As Breaches Become a Certainty, More Cyber Defense Focus Is Required Inside the Network

The composition of the hacker community has changed dramatically. A new generation of well-financed and technically expert bad actors has become highly proficient at breaching perimeter defenses.  According to one recent study, 90% of larger organizations in the UK have had a data breach.  And the percentage of companies breached in the US and elsewhere is quite similar, based on anecdotal information and other surveys.  Not only are the breaches often successful, but a larger problem is how long it takes to actually identify that a breach has occurred.  A Ponemon study shows that it takes an average of 256 days to identify that a breach has taken place.  The conclusion is unavoidable: breaches must be treated as a near certainty, even for organizations that believe they have a highly effective perimeter security strategy.
What’s more, both the number of “bad actors” and the severity of new threats are increasing.  There are two vectors causing this.
The first is that criminal insiders are now thought to be responsible for 55% of attacks, based on a recent study by IBM.  Essentially, the people who are supposed to be “trustworthy” and who have access to your systems behind the firewall are the ones instigating the breaches.  No perimeter defense can be truly effective in stopping this kind of threat.  Only intelligence and visibility inside the network can identify these events.
Second, hackers are constantly creating cleverer exploits designed to breach your cyber defenses. For example, research has identified eight specific hacker groups known to be using advanced persistent threats (APTs) to breach defenses, and they constantly release new malware to penetrate their targets’ cyber security. There is also an increasing use of socially engineered attacks that exploit publicly available information from social media to craft more convincing phishing attacks and even to spoof emails from “friends” or trusted parties. These attacks are very hard to defend against because, once a target is compromised, the attacker uses that target’s credentials and IT privileges to introduce malware inside the firewall.
With Breaches a Certainty, Inside Network Protection is a Requirement
Any responsible SecOps professional understands that, if perimeter breaches are a reality, then improving the cyber threat protection inside the network to quickly identify and remediate any malware is where the focus should be.  Clearly, the legacy approach of “building bigger walls” only leaves the organization vulnerable.
The good news is that while there are literally hundreds of approaches to breaching the perimeter, once inside the firewall, nearly all malware behaves in a fairly consistent manner, making it easier to spot.  Common activities include permission enhancement, backdoor access, lateral movement, data gathering, and data exfiltration.  This makes spotting active malware simpler since specific network activity can be used to identify a breach.  For example, if a specific piece of code is quickly propagating across all servers in East/West traffic, this may be evidence of the lateral movement stage.  Another scenario may involve the movement of large amounts of data outside of the organization to an unusual or unknown IP address. 
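The two scenarios above (rapid East/West fan-out and bulk transfer to an unknown external address) expressed as detection logic over flow metadata of the kind NetFlow/IPFIX exports. This is an added example, not Gigamon's code; the internal address range, the allow list of expected external peers, the thresholds and the sample flow records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Flow records shaped like unsampled NetFlow/IPFIX metadata:
# (src_ip, dst_ip, dst_port, bytes_sent, timestamp_seconds). All values constructed.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = {"203.0.113.10"}  # assumed allow list of expected external peers

SAMPLE_FLOWS = [
    # One workstation reaching SMB on five servers within seconds (East/West fan-out).
    ("10.1.1.50", "10.2.0.1", 445, 4000, 100),
    ("10.1.1.50", "10.2.0.2", 445, 4100, 103),
    ("10.1.1.50", "10.2.0.3", 445, 3900, 105),
    ("10.1.1.50", "10.2.0.4", 445, 4200, 108),
    ("10.1.1.50", "10.2.0.5", 445, 4000, 110),
    ("10.1.1.7", "10.2.0.1", 22, 12000, 120),            # routine admin SSH session
    ("10.2.0.3", "198.51.100.77", 443, 80_000_000, 200),  # bulk upload to unknown external IP
    ("10.2.0.9", "203.0.113.10", 443, 90_000_000, 210),   # bulk upload to an allow-listed peer
]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def lateral_movement(flows, min_hosts=5, window=60):
    """Internal sources reaching >= min_hosts distinct internal hosts on one port within `window` s."""
    events = defaultdict(list)
    for src, dst, port, _, ts in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            events[(src, port)].append((ts, dst))
    alerts = []
    for (src, port), hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide a window over the sorted timestamps
            hosts = {d for t, d in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, port, len(hosts)))
                break
    return alerts

def exfiltration(flows, max_bytes=50_000_000):
    """Internal sources sending more than max_bytes to one external address not on the allow list."""
    totals = defaultdict(int)
    for src, dst, _, nbytes, _ in flows:
        if is_internal(src) and not is_internal(dst) and dst not in KNOWN_EXTERNAL:
            totals[(src, dst)] += nbytes
    return [(s, d, b) for (s, d), b in totals.items() if b > max_bytes]
```

Both detectors only work if every flow is present: the lateral-movement check counts distinct destinations, so a sampled feed that drops two of the five SMB flows never reaches the threshold.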
To protect the organization, the inside network security architecture must support a number of capabilities, including:
  • Complete traffic visibility – To effectively find malware, visibility for all traffic is necessary.  Sampling traffic has drawbacks, most specifically missing malware if it is not part of the sample.
  • Consistent deployment – Malware may spread quickly or enter from different points in the network if backdoor access is accomplished.  To combat this scenario, a consistent method of deploying a comprehensive inside network security platform is necessary.  This should include all of the security solutions and appliances necessary for complete protection.
  • Security for both physical and virtual infrastructure – As the impact of virtualization and cloud increases, the security solution must be able to monitor and provide visibility for all traffic, including East/West virtual traffic between servers.  Security solutions tied to physical networks are not as effective.
  • Optimization of the security infrastructure – Every security appliance or solution is limited in how much traffic it can analyze. Sending it unnecessary traffic wastes that capacity. Further, the overhead of decrypting and re-encrypting protected data streams also limits the effective use of these appliances. Optimizing these solutions by delivering only the appropriate traffic to each of them is essential.
How Gigamon’s Security Delivery Platform Solves the Problem
The Security Delivery Platform (SDP) provides a single, comprehensive security architecture that enables you to consistently deploy and effectively use security solutions and appliances and empower them with full traffic visibility.  Ensuring full traffic visibility and monitoring enables the SecOps team to better identify malware more quickly.  The SDP ensures the optimal use of all security solutions and dramatically reduces the complexity and costs for providing protection for inside networks.
The SDP delivers six primary capabilities that form the basis for next-generation security architecture.  These include:
  1. Full traffic visibility for both physical and virtual environments, providing full protection even as workloads and applications become more mobile.
  2. SSL decryption and re-encryption performed by the SDP, removing that overhead from security appliances and improving service levels.
  3. Placement of specific security appliances and solutions where their use is optimized and where they can meet the demands of virtual and cloud infrastructure.
  4. Delivery of only the appropriate traffic to each security solution, so that none is overwhelmed with traffic and each is used in the most efficient manner possible.
  5. Generation of unsampled NetFlow/IPFIX metadata for better analytics and improved forensic capability.
  6. Support for both inline and out-of-band network security deployments on the same platform, with resource pooling and the ability to remove failed appliances from use.
The Gigamon SDP provides a security architecture that meets the present and future demands for cyber security as the focus of protection moves from just protecting the perimeter to also securing the inside network.  This approach simplifies many operational aspects of network security while optimizing costs and budgets by improving the efficiency of your security solutions.