Setting aside the people who think anti-virus software is the end game in security, when most people think of protecting their border they think of a firewall: rules that permit or block certain traffic entering and leaving the network. Climbing the ladder of the technologically savvy, you find individuals who understand that a firewall alone is not enough, so they add an intrusion detection system (IDS). They are getting closer to an effective solution, but a better technology is already reaching the mainstream.
Let’s start with what’s wrong with what we are using today.
Firewalls are still useful and definitely necessary. They are your first line of defense, and a properly configured and managed firewall will keep out a large percentage of the noisy, low-level threats on the Internet today. However, you still need to let legitimate traffic in and out of your network, and it is through those permitted ports and protocols that modern attacks enter and wreak havoc. A traditional firewall makes its decision on addresses, ports and connection state, not on what the traffic actually contains, so it cannot effectively tell good from bad on a port it has to leave open.
Intrusion detection systems are the next step up the security ladder. An updated and fine-tuned IDS will produce good alerts for your security analysts to review. The problem with an IDS is in how it presents its findings. By its nature, the IDS raises an alert for any traffic that may be malicious, so it is riddled with false positives. It takes an army of security analysts to handle the events properly, and those analysts must spend a lot of time triaging alerts manually. Fatigue and apathy are very real outcomes of this approach. It is difficult enough to spot malicious traffic under ideal circumstances; with faculties dulled by a stream of false positives, effectiveness plummets. Additionally, the rulesets need constant updating to detect the latest malware, and a signature-based system still cannot catch a zero-day attack for which no signature exists yet.
What else can you do?
Threat intelligence and sandboxing are the next generation of security operations technology, and they are available now. Vendors in this space gather intelligence on who is behind malware, what it does and how it operates. From there, their products detonate the files entering (and leaving) your network in a sandbox: an instrumented virtual machine, run across many combinations of operating system and application versions, in which the file is opened or executed and its behavior (processes spawned, files written, registry changes, network connections) is recorded and scored. Because the verdict rests on what the file does rather than on matching a known signature, previously unseen samples can be caught too. Vendors advertise false-positive rates under 1%, and the alerts come with readable reports you can put in front of management. The caveats a practitioner should keep in mind: the verdict is only as good as the behavior the sandbox can observe, so a sample that checks for virtualization or sleeps past the analysis window can slip through, and encrypted or password-protected files cannot be detonated without the key. Even so, these systems let you be definitively more secure with less staff and operate more efficiently across the board.
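As an added illustration, not code from the original post or from any vendor it alludes to, here is a toy version of the behavioral analysis a sandbox performs on a recorded execution trace. The event schema, the four rules, their weights and the two traces are constructed assumptions for the example; a real product observes far more behaviors, but the shape is the same: score what the file did, require correlated evidence before calling it malicious, and emit a report a manager can read.

```python
"""Behavioral scoring of a sandbox execution trace (constructed example).

The event schema, the four rules and their weights are assumptions made for
this illustration; they are not taken from any vendor product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    kind: str          # "process", "file", "registry" or "network"
    actor: str         # process that performed the action
    target: str        # child process, file path, registry key, or host:port
    detail: str = ""   # "write" for file events, arguments for processes, etc.


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr")

Finding = Tuple[int, str]   # (weight, human-readable explanation)


def office_spawns_script_host(events: List[Event]) -> List[Finding]:
    """A document viewer launching a script interpreter is a classic dropper pattern."""
    return [(40, f"{e.actor} spawned {e.target}") for e in events
            if e.kind == "process" and e.actor.lower() in OFFICE_APPS
            and e.target.lower() in SCRIPT_HOSTS]


def drop_and_execute(events: List[Event]) -> List[Finding]:
    """An executable written to a user-writable path during the run and then launched."""
    dropped = {e.target.lower() for e in events
               if e.kind == "file" and e.detail == "write"
               and e.target.lower().startswith(USER_WRITABLE)
               and e.target.lower().endswith(EXECUTABLE_EXT)}
    return [(30, f"executed freshly written binary {e.target}") for e in events
            if e.kind == "process" and e.target.lower() in dropped]


def run_key_persistence(events: List[Event]) -> List[Finding]:
    """Autostart via an HKCU/HKLM Run key."""
    return [(20, f"persistence via {e.target}") for e in events
            if e.kind == "registry" and RUN_KEY in e.target.lower()]


def raw_ip_beacon(events: List[Event]) -> List[Finding]:
    """Outbound connection to a bare IP address on a non-web port (no DNS, odd port)."""
    hits = []
    for e in events:
        if e.kind != "network":
            continue
        host, _, port = e.target.rpartition(":")
        if host.replace(".", "").isdigit() and port not in ("80", "443"):
            hits.append((25, f"outbound connection to raw IP {e.target}"))
    return hits


RULES = [office_spawns_script_host, drop_and_execute, run_key_persistence, raw_ip_beacon]


def analyze(events: List[Event]) -> Dict[str, object]:
    """Score a trace and return a verdict together with the evidence behind it.

    A single indicator (one odd connection, say) only rates "suspicious";
    "malicious" requires at least two independent behaviors. Demanding
    correlated evidence is what keeps the false-positive rate down compared
    with alerting on every indicator in isolation, as a signature IDS does.
    """
    findings = [f for rule in RULES for f in rule(events)]
    score = sum(w for w, _ in findings)
    if score >= 60 and len(findings) >= 2:
        verdict = "malicious"
    elif score >= 25:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"score": score, "verdict": verdict, "findings": [why for _, why in findings]}


def render_report(name: str, result: Dict[str, object]) -> str:
    """The management-readable summary: verdict first, then the evidence."""
    header = f"{name}: {str(result['verdict']).upper()} (score {result['score']})"
    evidence = [f"  - {why}" for why in result["findings"]]
    return "\n".join([header] + (evidence or ["  - no suspicious behavior observed"]))


# Constructed traces: a macro document dropping a payload, and a user simply
# saving a document. The address is from the TEST-NET-3 documentation range.
DROPPER_TRACE = [
    Event("process", "WINWORD.EXE", "powershell.exe", "-w hidden -nop"),
    Event("file", "powershell.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "write"),
    Event("process", "powershell.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"),
    Event("registry", "update.exe", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "set"),
    Event("network", "update.exe", "203.0.113.10:8443"),
]
BENIGN_TRACE = [
    Event("file", "WINWORD.EXE", "C:\\Users\\alice\\Documents\\report.docx", "write"),
    Event("network", "WINWORD.EXE", "updates.example.com:443"),
]

if __name__ == "__main__":
    for name, trace in (("dropper.docm", DROPPER_TRACE), ("report.docx", BENIGN_TRACE)):
        print(render_report(name, analyze(trace)))
```

Running the block prints a verdict and evidence list for each trace: the dropper scores on all four rules and is called malicious, the saved document triggers nothing and is benign, and a trace with a lone odd connection would come back only as suspicious for a human to look at. It also makes the evasion caveat concrete: if a sample detects the sandbox and exits without doing anything, the trace is empty and the verdict is benign, which is why the behavioral verdict should be one layer among several rather than the whole defense.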
There are lots of theories about what the future holds for our industry’s “best practices”.
- Machine learning can be applied to model what normal user behavior looks like, so the nefarious stands out against it.
- Big Data can help us sift through mountains of noise to find the signal.
- Analytics can cut across detection platforms and output data presentable and actionable to those of us who aren’t card carrying members of the pocket-protector brigade (sorry, math majors).
The common thread is the seemingly unattainable goal of automatically separating the normal from the abnormal. Doing more with less is a natural evolution of the industry, and one that must happen for us to truly become secure. For now, the best we can do as security professionals is keep our eye on the goal of protecting data, adopt the best tools at our disposal as they become available, and build multiple layers of defense.