Security approaches need to evolve. Most IT and security pros continue to believe that the best shield against cybercrime involves strengthening a network’s perimeter to keep attackers out and antivirus software for endpoint defense.
The need for new security approaches that improve response time or action has never been more apparent, as threats (unfortunately) arise more quickly than security strategies. Countless worldwide breaches have proven that regardless of financial or human resources, changing our security operations mindset is required to protect critical assets, reduce attacker dwell time and limit risk.
First Wave: Deep Packet Inspection Technology Shift
Intrusion detection/prevention technology first made its mark a decade ago. The security industry considered those systems a viable solution. Its promise of examining the contents of packets and streams at the bit and byte level made it feasible to detect and stop the attacks at the network level.
The protocols then were less complex, and more importantly, many packets were not encrypted. It had become quickly apparent that just a chain of firewall rules was not sufficient to stop an actual attack from propagating in the network or protecting a web, mail or DNS server.
While organizations were scrambling to include intrusion detection/prevention technology into IT strategies, they realized the network perimeter was still well defined. As a result, they realized:
- It was easy to deploy sensors primarily at the network perimeter for inspecting traffic in and out of the network.
- The attacks and their variations against OS and applications could be handled via protocol decoders, regular expressions, and string matching.
- The attacks that required statistical observations, such as sweeps and DDoS across networks, could also be handled at the sensor level.
In addition, further advances in hardware (FPGAs and ASICs) made it possible to create high performing appliances that could block malicious packets and streams without network performance degradation. A new term was soon coined to describe the technology behind these appliances: Deep Packet Inspection (DPI).
Early DPI technology brought on a radical shift in how people architected network security. Over time, other forms of DPI have evolved, such as performing analytics based on metadata obtained from DPI, correlating the DPI metadata to sources of threat intelligence, using DNS data for finding compromised hosts, etc. DPI is still a very popular, first line of security defense for a lot of organizations. The technology has been successfully integrated into fundamental networking components, such as enterprise and home-grade switches, and solutions with 100G+ capacity.
The security world continues to look to next-gen DPI technology to ensure cleaner traffic in the network. There is an ongoing need to update signatures on many of these appliances, as new vulnerabilities are discovered weekly. Threat research teams within organizations continue to study publicly released vulnerabilities and discover many on their own, or with bug bounty programs.
So, why isn’t DPI putting a stop to all breaches? Why isn’t it immediately alerting us of breaches, so the attacker isn’t lurking on the network for over six months (on average) at a time?
To continue reading, view the full article on Information Systems Security.
More from our blog
Despite the rich data provided by SIEMs, organizations find themselves drowning in false positives, making it difficult to focus on high-priority events. This problem of alert fatigue prevents cyber security teams from identifying and addressing real threats – impacting small teams with no SOC, large enterprise teams with a SOC, and MSSPs overseeing the security for many SOCs/customers.Read More »
In 2018, the U.S. Healthcare Industry Remained a Hot Target for Data Breaches. Last year alone, over 15 million patient records were affected with an average of one data breach occurring every 24 hours in the healthcare industry. It goes without saying that hackers and cyber attackers are finding ways around/through/past security defenses—exploiting vulnerabilities and…Read More »
A Brief History of Forensic State Analysis Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network. With virtually unlimited resources and access…Read More »