– Scott Paly, co-founder and CEO of Global DataGuard (www.globaldataguard.com), says:
There has been a lot of buzz recently about ‘big data’ and how it may offer hope in catching cyber-thieves as they attempt to invade a company’s sprawling enterprise network. At the recent RSA conference in San Francisco, analysts commented on why and how they believe a market for security algorithms will emerge in response to the math-intensive analysis needed to spot anomalies in the ‘big data’ world of network security.
Gartner analyst Neil MacDonald pointed out that the ‘bad’ attacker intent on hiding his or her actions is an anomaly to the generally ‘good’ behavior of network users inside the network. These cyber-thieves are getting past traditional defenses, such as intrusion-prevention systems, firewalls, and anti-virus software, in order to infiltrate and steal highly sensitive data. Such attacks are often referred to as an Advanced Persistent Threat (APT), and are driven by hackers who are able to effectively hide their malevolent presence within networks. According to MacDonald, “we just don’t know what ‘goodness’ and ‘badness’ looks like in terms of network activity. You have to know what goodness looks like to understand deviations from goodness.” In his opinion, ‘big data’ offers new possibilities for security analysis, and he believes that security tools will have to evolve in order to meet this need.
Global DataGuard agrees and is already tackling the APT problem by developing new technology to address ‘big data’ analysis and correlation.
A Challenge for IT Management
Every IT department head that I’ve spoken with agrees that the majority of network security technology available today is reactive in nature, and that most enterprise security systems are comprised of loosely integrated or discrete ‘best of breed’ security offerings that focus on various critical aspects of network security but do not have the ability to retain and correlate suspicious traffic for more than a few minutes. What these individuals tell me they need is the ability to detect reconnaissance activity leading up to an attack – before a breach occurs – and they want a historical context and depth of analysis in order to more quickly detect a breach after it occurs.
Global DataGuard’s response has been to develop an architecture-based security system that utilizes network behavior analysis and correlation to enable IT personnel to manage, monitor, analyze, and correlate discrete security events, alerts, logs, and reports into actionable security threats across application subsystems. The goal is to help a company identify and actively respond to what some analysts refer to as ‘bad’ network activity. Combined with newly developed emergent behavior technology – which I’ll discuss in a moment – this type of unified, network behavior analysis-based system can effectively address the ‘big data’ conundrum.
How Emergent Behavior Technology Works in Identifying APTs
For several years, Global DataGuard has used network behavior analysis as a key component of our architecture-based approach to security, enabling IT managers to identify and respond to security threats that other products may not detect, including Advanced Persistent Threats (APTs). APTs are complex systems that mix specialized utilities and human behavior. Hackers understand how systems engineers like to work and use evasion techniques that exploit these habits. For example, systems engineers like to understand a system by studying each element in isolation and reconstructing the whole from its parts. That approach breaks down for non-linear (complex) systems, where the behavior of the whole is not simply the sum of the behavior of the parts, and the developers of APTs know this and use it to their advantage.
As mentioned earlier, nearly all network security technology is reactive in nature and comprised of disparate applications and appliances. This is why it is virtually impossible to track the type of low-level network activity that occurs over long periods and may be an indicator of an Advanced Persistent Threat. Here is where emergent behavior technology comes in to play. Although APTs are difficult to identify, the theft of data can never be completely invisible. By using emergent behavior technology within a behavioral-based unified security system, IT managers have at their disposal a tool that can more accurately determine very small changes within complex network relationships that may be indicators of an APT.
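To make the retention argument concrete, here is an added example (not Global DataGuard code, and not its emergent behavior technology) that runs one correlation rule over constructed flow records with two different memory depths. It assumes NetFlow-style records (timestamp, source, destination, destination port); the host addresses, the 90-minute probe cadence and the 3x-median threshold are constructed for illustration. One compromised workstation touches a single new port on one server every 90 minutes. A sensor that keeps five minutes of history sees nothing unusual; the same rule over a 14-day window flags the host immediately.

```python
"""Long-window correlation of low-and-slow reconnaissance (added example).

Assumes NetFlow-style records with a timestamp, source, destination and
destination port. All sample flows below are constructed, not captured.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Flow:
    ts: float   # epoch seconds
    src: str
    dst: str
    dport: int


DAY = 86400
START = datetime(2012, 3, 1, tzinfo=timezone.utc).timestamp()
BENIGN_HOSTS = ("10.0.1.10", "10.0.1.11", "10.0.1.12")   # constructed
SLOW_SCANNER = "10.0.1.77"   # hypothetical compromised workstation


def constructed_flows(days=14):
    """Normal workstation chatter (web proxy, file server, DNS every ten
    minutes) plus one host that probes one new port every 90 minutes."""
    flows = []
    for step in range(days * DAY // 600):             # one sample per 10 min
        t = START + step * 600
        for host in BENIGN_HOSTS + (SLOW_SCANNER,):
            flows.append(Flow(t, host, "10.0.0.5", 443))      # web proxy
            flows.append(Flow(t + 1, host, "10.0.0.6", 445))  # file server
            flows.append(Flow(t + 2, host, "10.0.0.7", 53))   # DNS
    for i in range(days * DAY // 5400):               # one probe per 90 min
        flows.append(Flow(START + i * 5400, SLOW_SCANNER, "10.0.0.9", 1 + i))
    return sorted(flows, key=lambda f: f.ts)


def peak_distinct_services(flows, window_s):
    """For each source, the largest number of distinct (dst, dport) pairs it
    touched inside any single window_s-second bucket. window_s is the amount
    of history the sensor retains; buckets are counted from the first flow."""
    if not flows:
        return {}
    t0 = min(f.ts for f in flows)
    seen = defaultdict(set)   # (src, bucket) -> {(dst, dport)}
    for f in flows:
        seen[(f.src, int((f.ts - t0) // window_s))].add((f.dst, f.dport))
    peak = defaultdict(int)
    for (src, _), services in seen.items():
        peak[src] = max(peak[src], len(services))
    return dict(peak)


def flag_outliers(peaks, factor=3.0):
    """Baseline = median peak across all sources ("what goodness looks like").
    Anything above factor x median is reported. Median rather than mean, so a
    single scanner cannot drag its own threshold up."""
    if not peaks:
        return {}
    baseline = statistics.median(peaks.values())
    return {src: n for src, n in peaks.items() if n > factor * baseline}


def detect(flows, window_s):
    """Run the same rule with a given retention window; returns {src: peak}."""
    return flag_outliers(peak_distinct_services(flows, window_s))


if __name__ == "__main__":
    flows = constructed_flows()
    print("5-minute memory:", detect(flows, 300))        # {}  scanner hides
    print("14-day memory:  ", detect(flows, 14 * DAY))   # {'10.0.1.77': 227}
```

With five minutes of memory the scanner's peak is four distinct services per bucket against a benign peak of three, well inside the threshold; with 14 days of memory the same host has touched 227 distinct services against a benign count of three. The rule did not change, only how long the evidence was kept and correlated, which is the point made above about retention measured in minutes versus weeks.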
Global DataGuard’s emergent behavior technology uses advanced pattern matching across distributed systems to examine the network as a whole and identify bit level changes that are unique to each network. In this way, Global DataGuard’s security system can view the entire network as a ‘flow of bits’ that can be used to find unusual or altered operation of lower-level systems that may indicate an APT. This technology provides the capability of overcoming some of the limitations of signature and anomaly detection methods.
A look at the Future of Network Security
Global DataGuard believes that emergent behavior, as part of a unified approach to security, is a technology ‘next step’ for the security industry. We’ve already seen significant performance enhancements within our own network behavior analysis-based UES system, which is capable of performing predictive analysis by retaining and correlating suspicious raw packet data for a rolling 14-30 days and signature alerts and behavioral profiles for six months or longer, based on a customer’s specific requirements.
Because Global DataGuard’s architecture-based security system is both adaptive and predictive, it can give IT managers and their staff greater efficiency in labor and detection ability, lower acquisition costs than discrete security solutions, and easier deployment and management of their company’s network security ecosystem. These products and services are designed from the ground up to address compliance-specific requirements related to the integration of processes, technology, service, and reporting. Using a modular approach, they can be customized to a company’s specific network requirements, from a few security applications to a complete system, whether the network is premise-based, virtual, or a cloud/on-premise hybrid.