How Can I Reduce Network Security Risk – Part 2
Step 2 – Find and quickly remediate intrusions that are discovered in the network
I recently wrote a blog post, Find Your Security Vulnerability Before Hackers Find It For You, and I wanted to come back and explore each of the three steps I outlined in that post in more detail. This post examines step 2 of that three-point plan.
Step 2 is about finding intrusions on your network and quickly remediating them. The faster you find the problem, the safer you are. This matters because the Ponemon Institute finds, year after year, that breaches take far too long to identify. For example, the 2021 Ponemon Institute Cost of a Data Breach report found that it took businesses an average of 287 days to identify and contain a data breach. That is more than two-thirds of a year, which is plenty of time for a bad actor to find what they want and then exfiltrate that data.
While part 1 of the plan is to prevent as many intrusions as possible, SOMETHING is going to unfortunately make it past your defenses. Call it Murphy’s law, call it Chaos Theory, call it whatever you want but something unpleasant is going to happen – whether you know it or not. This is when you need threat hunting activities.
However, for any threat hunting tool to be effective, it needs to see ALL of the data. Seeing only part of the data isn’t good enough; the tool needs everything, or it will miss intrusions. This is why you need to deploy taps at critical points across your network and then aggregate and filter that traffic so that your security tools (IDS, DLP, SIEM, etc.) get exactly the right data at the right time and can properly flag anomalies or suspicious activity. The tap and packet broker combination gives you the visibility your security tools need to be as effective as possible.
At the same time, that visibility needs to be lossless. You don’t want to add just any packet broker. Depending on their design, some packet brokers drop packets, i.e. they “lose” data. You could be missing up to 60% of your security threats and not even know it.
One fundamental reason is the way the data is processed. A popular method is to use a CPU for higher-end features such as deduplication. However, the CPU can become overloaded and drop packets, or miss certain types of packets entirely. This is where you need a packet broker that uses FPGA chips to process the data at line rate. This design decision becomes even more important as network speeds transition from 10 Gbps to 40 and 100 Gbps; data loss at these speeds becomes a serious architectural vulnerability. There is a whitepaper here on the importance of lossless visibility, or you can watch a video if you want more information on this topic.
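The two paragraphs above (feed every packet to the tools; watch for brokers or sensors that silently drop) raise the practical question of how a security tool can tell whether its feed was actually lossless. The following is an added example, not Keysight code: it infers monitoring-point loss from TCP sequence-number gaps in constructed sample segments, with hypothetical flow keys and addresses.

```python
# Added example (not Keysight code): infer monitoring-point packet loss from
# TCP sequence gaps. A sensor behind a tap or packet broker can only judge its
# own visibility from what it receives; a jump in a flow's sequence numbers
# that no observed segment covers means bytes the feed never delivered.
from collections import defaultdict

SEQ_MOD = 2 ** 32          # TCP sequence numbers wrap at 32 bits
HALF = SEQ_MOD // 2        # modular distance below this counts as "ahead"

def find_capture_gaps(segments):
    """segments: iterable of (flow_key, seq, payload_len) in capture order.
    Returns {flow_key: [(expected_seq, bytes_missing), ...]}. Retransmissions
    and data at or before the expected sequence are not gaps; only a segment
    that starts past everything seen so far is counted."""
    expected = {}
    gaps = defaultdict(list)
    for flow, seq, length in segments:
        end = (seq + length) % SEQ_MOD
        if flow not in expected:
            expected[flow] = end
            continue
        exp = expected[flow]
        ahead = (seq - exp) % SEQ_MOD
        if 0 < ahead < HALF:                     # forward jump: data never seen
            gaps[flow].append((exp, ahead))
            expected[flow] = end
        elif 0 < (end - exp) % SEQ_MOD < HALF:   # in-order or partial overlap
            expected[flow] = end
    return dict(gaps)

def loss_ratio(segments):
    """Fraction of payload bytes the feed missed: missing / (seen + missing)."""
    seen = sum(length for _, _, length in segments)
    missing = sum(b for g in find_capture_gaps(segments).values() for _, b in g)
    return missing / (seen + missing) if seen + missing else 0.0

# Constructed sample (hypothetical addresses): flow A loses one 1460-byte
# segment between its 2nd and 3rd observed segments; flow B is contiguous
# apart from a harmless retransmission.
SAMPLE = [
    ("10.0.0.5:51000->10.0.0.9:443", 1000, 1460),
    ("10.0.0.5:51000->10.0.0.9:443", 2460, 1460),
    ("10.0.0.5:51000->10.0.0.9:443", 5380, 1460),  # expected 3920 -> gap
    ("10.0.0.7:40000->10.0.0.9:80", 100, 500),
    ("10.0.0.7:40000->10.0.0.9:80", 600, 500),
    ("10.0.0.7:40000->10.0.0.9:80", 100, 500),     # retransmission, no gap
]

if __name__ == "__main__":
    print(find_capture_gaps(SAMPLE), f"loss ratio {loss_ratio(SAMPLE):.3f}")
```

A gap that a later retransmission fills points to loss on the wire beyond the tap rather than in the visibility feed, so a production check would reconcile the two before alerting. Sustained unfilled gaps on a broker that claims line-rate forwarding are the signal that the feed itself is dropping.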
Rest assured, Keysight taps, bypass switches and network packet brokers (NPBs) provide the visibility and confidence you need that you are seeing EVERYTHING in your network - every bit, byte and packet. Once you have this level of visibility, threat hunting tools and security information and event management (SIEM) systems can proactively look for indicators of compromise (IOCs). In the third and final part of this series, I’ll discuss step 3: how to test your defenses to make sure they are actually detecting and blocking threats.
See for yourself how Keysight’s solutions can significantly enhance your company’s security architecture!