The Evolution of Cybersecurity and the Rise of Threat Hunting


As featured in Information Systems Security

Security approaches need to evolve. Many IT and security practitioners still believe that the best shield against cybercrime is a hardened network perimeter to keep attackers out, plus antivirus software on the endpoints.

The need for new security approaches that shorten detection and response time has never been more apparent, as threats (unfortunately) arise more quickly than security strategies adapt to them. Countless breaches worldwide have proven that, regardless of financial or human resources, a change in security operations mindset is required to protect critical assets, reduce attacker dwell time and limit risk.

First Wave: Deep Packet Inspection Technology Shift

Intrusion detection/prevention (IDS/IPS) technology first made its mark a decade ago, and the security industry considered those systems a viable solution. Their promise of examining the contents of packets and streams at the bit and byte level made it feasible to detect and stop attacks at the network level.

Protocols were less complex then and, more importantly, much of the traffic was not encrypted. It had quickly become apparent that a chain of firewall rules alone was not sufficient to stop an attack from propagating through the network, or to protect a web, mail or DNS server: a firewall decides on addresses and ports, not on what the permitted connection carries.

While organizations were scrambling to add intrusion detection/prevention technology to their IT strategies, the network perimeter was still well defined. As a result, they realized:

  • It was easy to deploy sensors, primarily at the network perimeter, to inspect traffic entering and leaving the network.
  • Attacks and their variants against operating systems and applications could be handled with protocol decoders, regular expressions and string matching.
  • Attacks that required statistical observation, such as port sweeps and DDoS across networks, could also be handled at the sensor level.
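A constructed illustration of the three sensor capabilities just listed, added here as an example and not taken from the article or from any vendor product: a minimal HTTP request decoder, content signatures applied with string and regular-expression matching on the decoded field or the raw bytes, and a statistical rule that flags a port sweep by counting distinct ports per source inside a time window. The packets, rule names, addresses, threshold and window are all invented for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic (not a real capture): (time_s, src, dst, dport, payload).
# A normal request, a directory-traversal attempt, an oversized URI and a port sweep.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    (0.10, "10.0.0.5", "192.0.2.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    (0.20, "10.0.0.7", "192.0.2.10", 80, b"GET /" + b"A" * 600 + b" HTTP/1.1\r\n\r\n"),
    (0.30, "10.0.0.5", "192.0.2.10", 80, b"POST /login HTTP/1.1\r\nHost: www\r\n\r\nuser=bob"),
] + [
    # 10.0.0.9 touches 30 different ports in well under a second: a port sweep.
    (1.0 + i * 0.02, "10.0.0.9", "192.0.2.10", 1000 + i, b"") for i in range(30)
]

# Content signatures: the regular-expression and string-matching part of a sensor.
# "http" rules run on the decoded request path; "raw" rules run on the payload bytes.
# Names and patterns are assumptions made for this example, not a real rule set.
SIGNATURES = [
    ("http", "directory traversal", re.compile(r"(\.\./)+")),
    ("http", "sensitive file request", re.compile(r"/etc/passwd")),
    ("http", "oversized URI (overflow attempt)", re.compile(r"^.{512,}$")),
    ("raw", "NOP sled", re.compile(rb"\x90{16,}")),
]


def decode_http_request(payload: bytes):
    """Minimal protocol decoder: return (method, path) for an HTTP request line, else None."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def match_signatures(dport: int, payload: bytes):
    """Return the names of every signature the packet triggers."""
    hits = []
    decoded = decode_http_request(payload) if dport == 80 else None
    for proto, name, pattern in SIGNATURES:
        if proto == "http" and decoded and pattern.search(decoded[1]):
            hits.append(name)
        elif proto == "raw" and pattern.search(payload):
            hits.append(name)
    return hits


class SweepDetector:
    """Statistical rule: alert once when a single source touches at least
    `threshold` distinct (dst, port) targets within `window_s` seconds."""

    def __init__(self, threshold=20, window_s=5.0):
        self.threshold, self.window_s = threshold, window_s
        self.events = defaultdict(deque)   # src -> deque of (time, (dst, dport))
        self.alerted = set()

    def observe(self, t, src, dst, dport):
        q = self.events[src]
        q.append((t, (dst, dport)))
        while q and t - q[0][0] > self.window_s:   # drop events that fell out of the window
            q.popleft()
        distinct = {target for _, target in q}
        if len(distinct) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return True
        return False


def run_sensor(packets, threshold=20, window_s=5.0):
    """Feed packets through the signature and sweep checks; return alert strings in order."""
    alerts = []
    sweep = SweepDetector(threshold, window_s)
    for t, src, dst, dport, payload in packets:
        for name in match_signatures(dport, payload):
            alerts.append(f"{src} -> {dst}:{dport} {name}")
        if sweep.observe(t, src, dst, dport):
            alerts.append(f"{src} port sweep against {dst}")
    return alerts


if __name__ == "__main__":
    for alert in run_sensor(SAMPLE_PACKETS):
        print(alert)
```

Note what each part depends on: the signature rules only fire because the HTTP request line could be decoded in the clear and because the pattern was known in advance, and the sweep rule only works because the sensor keeps per-source state and sees all of the traffic at one choke point. Those are exactly the assumptions that the rest of the article goes on to question.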

In addition, advances in hardware (FPGAs and ASICs) made it possible to build high-performing appliances that could block malicious packets and streams without degrading network performance. A new term was soon coined for the technology behind these appliances: Deep Packet Inspection (DPI).

Early DPI technology brought a radical shift in how people architected network security. Over time, other uses of DPI have evolved, such as analytics on the metadata DPI extracts, correlation of that metadata with threat-intelligence sources, and the use of DNS data to find compromised hosts. DPI is still a very popular first line of defense for many organizations. The technology has been integrated into fundamental networking components, such as enterprise- and home-grade switches, and into appliances with 100G+ capacity.

The security world continues to look to next-gen DPI technology to keep traffic in the network cleaner. Signatures on many of these appliances need constant updating, as new vulnerabilities are discovered weekly; a signature can only describe an attack that has already been seen and analysed. Threat research teams within organizations continue to study publicly released vulnerabilities, and discover many on their own or through bug bounty programs.

So, why isn't DPI putting a stop to all breaches? Why isn't it immediately alerting us of breaches, so the attacker isn't lurking on the network for over six months (on average) at a time?

To continue reading, view the full article on Information Systems Security.