This past week I was at the Juniper Partner Conference in Miami, where I sat through a number of talks and seminars. One of the sessions was about network security, and while taking notes, I tried to imagine what the future of network security should look like. Most organizations have routers, firewalls, anti-malware devices, IPS, wireless and wired network gear, and endpoints, all from a variety of manufacturers. The key point is that these devices don’t really talk to each other to “share” what they are seeing on the network.
From the sessions I attended, I learned that large Fortune 100 companies spend upwards of 45% of their annual IT budgets on the operational maintenance, subscriptions, care and feeding of these elements in their networks. In many organizations, logs and alerts from these devices are not proactively monitored, or they go un-actioned (the Target security breach of Nov. 2013 being a prominent example), which effectively makes them useless. A three-year study by Verizon Enterprise Solutions found that companies discover breaches through their own monitoring in only 31 percent of cases. For retailers, it’s 5 percent.
In the future, various elements of a network have to talk to each other.
There needs to be a “security back channel” that firewalls, IPS, anti-malware, anti-spam, load balancers, routers, wireless controllers, switches and endpoints all use to talk to each other over a standard, vendor-agnostic protocol.
Let me provide an example. If a connection request to Amazon.ca is coming from Vietnam, the router (using a reverse GeoIP lookup) is the first to see it and should raise a yellow flag on the security back channel. The firewall then looks at the connection already knowing it is suspect, since 95% of requests come from a Canadian IP address. This may in itself trigger the Vietnamese connection to go through a more rigorous inspection (kind of like going through a pat-down at the airport, with a sniffer dog giving you a once-over at the end).
If the connection passes the “sniff test”, the load balancer receives the packet already knowing it is flagged as high risk. It then breaks apart the packet and verifies that the payload is constructed exactly as anticipated for Amazon’s specific type of web front-end application.
If at any time any of the network elements along the kill chain determines that the connection from Vietnam is malicious, it notifies all the other elements to kill the connection. Simply sending a notice to a SIEM (Security Information and Event Management) console and waiting for a human to interpret and act on it is not an option (ask Target). The network elements all have to talk to one another and share their inspection results so the network can act and respond as a single element.
The example above stops at the Amazon web server, but network switches and even endpoint devices must have the intelligence to be part of the kill chain that detects, notifies and reacts to malicious connections. Switches must be able to monitor and record “normal” behaviour for each node connected to them. Should a switch detect a ping sweep or other uncharacteristic behaviour from a particular node, it should be able to shut that node down and notify all other network elements to be wary of it.
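To make the back channel described above concrete, here is a small Python model of it. This is an added illustration, not code from the original post or from any vendor: the element names, the GeoIP prefixes, the expected-country table and the load balancer’s “allowed payload” schema are all constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Risk(IntEnum):
    NORMAL = 0      # nothing seen
    SUSPECT = 1     # the router's "yellow flag"
    MALICIOUS = 2   # kill the connection everywhere


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_host: str


class BackChannel:
    """Vendor-agnostic shared state. Any element may raise a flow's risk; a
    MALICIOUS verdict is broadcast so every subscribed element drops the flow,
    with no SIEM console or human in the loop."""
    def __init__(self):
        self.risk, self.reasons, self.elements = {}, {}, []

    def publish(self, flow, risk, reason):
        self.risk[flow] = max(self.risk.get(flow, Risk.NORMAL), risk)
        self.reasons.setdefault(flow, []).append(reason)
        if self.risk[flow] is Risk.MALICIOUS:
            for e in self.elements:          # kill propagates to every element
                e.killed.add(flow)

    def risk_of(self, flow):
        return self.risk.get(flow, Risk.NORMAL)


class Element:
    def __init__(self, name, bus):
        self.name, self.bus, self.killed = name, bus, set()
        bus.elements.append(self)


class Router(Element):
    GEOIP = {"203.0.113.": "VN", "198.51.100.": "CA"}   # constructed prefixes
    EXPECTED = {"amazon.ca": "CA"}                       # constructed baseline

    def inspect(self, flow):
        cc = next((c for p, c in self.GEOIP.items() if flow.src_ip.startswith(p)), "??")
        if self.EXPECTED.get(flow.dst_host) != cc:
            self.bus.publish(flow, Risk.SUSPECT, f"{self.name}: source country {cc}")


class LoadBalancer(Element):
    ALLOWED = (b"GET /", b"POST /cart")  # constructed schema for the web front end

    def inspect(self, flow, payload):
        strict = self.bus.risk_of(flow) >= Risk.SUSPECT   # flagged flows get the rigorous check
        ok = payload.startswith(self.ALLOWED) and (not strict or payload.isascii())
        if not ok:
            self.bus.publish(flow, Risk.MALICIOUS, f"{self.name}: payload not as expected")
        return ok


def run(src_ip, payload):
    bus = BackChannel()
    router, _fw, lb = Router("router", bus), Element("firewall", bus), LoadBalancer("lb", bus)
    flow = Flow(src_ip, "amazon.ca")
    router.inspect(flow)
    lb.inspect(flow, payload)
    return bus.risk_of(flow), [e.name for e in bus.elements if flow in e.killed]
```

A Canadian request with an odd payload passes the cheap check, while the same payload from the flagged Vietnamese source is killed on the router, the firewall and the load balancer at once.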
As I see it, the only way corporations will keep ahead of ever-improving threats is if all network elements work together and “behave” as a single element when it comes to security. Unfortunately, this cooperation among vendors does not exist today, but hopefully one or more of the larger players will start such an initiative; the security of our information relies on it.