Find it Before They Do

Hello and welcome to this network visibility resource page. The intent of this webpage is to help IT network and security personnel better protect their network.

One of the top questions on the minds of network security personnel is “how do I reduce my security risk?” Even for smaller organizations, this is important because EVERY network has a weakness. But do you know where you are the most vulnerable? Wouldn’t you like to fix the problem now, before a hacker exploits it?

There are four key areas to focus on in this effort:

  1. Deploy inline security tools at the perimeter of your network to prevent intrusions
  2. Make sure that your threat investigation tools are seeing everything they need to
  3. Enable threat detection tools to quickly and easily investigate indicators of compromise on your network
  4. Use breach and attack simulation (BAS) technology to actively search for threats

First, hopefully you are deploying inline security tools – like a web application firewall (WAF), packet decryption, and an intrusion prevention system (IPS). These tools are essentially mandatory now because of the complexity and depth of subterfuge used in modern security attacks. However, a common complaint is the complexity involved in deploying inline security tools. This is where you will want to deploy network packet brokers (NPBs) that can assist with built-in decryption, high availability and fast fail-over capabilities (as well as self-healing technology), and the ability to pass incoming traffic to one or more security tools for analysis. When it comes to inline functionality, Keysight Technologies has one of the best packet brokers on the market.

Secondly, you should determine whether your network security tools are seeing everything they need to. Are you sure? Due to technology choices that you make, your threat investigation tools, like an intrusion detection system (IDS), could be missing 60% or more of your security threats and you won’t even know it. This is because some network packet broker vendors use CPU-based architectures instead of FPGAs. These CPU-based architectures can end up dropping packets because the CPUs become overloaded when run at full line rate or when non-standard traffic is encountered. This missing data contributes to the success of security threats because the IDS or other tool can’t tell for sure what is a threat and what is not. See this video for a deeper dive into this topic. Just for the record, Keysight uses an FPGA-based solution that eliminates all of the problems of CPU-based solutions.

A third consideration centers around the plan you have adopted for internal network threat detection, i.e., out-of-band data monitoring. Good threat hunting solutions require the analysis of packet data, because packets don’t lie. Log files can become corrupted, deleted or overwritten, either accidentally or by certain strains of malware. Another common idea is to use flow data. Unfortunately, flow data doesn’t provide enough detail to isolate most security threats. This takes us back to packet data as the only real source of truth.

The downside of packet data is the time taken to analyze all of the packets. This is where the right packet broker can be extremely useful. While most packet brokers filter data based on Layers 2 through 4 of the OSI model, a good packet broker will also filter on Layer 7 – the application layer. This type of data screening allows you to quickly remove uninteresting data from the search path of your threat analysis tools. In addition, packet deduplication can be applied to further reduce the volume of extraneous packets. Individually, each of those features can improve the efficiency of your security tools by up to 35 to 40%, depending upon how your security architecture is set up. This level of functionality within a packet broker makes the threat hunting task much more manageable.
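As an added illustration (not part of the original page and not Keysight's code), the following Python simulates the two reductions described above on a constructed capture: removing copies of the same packet seen at two tap points within a short window, then dropping applications that an L7 classifier has labelled uninteresting. The application labels, the 1 ms dedup window and the drop list are assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    app: str        # application label, assumed to come from L7 inspection
    payload: bytes

def build_sample():
    """Constructed capture: every packet is seen at two tap points ~200 us apart."""
    base = [
        ("10.0.0.5", "8.8.8.8", 53, "dns", b"\x12\x34 query"),
        ("10.0.0.7", "93.184.216.34", 80, "http", b"GET / HTTP/1.1"),
        ("10.0.0.9", "10.0.0.20", 445, "smb", b"\xffSMB"),
        ("10.0.0.5", "45.57.0.1", 443, "netflix", b"\x17\x03\x03tls-a"),
        ("10.0.0.6", "142.250.0.1", 443, "youtube", b"\x17\x03\x03tls-b"),
        ("10.0.0.8", "20.0.0.1", 443, "windows-update", b"\x17\x03\x03tls-c"),
    ]
    pkts = []
    for i, (s, d, port, app, pl) in enumerate(base):
        pkts.append(Packet(float(i), s, d, port, app, pl))           # tap A
        pkts.append(Packet(float(i) + 0.0002, s, d, port, app, pl))  # tap B
    # A genuine TCP retransmission 2 s later: identical bytes but outside the
    # dedup window, so it must survive (an analyst may need it as evidence).
    pkts.append(Packet(3.0, "10.0.0.7", "93.184.216.34", 80, "http", b"GET / HTTP/1.1"))
    return pkts

def dedup(packets, window=0.001):
    """Drop a packet if a byte-identical copy was seen within `window` s (1 ms assumed)."""
    seen, kept = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        key = hashlib.sha256(f"{p.src}|{p.dst}|{p.dport}|".encode() + p.payload).digest()
        if key in seen and p.ts - seen[key] <= window:
            continue            # duplicate copy from the second tap point
        seen[key] = p.ts
        kept.append(p)
    return kept

# Assumed policy: applications the threat tools should not spend cycles on.
UNINTERESTING_APPS = {"netflix", "youtube", "windows-update"}

def l7_filter(packets, drop_apps=UNINTERESTING_APPS):
    return [p for p in packets if p.app not in drop_apps]

def reduction_pct(before, after):
    # Percentage of packets removed from the tools' search path.
    return round(100 * (1 - len(after) / len(before)), 1)
```

On this sample, deduplication alone removes 46.2% of the packets and the two stages together remove 69.2%, while the retransmission 2 s later is correctly kept.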


A final fundamental consideration is how to automate the search for threats on your network. As just mentioned, packet-based threat hunting solutions are very useful. However, most security engineers are also going to need a different type of security tool that can be used to reduce risk by finding vulnerabilities that you can’t see and that your inline security tools didn’t stop at the perimeter of the network. This is where breach and attack simulation (BAS) solutions can be used. The right type of BAS solution can be set to run recurring tests of security defenses. A good BAS solution will collect the results from these security scans and pass specific insights directly on to security tools to process.

No matter how well your security architecture has been set up, you most likely have some sort of security issue. To avoid becoming another security breach statistic, you need to find your security weakness before a hacker finds it for you.

When you’re ready, take the Keysight NPB challenge and see what you have been missing. You can contact Keysight here.

You’re not anonymous to hackers – find your security issues before hackers find them for you.

Are you ready to see what you have been missing?