Tomer Saban is the CEO of WireX Systems, a provider of network intelligence solutions. In this interview he talks about how deep packet inspection helps with identifying emerging threats, the role of network intelligence, and illustrates what the information security industry needs to do in the next 5 years to combat highly targeted attacks.
What’s the role of network intelligence in today’s complex security architecture?
Behind the security architecture are the teams who need to operate it. Their work is to manage the solutions installed, to monitor the network activity and to respond to the never-ending alerts that keep popping up. Many enterprises invest millions of dollars on deploying best-of-breed solutions, but without an effective process that works, their investment goes in vain.
Today, as the security architecture becomes more complex, so does the process behind it. Security teams have all of these systems, producing countless logs and alerts, and yet they still feel blind to what is happening on their network. Log data by itself can raise suspicions, but it’s too vague and is rarely enough to tell the entire story.
Network intelligence is the contextual information required to stream the security process, and even the IT process in general. Using network intelligence, the analysts can finally ask all the hard questions and get fast, simple answers. Instead of correlating huge volumes of logs, network intelligence gives you the precise content and context. Instead of looking at high-level logs, showing HTTP GETs and POSTs, network intelligence aggregates and translates all sessions into a single logical event, so you could easily understand user interactions.
As security teams have quite a few (some will say too many) complex security solutions they need to operate, Network Intelligence must provide simple and clear answers in order to minimize time to detect and respond to today’s threats.
How does deep packet inspection help with identifying emerging threats?
First I would like to talk about the term deep packet inspection, which could be confusing when talking about network traffic analysis. There are lots of DPI technologies that parse network traffic and extract metadata from it, and in some cases also simple content such as files and emails. And yet, most DPIs only scratch the surface since the analysis fails to understand how the applications work. This is specifically true for dynamic Web application environments which do not follow a specific RFC standard. In order to identify and mitigate today’s emerging threats, a more in-depth intelligence is required – we call it contextual layer-8 analysis.
This advanced analysis is about understanding the activities within the application, extracting its content and attaching context to it. When dealing with web traffic, a typical DPI will only recognize the Web application, while the contextual layer-8 analysis identifies important interactions like webmail and social media chats, business transactions, SQL queries, forms and other proprietary applications used over the internal network or the cloud.
This level of visibility and simplicity is critical for today’s cyber landscape. Once the network traffic is fully analyzed, stored and indexed, security teams can finally perform their tasks effectively. Alerts generated by existing security solutions (such as next-generation firewall, IPS or SIEM) can be immediately validated and prioritized, and security breaches can be better investigated for root-cause analysis and impact assessment.
Take for instance a security analyst looking into his web security gateway. The URL filtering alerts that a user has accessed a “bad” website, probably hosting malware. A simple query should provide all appearances of this URL in past traffic, together with the actual content. Not only in HTTP GETs, but also in social network chats, links inside emails, HTTP referrers and even in HTMLs. This means that within a few minutes the analyst could determine if this user was redirected to this site (opportunistic attack), was tricked into pressing on it (targeted attack), or was communicating with it for no reason – which raises the suspicion it is already infected and communicating externally with its command and control. In such a case network intelligence will be used to perform a broader investigation in order to identify possible data exfiltrations or potential lateral movement within the internal network. You could also tell if other employees in the organization have previously communicated with this URL, maybe even before the URL was known to be malicious.
The bottom line is that security intelligence is essential in order to stream the entire security process.
We live in the age of highly targeted attacks. Where do you see the information security industry focusing in the next 5 years to tackle this sophisticated threat?
The security landscape is huge and changing rapidly so I expect to see many changes in the coming 5 years. I will mention two of today’s traditional approaches that failed and how I expect them to change:
Log data is not enough: The SIEM approach is indeed valuable, but collecting logs and correlating them is still not enough in order to tell the whole story (not to mention that collecting the logs from all over the network is in itself a never-ending task). I believe that we will see a consolidation of SIEM solutions and network intelligence solutions into a single unified platform that will truly have 360-degree visibility.
Point-in-time detection is not enough: Today’s solutions are point-in-time products. If a threat passed your security solution – you have been breached and it may take you months before you realize it. Considering the fact that perimeter defenses are constantly punched (BYOD, cloud apps and the Internet of Things), I expect to see a shift towards continuous, post-detection solutions that go along with incident response routines. Contextual layer-8 analysis with long term retention will be the core technology for post infection capabilities. So if today we know about a new threat, whether it’s a malicious link in a targeted email or a virus, we will be able to re-scan past traffic, identify the compromised assets and prevent them from further spreading in our network.
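As an added illustration (not WireX code) of the two workflows described in this interview, the URL-filtering triage of the earlier answer and the re-scan of retained traffic for a newly learned threat mentioned here, the following Python runs both over a small set of constructed records; the record format, field names, thresholds and sample users are assumptions, not anything the page describes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of retained, indexed records (not real traffic):
# (time, user, kind http/email/chat, URL seen, HTTP referrer, redirect target?)
BAD = "http://bad.example/dl"
RAW = [
    ("2015-03-02T09:00:05", "alice", "email", BAD, None, False),
    ("2015-03-02T09:03:10", "alice", "http", BAD, None, False),
    ("2015-03-02T10:15:00", "bob", "http", BAD, "http://news.example/story", True),
    ("2015-03-02T11:00:00", "carol", "http", BAD, None, False),
    ("2015-03-02T11:05:00", "carol", "http", BAD, None, False),
    ("2015-03-02T11:10:00", "carol", "http", BAD, None, False),
    ("2015-03-02T11:40:00", "dave", "http", "http://ok.example/", None, False),
]
FIELDS = ("ts", "user", "kind", "url", "referrer", "redirect")
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]

def appearances(records, url):
    """The 'simple query': every retained record mentioning the URL, oldest first."""
    return sorted((r for r in records if r["url"] == url), key=lambda r: r["ts"])

def classify_contacts(records, url, link_window=timedelta(hours=1), beacon_min=3):
    """Per user: 'redirected' (arrived via redirect from another site, opportunistic),
    'clicked_link' (URL was in an email/chat to them shortly before the fetch, targeted),
    'beaconing' (repeated fetches, no referrer, no preceding link: possible C2),
    'unexplained' (single fetch with no referrer and no preceding link)."""
    by_user = defaultdict(list)
    for r in appearances(records, url):
        by_user[r["user"]].append(r)
    verdicts = {}
    for user, recs in by_user.items():
        fetches = [r for r in recs if r["kind"] == "http"]
        if not fetches:
            continue  # URL only seen inside content, never actually visited
        links = [datetime.fromisoformat(r["ts"]) for r in recs if r["kind"] != "http"]
        first = datetime.fromisoformat(fetches[0]["ts"])
        if any(r["redirect"] and r["referrer"] for r in fetches):
            verdicts[user] = "redirected"
        elif any(timedelta(0) <= first - t <= link_window for t in links):
            verdicts[user] = "clicked_link"
        elif len(fetches) >= beacon_min and all(r["referrer"] is None for r in fetches):
            verdicts[user] = "beaconing"
        else:
            verdicts[user] = "unexplained"
    return verdicts

def retro_scan(records, new_iocs):
    """Re-scan retained traffic for newly learned bad URLs; return users whose hosts fetched them."""
    return sorted({r["user"] for r in records if r["kind"] == "http" and r["url"] in new_iocs})
```

The verdicts are only a starting point for the analyst: a 'beaconing' result says the pattern matches, not that the host is confirmed compromised.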