logs in? There are dozens of parameters that analytics can use to build a fingerprint of what counts as normal for a user or computer. And if activities stray outside those parameters, the software raises an alert.

It also watches network traffic patterns for different workgroups. It knows where Finance normally interacts, and if one or more machines in the department behave differently, red flags go up.

In fact, networking giant Cisco, which also has a well-regarded security arm, says that the network is THE place to base security. It rightly points out that the huge number of endpoint security products currently deployed just muddy the waters. They often don’t play well together, and so are unable to combine information to conclude that there is (or isn’t) a threat. They don’t see everything that is going on. Cisco argues that the only place where you can reliably monitor exactly what is happening in an enterprise is on the network.

Intel Security is of the same mind. Eighteen months ago, it introduced technology that uses traffic analysis, Big Data, and analytics to deduce whether there’s inappropriate behaviour occurring on the network. It rolled in cloud technologies that bounce suspect files to an online sandbox and attempt, in multiple ways, to detonate payloads before they can do damage in an enterprise.

Even pure analytics vendors are getting in on the act, employing their technologies to keep an eye on corporate networks, in addition to performing more traditional analytics tasks.

dreamstime_xl_7507425 - networkIt’s a harbinger of things to come. As the number of threats continues to grow, and cyber crooks continue to develop techniques to evade detection, we need ways to tell that they’re up to no good, and ways to stop them. They have already figured out how to detect whether malware is in a sandbox (a common way to isolate suspect files), and to prevent activation of malicious payloads until the file is somewhere it can do actual damage.

With the new network-based security, not only can malicious files be identified, if they have previously sneaked onto systems before malicious intent was identified, the software will know, and will take appropriate steps to quarantine and cleanse affected systems.

But, you say, what happens if systems were already infected before the technology was installed – wouldn’t the bad behaviour be the norm? Vendors have thought of this, and instead of recording norms for specific systems, they do so for workgroups. If one machine in Finance behaves differently to its peers, that is logged as anomalous behaviour. It does require initial setup (some products rely on Active Directory groupings), but it helps eliminate the risk that an infected machine would be allowed to continue its “normal” behaviour if it were compromised when the software was installed.

Security companies have also developed machine learning systems that supposedly figure out the network on the fly. However, that can come back to bite you, as we found at the recent Cisco Live! technology conference. The company deployed its smart tech, and let it monitor the network for a week before the conference. So far, so good. But during the keynote on day one, suddenly 28,000 people connected, and the clever software, well trained by a week of virtually no traffic, decided it was under a denial of service attack and locked itself down. Oops.

Frantic admins did the right (and wrong) thing, and shut off the security while they tried to troubleshoot. That restored connectivity, but took away the security layer. Methinks they have some work to do on the configuration and training technology.

In a perverse way, this was a comical demonstration of how dumb “smart” technology can be. Apparently no-one realized that the tools would regard normal conference traffic as anomalous, because it had been trained for a week on a low traffic network. In retrospect, it was entirely predictable. The last I heard, the Cisco team was still troubleshooting to see how they could fix the problem, and meanwhile, the very clever tech was turned off.

This shows us that the smartest tech still lacks one very human characteristic – situational awareness. We humans knew that conference day one would slam the network. The technology did not know when day one was, or that the volume would increase from almost nothing to 28,000 users within minutes. So, it did its job – it stopped a perceived denial of service attack in its tracks. The fact that in the process it cut off legitimate traffic and embarrassed its vendor is not its fault. Developers failed to anticipate the situation.

And that’s the challenge behind network-based “smart” security. Sometimes it’s too smart for its own good. That should be consoling to humans concerned that machines will supplant us, but it also demonstrates how far we have to go.

LEAVE A REPLY