Problem solve Get help with specific problems with your technologies, process and projects.

Security for the outside and the inside: An integrated approach to network surveillance

Traditional network security products cannot be used effectively to protect enterprise networks from the inside.

Anil Sahai, Ph.D.

Up to 70% of security breaches come from inside a company's four walls. Any abuse and misuse of network resources, especially coming from insiders, introduces huge liabilities. According to the recently released "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector" conducted by Carnegie Mellon University in conjunction with the Secret Service National Threat Assessment Center, "Insiders pose a substantial security threat by virtue of their knowledge of and access to their employers' systems and/or databases, and their ability to bypass existing physical and electronic security measures through legitimate means."

In 30% of the cases studied, the financial loss was in excess of $500,000. In one case, the perpetrator caused a bank to lose over $600 million. In another case, a company impacted by a "logic bomb" consisting of malicious code triggered after a designated time or specified system action sustained a loss of approximately $3 million.

Insider network misuse also includes time spent on Internet surfing for non-business activities that result in productivity losses that are obvious but difficult to accurately measure. Recent research indicates that on average, employees spend up to an hour every day on non-business Internet surfing. For a company with 100 employees, that means 25,000 employee hours are wasted on non-productive activities each year! In addition, if the non-productive Internet surfing involves visits to porn sites, companies are also exposed to lawsuits. Or, if an employee downloads some other company's information illegally, the company has to deal with the financial and legal consequences.

Obviously, many situations, some malicious and others inadvertent, can cause a lot of misery if the enterprise network security is not managed adequately. Even though networks have become highly reliable over the years, network security challenges continue to grow, calling for an integrated approach to network surveillance.

Today, many network security products, including IDS/IPS systems, anti-virus software and firewalls, protect against security attacks originating from outside an enterprise. Unfortunately, since these conventional network security systems were primarily designed to handle viruses and/or unauthorized access attacks from unknown outsiders, these solutions cannot provide protection from threats that originate from the inside.

Outside-oriented network security solutions can typically detect malicious signatures in network traffic or suspicious activity on the network. However, with the increasing use of laptops and PDAs with wireless capabilities, enterprise network security can be easily compromised through a routine e-mail synchronization from a device that was infected with a virus at a public place with wireless access. Neither the virus infection at the public place, nor the virus transfer through the e-mail synch is likely to be intentional.

Additionally, with the growing use of USB memory cards, opportunities to inadvertently transfer viruses or copy illegal content to enterprise computers continue to grow, thus amplifying the challenges associated with effective enterprise threat management.

Traditional network security products cannot be used effectively to protect enterprise networks from the inside. In addition to viruses or unauthorized access, insider abuse and misuse of network resources also needs to be monitored and controlled to achieve a comprehensive solution to network security. Historically, to achieve a comprehensive outside/insider security solution, companies have used a combination of capabilities like monitoring, access control, bandwidth management, events logging, network traffic shaping, and traffic management based on network content, in addition to IDS/IPS systems, anti-virus software and firewalls.

Today, companies need to acquire a mix of several different hardware and software solutions to enjoy all these capabilities. This leads to complex network management, because such a strategy leads to complex network topology that is exacerbated by the difficulties associated with managing non-integrated solutions. More often than not, companies also need to employ additional network management professionals with expertise in these point solutions. All of this leads to a very costly solution that does not always work as promised by vendors or desired by CXOs increasingly driven by legal concerns regarding demonstrable compliance, security and privacy.

A surveillance solution that combines an integrated GUI to manage and control the access patterns of users, manages network content flow, and logs selected network traffic for possible auditing is required. With increasingly sophisticated hackers, it is simply impossible to identify or guess every possible virus signature. Similarly, it is not possible to identify every insider network behavior (anomaly) that could result in a security breach or other unplanned or unwarranted network incident.

Enterprise network managers need integrated network security systems that enable them to watch and control, but more importantly to record select network traffic for identifying the source of a security incident or attack. It is important to note that this solution is easier said than done. Due to the network's growing speed and traffic, simply logging every packet on the network can easily overwhelm any storage farm. Additionally, without "selective" processing, the vast majority of archived raw data can be readily classified as "junk."

Many of today's network-monitoring solutions produce loads of data that is very difficult to analyze for any productive purpose. The key to a functional network surveillance solution is to identify potentially interesting data, classify relevant network applications and archive only select network data at wire speed. This surveillance approach involves processing data in the network itself to root out unnecessary bytes and storing only relevant data. The result is more effective management of enterprise networks at a lower cost, compared to today's common practice of using several non-integrated point solutions.

About the author:
Dr. Anil Sahai is Executive Vice President and CTO of Procera Networks Inc. He can be reached at

This was last published in September 2004

Dig Deeper on Network Security Monitoring and Analysis

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.