Monitoring your internal network with intelligent firewalls


24 January 2016
Francis Teo of Hillstone Networks

As each year passes, new and more complex cyber security threats loom on the horizon, and organisations must keep looking for more innovative strategies and solutions to keep up with cybercriminals and stay protected. The pervasiveness of mobile technology and the growing adoption of wearables and smart devices have made networks and applications easier to reach, widening the attack surface that organisations must defend.

This is set to continue into 2016: as attack tooling grows more sophisticated, breaching an organisation becomes easier. Security products need to address these evolving risks and the widening variety of attack types and avenues, while remaining agile enough to adapt to whatever security situation arises.

Today, the average cost of a data breach stands at $3.8 million, and it will only continue to rise as companies collect and generate more information each day. When it comes to cyber security and company networks, prevention is certainly better than cure. The implementation of a security solution is no guarantee that a company is protected, as not all solutions are effective on all fronts. High-profile breaches in recent years, such as those at Sony Pictures Entertainment and Ashley Madison, show this: both had security policies in place and were breached anyway. This illustrates the active and ever-evolving nature of the threats lurking on companies' internal networks.

In fact, many of the biggest breaches in history went undetected for a significant period of time, and it is external parties, not the companies themselves, that discover 75 per cent of breaches. On average, a network is breached in hours, but a breach takes roughly 200 days to be detected.
This is why collaboration between network and endpoint security is crucial to achieving competent security for organisations. Both external and internal threats must be given equal weight in a holistic approach to dealing with threats.

In recent years, there has been a shift towards "monitoring" and a more holistic approach to network security. A perimeter firewall can detect and block external threats, but once a threat slips through, it has no view of what that threat does inside the network.

Many proactive technology segments address post-breach detection and internal network monitoring. Here are some of the latest technologies that companies can consider:

Micro Segmentation

The newer kid on the block, micro-segmentation adds a dimension to network security by giving organisations visibility into east-west (lateral) traffic. It applies a zero-trust model: only communication that has been explicitly permitted between workloads is allowed, and everything else is denied by default. This makes for a more agile data centre that can quickly identify breaches and isolate them, and the multiple layers of security slow down attackers, giving administrators more lead-time to deal with threats.

Micro-segmentation is critical in ensuring security in the cloud. It addresses the gaps in visibility and control of traffic at the virtual machine level.

Network Behavioural Analysis

The next generation of security needs to identify attacks as they are happening, and this is where behavioural analysis can serve as a real-time defence tool. Today, companies are effective at identifying attack patterns, but they are not yet able to turn their threat-correlation analytics into actionable events, such as dynamically creating a policy to quarantine a suspicious internal host, or a firewall policy that blocks access to a destination IP for a specific application.

Network Behavioural Analysis continuously monitors traffic so that network risk can be tracked in real time. Using an established baseline of normal traffic, it flags and acts on deviations in user and application behaviour within the network, which is how zero-day attacks and previously unseen malware, with no signature to match, can be spotted.
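To make the baseline-and-deviation idea concrete, here is an added example of the detection logic, written for this article and not taken from Hillstone or any product. It learns per-host normal behaviour (outbound volume, number of distinct destinations, and the port/application pairs the host uses) from a learning window of flow records, then compares a later window against that baseline and turns each deviation into the kind of actionable event the previous paragraph mentions: quarantine the host, or block a destination for a specific application. The hosts, addresses and flow records are constructed for the example, and the thresholds (z-score of 3, five times the usual fan-out) are illustrative assumptions rather than tuned values.

```python
"""Baseline-and-deviation detection over flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    minute: int      # minute offset from the start of the capture
    src: str         # internal host that initiated the connection
    dst: str
    dport: int
    app: str         # application identified by the sensor (e.g. "https", "smb")
    bytes_out: int   # bytes sent by src

@dataclass
class Baseline:
    byte_mean: float        # mean outbound bytes per minute
    byte_std: float         # standard deviation of the above
    dst_mean: float         # mean number of distinct destinations per minute
    known_services: set     # (dport, app) pairs this host normally talks to

@dataclass
class Finding:
    host: str
    minute: int
    reason: str
    action: str             # "quarantine_host" or "block_destination"
    target: tuple           # (dst, app) for block_destination, else ()

def per_minute(flows):
    """Group flows by (source host, minute)."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.minute)].append(f)
    return buckets

def build_baseline(flows, window_minutes):
    """Learn per-host normal behaviour from a learning window of flows."""
    buckets = per_minute(flows)
    baselines = {}
    for host in sorted({f.src for f in flows}):
        byte_series, dst_series, services = [], [], set()
        for m in range(window_minutes):
            fl = buckets.get((host, m), [])
            byte_series.append(sum(f.bytes_out for f in fl))
            dst_series.append(len({f.dst for f in fl}))
            services.update((f.dport, f.app) for f in fl)
        baselines[host] = Baseline(mean(byte_series), pstdev(byte_series),
                                   mean(dst_series), services)
    return baselines

def detect(observed, baselines, z_threshold=3.0, fanout_factor=5):
    """Compare each host-minute against its baseline and propose a response."""
    findings = []
    for (host, m), fl in sorted(per_minute(observed).items()):
        b = baselines.get(host)
        if b is None:
            findings.append(Finding(host, m, "host absent from baseline", "quarantine_host", ()))
            continue
        total = sum(f.bytes_out for f in fl)
        z = (total - b.byte_mean) / (b.byte_std or 1.0)   # guard against a zero std
        dsts = {f.dst for f in fl}
        new_services = {(f.dport, f.app) for f in fl} - b.known_services
        if len(dsts) > fanout_factor * max(b.dst_mean, 1.0) and new_services:
            # Many new peers on a service the host never used: scan or lateral movement.
            findings.append(Finding(host, m,
                f"fan-out to {len(dsts)} destinations on new services {sorted(new_services)}",
                "quarantine_host", ()))
        elif z > z_threshold:
            # Volume far outside the normal band: block the dominant destination/app pair.
            top = max(fl, key=lambda f: f.bytes_out)
            findings.append(Finding(host, m, f"outbound volume z-score {z:.1f}",
                                    "block_destination", (top.dst, top.app)))
    return findings

# --- Constructed sample data (not real traffic) ----------------------------
HOSTS = ["10.0.1.5", "10.0.1.6", "10.0.1.7"]

def normal_minute(host, m):
    """One minute of ordinary traffic: two HTTPS flows to an app server, one DNS lookup."""
    return [
        Flow(m, host, "10.0.2.10", 443, "https", 4000 + (m % 3) * 100),
        Flow(m, host, "10.0.2.10", 443, "https", 4000 + (m % 3) * 100),
        Flow(m, host, "10.0.2.20", 53, "dns", 120),
    ]

LEARNING_WINDOW = 60
BASELINE_FLOWS = [f for m in range(LEARNING_WINDOW) for h in HOSTS for f in normal_minute(h, m)]

# Observation window: everyone behaves, except 10.0.1.7, which sweeps 20 internal
# hosts over SMB at minute 60 and then pushes 50 MB to an outside address at minute 61.
OBSERVED_FLOWS = [f for m in (60, 61) for h in HOSTS for f in normal_minute(h, m)]
OBSERVED_FLOWS += [Flow(60, "10.0.1.7", f"10.0.1.{n}", 445, "smb", 300) for n in range(100, 120)]
OBSERVED_FLOWS.append(Flow(61, "10.0.1.7", "203.0.113.9", 443, "https", 50_000_000))

def run_detection():
    return detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS, LEARNING_WINDOW))

if __name__ == "__main__":
    for fd in run_detection():
        print(f"{fd.host} @min {fd.minute}: {fd.reason} -> {fd.action} {fd.target}")
```

Running it reports two findings, both for 10.0.1.7: a quarantine for the SMB sweep at minute 60 and a block of 203.0.113.9 over HTTPS for the upload at minute 61, while the two well-behaved hosts produce nothing. The fan-out check is evaluated before the volume check on purpose: a host that is spraying a new service across the segment is a better candidate for isolation than for a single destination block, and the ordering decides which policy the sensor would push.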

Statistical Clustering

Instead of searching for explicit signatures, statistical clustering analyses the behaviour of suspect code and looks for recurring combinations of actions that are strongly associated with known malware. When a close match is detected, the system raises an alert and provides a complete description of the malware, including packet captures, together with a confidence level and a severity level so that the administrator can prioritise and take remedial action.
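The matching step described above, as an added example written for this article rather than code from Hillstone or any product: each known family is represented by the combination of actions that recurs in it, an observed sample is scored by how much of that combination it reproduces, and a match above a threshold becomes an alert carrying the family name, a severity level, a confidence level and a reference to the packet capture taken while the sample ran. The cluster definitions, action names, sample identifiers and capture references are all constructed for the example; the 0.6 threshold and the rule that a "combination" needs at least two shared actions are illustrative assumptions.

```python
"""Matching observed behaviour against known malware action clusters (added example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cluster:
    name: str
    severity: str
    actions: frozenset      # recurring combination of actions characteristic of the family

@dataclass(frozen=True)
class Sample:
    sample_id: str
    actions: frozenset      # actions observed from the suspect process (sandbox or host telemetry)
    pcap_ref: str           # where the packet capture taken while the sample ran is stored

@dataclass(frozen=True)
class Alert:
    sample_id: str
    cluster: str
    severity: str
    confidence: float       # share of the cluster's action combination reproduced by the sample
    matched: tuple          # the actions that matched, for the analyst's description
    pcap_ref: str

# Hypothetical behaviour clusters; the action names are constructed for this example
# and do not correspond to any real detection content.
CLUSTERS = [
    Cluster("ransomware-like", "critical", frozenset({
        "enumerate_network_shares", "delete_volume_shadow_copies",
        "mass_file_rename", "write_ransom_note", "disable_recovery"})),
    Cluster("credential-stealer-like", "high", frozenset({
        "open_lsass_handle", "read_browser_credential_store",
        "dns_query_dga", "http_post_encrypted_blob"})),
    Cluster("installer-like", "low", frozenset({
        "write_program_files", "create_uninstall_registry_key",
        "create_start_menu_shortcut"})),
]

def score(sample, cluster):
    """Fraction of the cluster's combination present in the sample, plus the matched actions."""
    matched = sample.actions & cluster.actions
    return len(matched) / len(cluster.actions), tuple(sorted(matched))

def classify(sample, clusters=CLUSTERS, threshold=0.6, min_actions=2):
    """Return the best-matching cluster above threshold, or None if nothing fits closely."""
    best: Optional[Alert] = None
    for c in clusters:
        confidence, matched = score(sample, c)
        # A single shared action is not a combination; require at least two and a close match.
        if len(matched) < min_actions or confidence < threshold:
            continue
        if best is None or confidence > best.confidence:
            best = Alert(sample.sample_id, c.name, c.severity,
                         round(confidence, 2), matched, sample.pcap_ref)
    return best

def classify_all(samples):
    return {s.sample_id: classify(s) for s in samples}

# Constructed observations: an installer-looking dropper that then behaves like ransomware,
# a plain installer, and a process that shares only part of the stealer combination.
SAMPLES = [
    Sample("s-001", frozenset({
        "write_program_files", "create_uninstall_registry_key",
        "enumerate_network_shares", "delete_volume_shadow_copies",
        "mass_file_rename", "write_ransom_note"}), "captures/s-001.pcap"),
    Sample("s-002", frozenset({
        "write_program_files", "create_uninstall_registry_key",
        "create_start_menu_shortcut"}), "captures/s-002.pcap"),
    Sample("s-003", frozenset({"open_lsass_handle", "dns_query_dga"}), "captures/s-003.pcap"),
]

if __name__ == "__main__":
    for sid, alert in classify_all(SAMPLES).items():
        if alert is None:
            print(f"{sid}: no close match")
        else:
            print(f"{sid}: {alert.cluster} severity={alert.severity} "
                  f"confidence={alert.confidence} matched={alert.matched} pcap={alert.pcap_ref}")
```

The first sample matches both the installer cluster (2 of 3 actions) and the ransomware cluster (4 of 5); the higher confidence wins, so the alert is critical rather than low, which is the behaviour an administrator triaging by severity needs. The third sample shares two actions with the stealer cluster but only half of its combination, so it stays below threshold and produces no alert: a partial overlap is exactly the case where a signature-free approach must hold back to avoid noise.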

At the end of the day, however sophisticated the technology, organisations should always be looking at the whole product set: internal network products should complement existing technology to create an agile, active and complete security strategy that not only protects a network but also proactively seeks out and eliminates threats. This ensures that every layer and every virtual machine within a network is covered and that security breaches are identified as quickly as possible.

Francis Teo is regional director of Southeast Asia, Hillstone Networks.