What VARs Need To Know About Advanced Threat Detection Solutions

By Dan Joe Barry, VP Positioning and Chief Evangelist at Napatech

The WannaCry ransomware that just took the world by storm is an example of the rise in types, frequency and severity of malware that organizations must address as part of their overall cybersecurity strategy. Well-informed VARs will become a valuable resource in the ongoing fight to stay abreast and ahead of cybercrime.

As the WannaCry worm demonstrates, malware does not discriminate; it will infect any network in any country, given the opportunity. Many recent factors have converged to create greater complexity and threat opportunity in the network, undermining the effectiveness of security prevention solutions. For instance, Bring Your Own Device (BYOD) and cloud computing provides new opportunities for attackers.

One of the latest developments is the non-malware attack. In this scenario, no malware is downloaded to the user’s computer. Instead, a malware script is activated that exploits vulnerabilities in flash, web browsers and other existing tools on the computer. As many of the security prevention solutions installed are focused on preventing malware download, this attack nullifies the effectiveness of a large part of the security architecture.

Outsmarting Malware with Detection

After analyzing user and network behavior, an additional layer of advanced threat detection can be deployed to complement these security prevention solutions. These internal advanced threat solutions rely on continuous monitoring of network activity to first establish a profile of normal network behavior and then compare real-time activity to this profile to detect anomalous behavior. When used in conjunction with the information from other security solutions, it can provide the first indication that a breach has taken place.

Since this solution does not rely on detecting file downloads, it is particularly effective in combating non-malware attacks. It works by detecting activities that are out of the ordinary, giving the security team the basis for further investigation.

To do this, the solution must be able to analyze all network traffic in real time. This requires packet capture solutions that can deliver each and every packet for analysis, even at speeds up to 100G.

Capturing Packets

When a breach is detected, the CISO will expect the security team to be able to report exactly what happened, when it happened and why it happened – within a matter of hours. Unfortunately, most security solutions today are built to prevent and detect threats in real time or at least near-real time. The ability to reconstruct the anatomy of an attack in detail is often impossible. There is therefore a strong case to be made for recording network traffic in a way that allows the reconstruction of a breach even months after the fact.

A network recording capability allows every packet on the network to be recorded at speeds up to 100 Gbps but can also provide multiple security analysis applications access to the same data. This allows deep-dive analysis of reliable network data on demand to support forensic analysis from near-real time to several months in the past.

The Need for Adaptive Security

Gartner recently updated a framework it first suggested in 2014. In Designing an Adaptive Security Architecture for Protection from Advanced Attacks, Gartner concluded that there is an over-reliance on prevention solutions, which are insufficient to protect against advanced attackers. The alternative proposed was an adaptive security architecture based on these capabilities:

• Stopping attacks – Preventive
• Finding attacks that have evaded preventive capabilities –Detective
• Reacting to attacks and perform forensic analysis – Retrospective
• Learning from attacks and industry intelligence to improve capabilities and proactively predict potential new attacks – Predictive

What enables adaptive security is the ability to perform continuous monitoring and analytics, including network monitoring and analysis.

Building the Framework

All these elements taken together form the infrastructure to support an adaptive security framework:

This framework enables organizations to prevent known attacks, detect zero-day threats and detect anomalous behavior. The alerts and information from each solution are correlated and condensed by solutions like security information and event management systems that will enable security teams to quickly focus their attention on the most important threats.

If a breach is detected late, the ability to fully capture and record each packet allows the anatomy of an attack to be recreated, enabling a quick determination of the extent and impact of the breach, as well as the ability to learn and prevent such a breach from happening again.

For a truly adaptive security strategy, prevention and detection solutions must be combined. In this way, organizations get complete network visibility. If they have the ability to record network data, that visibility is not just real-time but stretches back into the past as well for post-breach analysis. VARs that can help steer enterprise customers toward this comprehensive approach will enjoy stronger, higher-value relationships.

About the Author

Daniel Joseph Barry is VP Positioning and Chief Evangelist at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector.  From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.