Seeing Through the Clouds
Published 11/20/2013
By TK Keanini, CTO, Lancope
The economics of cyber-attacks have changed over the years. Fifteen years ago, it was all about network penetration, but today advanced attackers are more concerned about being detected. Similarly, good bank robbers are concerned about breaking into the bank, but great bank robbers have mastered how to get out of the bank without any detection.
Virtualization Skews Visibility
Because virtual-machine-to-virtual-machine (VM2VM) communications inside a physical server cannot be monitored by traditional network and security devices, the cloud can potentially give attackers more places to hide. Network and security professionals need to be asking themselves what cost-effective telemetry can be put in the cloud and across all of their networks such that the advanced persistent threat can’t escape detection.
The answer, I believe, lies in flow-based standards like NetFlow and IPFIX. Originally developed by Cisco, NetFlow is a family of standard protocols spoken by a wide variety of popular network equipment. IPFIX is a similar standard that was created by the Internet Engineering Task Force (IETF) and is based on NetFlow Version 9. These standards provide the most feasible, pervasive and trusted ledger of network activity for raising operational visibility across both physical and virtual environments.
Regaining Cloud Control
Regaining control of the cloud starts with basic awareness. Security teams need to know what applications, data and workloads are moving into cloud environments, where that data resides at any particular time, who is accessing that data and from where. They need this information in real time, and they need historical records, so that in the event that a breach is suspected it is possible to reconstruct what happened in the past. The recipe for success here is simple: leverage NetFlow or IPFIX from all of your routers, switches, firewalls and wireless access points to obtain a complete picture of everything happening across your network.
Flow-based standards like NetFlow and IPFIX provide details of every conversation taking place on the network. Some people think they need full packet capture of everything traveling on the network, and while that would be nice, it simply cannot scale. However, the metadata of that same traffic flow, as provided via NetFlow and IPFIX, does scale quite well and if need be, you can make the decision to also ‘tap’ a flow of interest to gather further intelligence.
Selecting a Monitoring Solution
By collecting and analyzing flow data, organizations can cost-effectively regain the internal visibility needed to detect and respond to advanced attacks across large, distributed networks and cloud environments. However, not all flow collection and analysis systems are created equal. It is important to determine the following when selecting a security monitoring solution for your physical and virtualized network and/or private cloud:
- Does the solution indeed provide visibility into virtual environments? (Some can only monitor physical infrastructure.)
- Are you getting an unsampled NetFlow or IPFIX feed? (Sampled flow data does not provide a complete picture of network activity.)
- Does the solution conduct in-depth analysis of the flow data? Is the intelligence it supplies immediately actionable?
- Does the solution deliver additional layers of visibility including application awareness and user identity monitoring, which can be critical for finding attackers within the network?
- Does the solution allow for long-term flow storage to support forensic investigations?
It is also important to conduct similar due diligence on the security technologies and practices used by various providers if you decide to outsource your IT services to the public cloud.
Thwarting Advanced Attacks
As the CTO of Lancope, it is my goal to ensure that the bad guys cannot persist on your networks. No matter which stage you are in with your cloud strategy –whether virtualizing your infrastructure, or using a public or private cloud – the collection and analysis of existing flow data can dramatically enhance your security. When every router/switch/wireless access point/firewall is reporting unsampled flow records, and you are able to synthesize that data into actionable intelligence, there is just nowhere for the adversary to hide.
For more details on NetFlow for security, check out the Lancope blog or follow me on Twitter @tkeanini.
TK Keanini is a Certified Information Systems Security Professional (CISSP) who brings nearly 25 years of network and security experience to his role of CTO at Lancope. He is responsible for leading Lancope’s evolution toward integrating security solutions with private and public cloud-based computing platforms.