CIO

Identifying the visibility gaps in your security

‘Once more unto the breach’… When Henry V uttered those immortalised words in Shakespeare’s play, most enemy attacks took place on the battlefield. Yet in modern times, many ambushes come in the form of cyber attacks that wreak havoc in the shadows. These data breaches affect all organisations, not just governments, and more commonly small and mid-sized businesses.

According to a recent report by Deloitte, the average cost of a data breach per organisation is almost $2.6 million per year in Australia. Furthermore, the same report showed that over 20,000 data breaches have been recorded locally in the past five years, and this number appears to be increasing.

Last year the Australian Signals Directorate responded to 940 significant cyber security incidents, a 37 per cent increase on the year before. Even more worrying, Australia's chief cyber security defender, Major-General Stephen Day, who is the head of the federal government's new Australian Cyber Security Centre in Canberra, recently revealed that the government has no idea where about 40 per cent of those 940 cyber attacks against the country came from.

What this illustrates is that any organisation, no matter how large or seemingly secure, can become a victim of a cyber attack, as well as experience difficulty in detecting the source of a breach.

Yet alarmingly, there are still cases in which the root cause of a problem is not identified for months after the security incident. Despite these concerning figures, there are solutions available to organisations to help mitigate security risks and incidents.

Weeding through the false alarms

A critical component of the incident response problem is the time spent weeding through all the false alarms generated by various security devices, including firewalls, intrusion prevention systems, and security reporting agents. The problem is further exacerbated by the growing speeds of networks and network virtualisation, where many security tools simply can’t process data fast enough on 10Gb Ethernet (10GbE), 40GbE, or 100GbE network environments or simply lack visibility.

The key to maintaining granular visibility

The good news is that solutions are available to help maintain granular visibility in such high-speed networks. Such solutions can also correlate network transactions with security alarms to help identify problems faster and decrease incident response times. The key is to integrate lossless network recording systems with existing security tools using feature-rich application programming interfaces (APIs). The APIs help automate security-related tasks.

Security automation is key to decreasing incident response time. Imagine being able to automate the retrieval and correlation of network transactions to any security log event aggregated into a security information and event management (SIEM) system, or mapping packet data to any IPS alarm, or pinpointing application threads that trigger a specific application performance alarm. This is all possible now with high-speed lossless recording systems and API integration with SIEMs, firewalls, IPS devices, and Application Performance Monitoring (APM) systems.
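As an added illustration of the alert-to-traffic correlation described above (not code from the original article or from any vendor's API), the Python below matches SIEM alerts to flow records by endpoints and time window and flags alerts for which no traffic was recorded. All field names and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are assumptions, not a product schema.
FLOWS = [  # as exported by a lossless recorder or unsampled NetFlow appliance
    {"start": "2024-05-01T10:00:01", "end": "2024-05-01T10:00:09", "src": "10.0.0.5",
     "dst": "203.0.113.7", "dport": 443, "proto": "tcp", "bytes": 18234},
    {"start": "2024-05-01T10:30:00", "end": "2024-05-01T10:30:04", "src": "10.0.0.5",
     "dst": "203.0.113.7", "dport": 443, "proto": "tcp", "bytes": 900},
    {"start": "2024-05-01T10:02:00", "end": "2024-05-01T10:02:00", "src": "10.0.0.8",
     "dst": "198.51.100.20", "dport": 53, "proto": "udp", "bytes": 120},
]
ALERTS = [  # as aggregated in a SIEM from IPS or firewall logs
    {"id": "A1", "time": "2024-05-01T10:00:05", "src": "10.0.0.5",
     "dst": "203.0.113.7", "dport": 443, "proto": "tcp"},
    {"id": "A2", "time": "2024-05-01T10:02:03", "src": "10.0.0.8",
     "dst": "198.51.100.20", "dport": 53, "proto": "udp"},
    {"id": "A3", "time": "2024-05-01T10:05:00", "src": "10.0.0.9",
     "dst": "192.0.2.44", "dport": 22, "proto": "tcp"},
]

def flow_key(rec):
    """Endpoints shared by an alert and the flow that triggered it."""
    return (rec["src"], rec["dst"], rec["dport"], rec["proto"])

def correlate(alerts, flows, slack_seconds=5):
    """Attach to each alert the flows with the same endpoints that were active
    at alert time, allowing slack_seconds of clock skew between devices."""
    slack = timedelta(seconds=slack_seconds)
    index = {}
    for f in flows:  # index once so lookup cost does not grow per alert
        index.setdefault(flow_key(f), []).append(f)
    results = {}
    for a in alerts:
        t = datetime.fromisoformat(a["time"])
        hits = [f for f in index.get(flow_key(a), [])
                if datetime.fromisoformat(f["start"]) - slack <= t
                <= datetime.fromisoformat(f["end"]) + slack]
        # No matching flow: either a false alarm to triage or traffic the
        # recorder never saw, i.e. a gap in network visibility.
        results[a["id"]] = {"flows": hits, "visibility_gap": not hits}
    return results

if __name__ == "__main__":
    for alert_id, r in correlate(ALERTS, FLOWS).items():
        print(alert_id, "gap" if r["visibility_gap"] else [f["bytes"] for f in r["flows"]])
```

The slack window matters in practice: alert A2 fires three seconds after its flow ended, so it only correlates when some clock skew between the sensor and the recorder is tolerated.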

NetFlow no longer just for NetOps

In addition, real-time NetFlow generation on dedicated appliances is proving to be a good solution where full recording options are not available due to privacy policy conflicts. These solutions can provide much better network visibility than legacy NetFlow implementations that rely on network sampling, especially over 40GbE and 100GbE network environments. NetFlow is coming back in a strong way to give security teams much-needed visibility; it isn’t just for Network Operations anymore.

Overall, mainstream security products are becoming more open to integration with third-party solutions, and high-speed network recording systems are becoming more affordable. As a result, the security automation described above will become more prevalent among security operations teams as time goes on.

Despite the rise of security incidents and increasing costs in Australia, the security industry as a whole is improving, and there is much more collaboration than ever before. Moreover, significant improvements are being made among hardware and software vendors that should make the industry feel very optimistic about its capabilities to decrease incident response times moving forward and ultimately limit the damage of cyber attacks.

This article is brought to you by Enex TestLab, content directors for CSO Australia.