
Latest network security threats prompt one question: 'Are we next?'

After the latest wave of attacks, including the most recent on Sony, network security pros are losing sleep. Can new platforms stop today's network security threats?

This article can also be found in the Premium Editorial Download: Information Security magazine: Insider Edition: Advanced security monitoring scrubs networks clean

It takes only a cursory glance at the news to realize that malware, data breaches and other information security threats have expanded exponentially in the last three to five years. Hardly a week goes by before another high-profile, multimillion-dollar hacking incident goes public. Take your pick: Target, eBay, Home Depot, JPMorgan Chase, Sony, and even the U.S. Postal Service. The list goes on.

And while cyberattacks rarely target network devices, vulnerable networks are regularly exploited by cybercriminals during these incidents to transport malicious traffic or stolen data. Behind the scenes are the IT pros who must grapple with government-sponsored hacks from countries such as China, Iran, North Korea and, lately, Russia, in addition to for-profit hackers with ties to organized crime and, yes, people who decide to break into a network just because they can. It's an environment that has propelled networking and security teams to work closer together so they can answer a seemingly basic question with more certainty: Is the network safe?

Ron Grohman, a senior network engineer at Bush Brothers and Company, makers of the popular Bush's Best baked beans in Knoxville, Tenn., says that, faced with all of the recent threats and attacks, he's not taking any chances.

That's why he doesn't rely on just one security product to protect the company from network security threats. Grohman uses a mix of Cisco ASA 5525-X firewalls with the Sourcefire URL filter, FireEye's Web Malware Protection System (MPS) 1310 to look for suspicious malware and Symantec antivirus software as a final backup.

Grohman says he uses the products from Cisco and Sourcefire -- which Cisco acquired in 2013 -- mainly as a firewall and URL filter to manage Web traffic. The FireEye product was placed on the network to do anomaly-based detections. If the FireEye platform detects suspicious malware, the software blocks the malware and sends an alert to Grohman, who refers the incident to a member of the help desk, where the malware is removed. The Symantec software catches HTTPS traffic and serves as a last line of defense before anything reaches the endpoint.

"I double- and triple-up," he says. "No one product is perfect, and I'm OK with multiple systems checking things, especially if it's going to protect the network."

At a Fortune 500 company, there might be dozens of networking and security personnel who are cross-trained in each other's disciplines and work jointly on network security. Not so at Bush Brothers, a private medium-sized company. Grohman works as one of eight members of the infrastructure team -- and he's the only one with security credentials. To augment his background in networking, he completed the CISSP course from ISC2 last fall, and he earned the Cisco Certified Network Professional certification last spring. Grohman also earned a degree in information security several years ago from ITT Tech.

[Figure: The new network security architecture (Shackleford 2014)]

"All the security work falls on me," he says. "People would come to me and ask if the network was secure, and all I could say was, 'I think so,'" he says. "It bothered me that I didn't know for sure if everything was safe. So that's why we added all those extra layers."

That kind of uneasiness is common among network and security managers today. But it's also an approach that Frank Dickson, research director for information and network security at Frost & Sullivan, says is understandable.

"There's really no single silver bullet," he says. "No matter what the vendors say, malware will inevitably get through. Remember, a zero-day attack, by definition, exploits an unknown vulnerability. Defending oneself from the unknown is challenging."

Dickson says there has definitely been a shift in the security landscape away from relying solely on traditional antivirus software, which would create signatures for previously undiscovered malware only after a breach had been detected. Today, products such as Sourcefire from Cisco, FireEye, and Palo Alto Networks' WildFire and Traps tools take a much more proactive approach.

"The industry is moving to the use of more behavior-based approaches, such as testing the behavior of suspicious files in a quarantined, virtualized environment or utilizing big data analytics to monitor network traffic to establish a baseline and look for significant anomalies," Dickson explains.

Protection versus prevention

Conventional wisdom and the sheer reality of today's network security threats may dictate an approach like the one used at Bush Brothers. But Golan Ben-Oni, chief information security officer at telecom, banking and energy company IDT Corporation in Newark, N.J., doesn't buy it. He says there has to be more of a focus on stopping the bad guys, not merely responding to attacks after the fact. The industry has been caught in a mode of believing that it's only a matter of "when" they will be hacked, he contends, as opposed to "if" they will be hacked. Ben-Oni says that's defeatist.


"If you say we're giving up on prevention, you're then essentially saying you've given up," he says.

IDT uses a combination of three products from Palo Alto to protect its network: WildFire network detection software; Traps, which Palo acquired from Israel-based Cyvera last year for endpoint protection; and Global Protect, which lets IDT extend the benefits of WildFire and Traps to mobile devices and computers that leave the office.

Here's how they work in concert at IDT: Traps is always on the lookout for malware on the endpoint. If Traps detects that a zero-day attack or some other anomaly has entered the network, it will communicate that to WildFire, which will then run an analysis. Once it confirms that the activity is in fact malware, WildFire will block and remediate the malware. WildFire adds another level of protection in that once it detects malware, both the endpoint and the network (via the Palo Alto firewall) are protected. The network will not allow the malicious traffic to flow through, and if the file should be introduced by some other means -- for example, via a USB flash drive or local file copies -- Traps will block its execution.

In the past, Ben-Oni says, by the time the IT staffers detected malware, disconnected the computer from the network and uploaded the file to the antivirus lab, it could take 24 hours for them to write a signature. IT teams don't have that kind of time today.

"Traditionally, all of this was done manually and now it happens in near real-time," Ben-Oni says. By avoiding the need to bring people into the process, the risk of lateral infection is greatly reduced, he explains. Hackers use automation, so the only way for companies to level the playing field is to also use automation, Ben-Oni adds.

That's a really important point, says Dan Polly, enterprise information security officer at Cincinnati-based First Financial Bank, which operates more than 100 banking locations in Indiana, Kentucky and Ohio.

First Financial uses Cisco Advanced Malware Protection (AMP) for endpoints and the network, which lets the company do rapid-fire malware analysis. If AMP detects malware, it pushes the suspect file into a portal, which acts as a sandbox in which the software runs an analysis to determine the extent of the threat.

"The thing to remember is that before these tools were available, you would need someone to analyze that malware in-depth, which required a person with some extensive programming and security skills," Polly explains. "Now, we're able to automate some of that, which saves time and gives us the ability to block the threat much faster."

Much like IDT's Ben-Oni, Polly sees a great benefit to working with a single vendor that offers multiple capabilities. Along with the AMP product, the company's security engineering team uses a combination of Cisco ASA and Sourcefire next-generation firewalls, which he says not only perform traditional firewall functions, but also support intrusion detection and prevention and URL content filtering. Polly also likes that through development and acquisition, Cisco has invested in Talos, the company's security intelligence and research group. Talos fields a team of researchers who analyze threats and spend their days looking to improve Cisco's security products.

"With an extensible platform, it cuts the time we can address any emerging threats," Polly says. "There's no question that the security industry goes in phases; there are times when best-of-breed was the only choice, [but] now it seems to be going back the other way to single source with multiple capabilities."

Network and security teams evolve

For years, information security and networking teams worked in different departments and, in some cases, competed with each other.

FireEye CTO Dave Merkel says the current threat landscape has changed that dynamic.

"Today, security must be woven into the fabric of the organization," he says, adding that the security and networking teams must work more in partnership.

Scott Harrell, vice president of product marketing in the Security Business Group at Cisco, agrees that collaboration between the two disciplines will be critical to combat more advanced threats.

"While the two groups can still have division of roles, I think it will move to a point where the security group is more involved in developing the network architecture, and the networking staff will handle Tier 1 security calls while the Tier 2 and Tier 3 alerts go to more experienced security pros," he says.

Golan Ben-Oni, chief information security officer at IDT Corporation, says all the teams within IT work together at IDT.

"At our company, everyone gets cross-trained in all the different computing disciplines," he adds.

About the author: Steve Zurier is a freelance technology journalist based in Columbia, Md., with more than 30 years of journalism and publishing experience. Zurier previously worked as features editor at Government Computer News and InternetWeek.

This was last published in February 2015
