Defending business networks isn’t getting any easier. Companies can have the latest, greatest perimeter defenses, intrusion detection systems and endpoint protections – and attackers will still get through. Just ask Equifax or Capital One.
An emerging approach, called Network Traffic Analysis, is gaining traction as, in effect, a catch-all network security framework positioned at the highest layer of the networking stack. Heavyweights Cisco and FireEye are playing in this space. And so are a couple of dozen other vendors, many of them extending over from the network performance monitoring arena.
I had a lively discussion at RSA 2020 with one of these vendors, Accedian, a 15-year-old company based in Montreal, Canada. For a full drill down on my discussion with Michael Rezek, Accedian’s vice president of business development and cybersecurity strategy, give a listen to the accompanying podcast. Here are excerpts of my interview with Rezek, edited for clarity and length.
LW: How would you frame the security challenge companies are facing today?
Rezek: IT infrastructure today is more distributed than it has ever been, whether it’s Platform as a Service, Infrastructure as a Service, or cloud, multi-cloud, or hybrid cloud. This distribution of IT assets creates far more network dependencies than it ever has before.
And applications, themselves, are being delivered in a complex, multi-tier fashion. So I may have a frontend web-tier server in one location, a backend database server in another location and application-tier server in yet another location, all hitting DNS servers.
So you now have all of these new attack vectors emerging, as well. It becomes a challenge to put eyeballs everywhere, to see the various types of threats, attacks and suspicious behavior hitting your network.
LW: Not to mention there’s even more complexity on the immediate horizon.
Rezek: Absolutely. One of the benefits of 5G and IoT, for instance, is hyper connectivity. You’ll have devices talking to devices, devices talking to machines and humans talking to machines and devices. All those connections need to be captured, and this creates attack vectors. I hear stories all the time of somebody turning on a new IoT device, a bulb, and all of a sudden they see a new encrypted tunnel set up and establish a connection to a rogue IP address to literally start to try to do command and control.
LW: 5G only rolled out very recently. Are you seeing actual threats in the wild?
Rezek: Yes. 5G is the connection component to the network. People are using the network to tunnel through to the assets. We’re monitoring the traffic and looking at the behaviors on the wire, because we have visibility all the way up the stack to the top protocols. We put eyeballs on the traffic and we do network traffic analysis, and then we’re able to render the threats.
LW: So you’re looking at traffic that’s made it through the firewall and intrusion detection?
Rezek: It’s what gets past the security gateways — and what you can’t instrument with endpoint security . . . If you think about it, how do you put an agent on an IoT device or a BYOD device or an industrial control? You can’t, really. But within the network, every attack has to hit the wire, at some point. And that’s really where our strength is: the ability to put eyeballs everywhere and see all of that activity.
LW: How does this fit with cloud-based, hybrid networks?
Rezek: That’s our sweet spot. Our customers are struggling to get visibility, and it’s always some sort of virtual attack surface that’s a concern. They could pull packets out of the cloud, but it’s cost-prohibitive. We look at traffic that’s moving on the wire, anyway. We look at traffic moving east to west and north to south, between virtual private clouds, from this cloud to that cloud and between private data centers and the public cloud.
LW: What about the whole DevOps and DevSecOps side of the house?
Rezek: Applications are getting refactored continuously, and every time you refactor there could be some sort of vulnerability. We’re not so much protecting the application during development; we’re monitoring the threats that are leveraging the protocols that deliver the application – we’re looking at that attack vector.
LW: So what are you seeing?
Rezek: We see a lot of vulnerability probing, people looking for open ports; we see basic SQL injection attacks; we see command and control tunnels, which we pick up through TLS/HTTPS. The attackers are trying to get their hands on files and exfiltrate data. A lot of times you’ll see an attacker come in, do a vulnerability scan on the ports, establish an encrypted tunnel, connect to a server and then start to exfiltrate files.
LW: Is this going to be supplemental way to defend networks, going forward?
Rezek: If you think about monitoring your environment, there’s perimeter protection, there’s protection for inside the perimeter, for the attacks that get through, and then there’s endpoint protection. We’re going to be part of an ecosystem that evolves with a variety of tools. We’ll play our role to really put eyeballs in all the places that you can’t get to.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/qa-accedians-michael-rezek-on-using-network-traffic-analysis-to-defend-hybrid-networks/