Breach Detection Is All In The Communication

It seems today, it’s no longer a question of if you will be breached, but when. Despite the best efforts of traditional perimeter, network and endpoint security defenses, breaches have continued – and will continue – to occur.

Why? Cyber-attacks are growing increasingly sophisticated and elusive. Attackers are slowing down their activities to hide exfiltration in the noise of normal traffic. This has translated into data breaches going undetected for more than 200 days (Verizon Data Breach Report), and 69% of breached organizations finding out they were breached from outside their organization (Mandiant M-Trends 2015).

We are getting smarter about security every day, and while that knowledge is helping us stop the known attacks, it doesn’t account for the breaches that went undetected. The problem is an over-reliance on the preventative security model.

Everyone wants prevention, but it’s become abundantly clear that prevention alone is not enough. This is shifting the conversation away from prevention tools and is propelling an explosion of new and existing cybersecurity companies to focus on more rapid “detection” of threats after they pass through perimeter defenses.

One might argue: “Who cares if they get in, just don’t let them back out.” The struggle here is that the inside of a network has long been deemed trusted and the outside untrusted, an assumption that no longer holds.

The Network is a Breach Lifeline

If we examine how breaches behave today, we find that the network is the common denominator. Attackers are after proprietary information, intellectual property and secrets that are unique to the organization. To gain access to that data, the attackers first have to answer the question “How do I get onto the network?”, which they do through social engineering, phishing, and capitalizing on unpatched systems and security vulnerabilities.

But the next act is to get the information out, and the most common way that is happening is over the network. According to David Monahan, research director for EMA, “The network has become a focal point for understanding data breach behavior as attacks remain elusive and go undetected for hundreds of days.”

Networks contain vast amounts of information. Even simple residential networks carry hundreds of connections to Internet servers transferring millions of packets as users browse websites, check email, stream multimedia, post to social media, make VoIP calls, and engage in a multitude of other online activities. Add to this the explosion of Internet-of-things (IoT) devices such as thermostats and smart TVs, and the number of attack vectors multiplies.

By closely examining network communications and extracting intelligence from network packets, we can now unlock the elusive behaviors of data breaches that evade our traditional preventative security measures.

Extracting High-Definition Records from Packets

High-definition records (HDRs) represent a breakthrough in how we do breach detection today by extracting an unprecedented level of detail about network sessions. Unlike legacy methods of examining network traffic, such as NetFlow, HDRs include information about what is happening on the network at the transaction level, the flow level and the session level.

NetFlow records, on the other hand, only represent flow information with IP addresses, which are constantly changing in a world of applications that tunnel over HTTP. This is insufficient information for behavioral analysis of breach activity.

With an added layer of application metadata, network data and flow statistics are supplemented with rich layer 7 information that provides granular visibility into network communications. HDRs also improve the efficacy of breach detection by binding the information to users, devices, and network entities, which helps to pinpoint anomalous network and application behavior.

Improving Breach Detection

So how can this enhanced information about communications help detect a threat?

Consider this example: a user checking email, where a connection is established between the client application and the mail server. On the server is an email waiting to be downloaded. This particular email happens to be a phishing attack, but at the time it is delivered, no one knows it is malicious. Using a next-generation breach detection solution, the event details and URL are stored.

Here’s how it works. The moment the malicious email entered the network and landed on the mail server – hours before the user checked his email – a breach detection software sensor, deployed passively at an Internet egress point, processed a high-definition record containing metadata that identified the phishing site. The attachment’s MD5 hash value was recorded as well.

Now, the current model is to check the URL and attachment against a known-bad list at the moment the event occurs. For that use case, everything is fine. However, tomorrow, or next month, or next year, when that URL or attachment is finally identified as malicious, it will be too late. Or will it?

A new generation of breach detection software can take in the latest threat intelligence automatically and constantly match it against the history of HDRs as new learnings and threat discoveries occur. As a secondary level, similar to noticing a known bad actor on the street, this new model of breach detection then looks for further actions that make it obvious that someone needs to be called in to investigate.
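The retrospective matching described above, as an added illustration that is not SS8's code or record format: session records with layer-7 metadata (URL, attachment hash, bound user and device) are stored as they are observed, and indicator lists that arrive weeks later are replayed against that history, yielding the dwell time and the devices to investigate. Every field name, address, hash and URL below is constructed.

```python
"""Retrospective threat-intelligence matching against stored session records.

Added example, not the vendor's code: the HDR stand-in, its fields and all
sample values are constructed to show the idea in the article.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class HDR:
    """Constructed stand-in for one high-definition record of a mail transaction."""
    observed: datetime
    client: str          # device that fetched the message
    user: str            # identity bound to the session
    url: str             # link seen in the message body
    attachment_md5: str  # hash of the attachment (constructed, not real malware)


# Constructed history: what a passive egress sensor would have stored weeks earlier.
HISTORY = [
    HDR(datetime(2015, 3, 2, 9, 14), "10.0.5.23", "alice",
        "http://invoice-example.test/view", "0123456789abcdef0123456789abcdef"),
    HDR(datetime(2015, 3, 2, 9, 15), "10.0.5.23", "alice",
        "http://cdn.example.test/logo.png", "fedcba9876543210fedcba9876543210"),
    HDR(datetime(2015, 3, 9, 16, 40), "10.0.7.8", "bob",
        "http://invoice-example.test/view", "00000000000000000000000000000000"),
]

# Constructed moment at which new intelligence arrives and is replayed.
INTEL_RECEIVED = datetime(2015, 3, 20, 12, 0)


def retrospective_matches(history, bad_urls, bad_md5s, now):
    """Return (record, dwell_days) for each stored record whose URL or
    attachment hash appears in intelligence that arrived after the fact."""
    hits = []
    for rec in history:
        if rec.url in bad_urls or rec.attachment_md5 in bad_md5s:
            hits.append((rec, (now - rec.observed).days))
    return hits


def devices_to_investigate(hits):
    """Collapse matches to the (device, user) pairs an analyst pivots on next."""
    return sorted({(rec.client, rec.user) for rec, _ in hits})


if __name__ == "__main__":
    found = retrospective_matches(HISTORY, {"http://invoice-example.test/view"}, set(), INTEL_RECEIVED)
    for rec, dwell in found:
        print(f"{rec.user}@{rec.client} fetched flagged URL {dwell} days ago")
```

A real-time blocklist check at 09:14 on 2 March would have found nothing; replaying the same history when the URL is listed 18 days later surfaces both affected devices.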

Conclusion

By extracting high-definition records from network packets, enterprises can gain valuable insight into network flow behavior to quickly detect and remediate network breaches. Session awareness, enhanced flow statistics, application visibility, and identity enrichment are the key features that separate HDR data from other types of flow records.

Regardless of the type of systems they run, organizations need to turn inwards and dig into the network communications flowing within their organization in order to reduce data breach “dwell time” and to more quickly pinpoint a previously unknown compromised device. From the digital thermometer to the server, every connected device has a voice and a method of getting data from one point to another, and network communications are the key to unlocking the unknown breach behaviors.

About Faizel Lakhani
Faizel has extensive experience in data security, network security, switching, routing, and Voice over IP technologies in both enterprise and service provider markets. Prior to SS8, Faizel was the vice president of Data Loss Prevention at McAfee, where he was responsible for the DLP business worldwide. Faizel joined McAfee through the acquisition of Reconnex, where he was the vice president of products and marketing. Prior to Reconnex, Faizel held executive leadership roles in product and marketing at ConSentry, Caspian Networks and Nortel Networks. Faizel holds an MBA from The University of Ottawa, an MS in Engineering from Carleton University, and a BS in Engineering from McMaster University.