US health insurer Premera Blue Cross is the latest victim of a cyber-attack that may have exposed medical data and financial information of 11 million customers. According to the breach disclosure statement issued by the company, it detected the attack on 29 January, but admitted that the cyber-criminals may have had access to Premera's systems as far back as May 2014. This is the latest example of the havoc that poor visibility into network behaviour can wreak on an organisation. Without the proper tools and systems in place to continuously gather, process, compare and analyse network behaviour, IT security pros are destined for failure. The more network and security intelligence you have, the better you'll know how to tweak your security policies and corresponding tactics to best protect your organisation and your customers' data.
The reality is that few IT administrators have an accurate picture of what's really going on inside the network, and they lack the automated visibility and analytics tools that can quickly identify, interpret, and act on threats. Network visibility tools help security pros discover things about the network and user behaviours that had never been noticed before, and in turn help to bolster security policies. Here are four ways visibility can improve your security strategy.
1. Set a baseline for normal user behaviour. Every organisation's network traffic is different, based on its activities. That's why there's no one way to measure network traffic. The only way to detect anomalous, possibly dangerous activity is to understand what 'normal' looks like for you. By monitoring visualisation tools regularly, you'll start to understand your network's baseline. You will be able to notice spikes of irregular network activity that could serve as red flags for some new or different event. These events may not be bad, but identifying and researching them will give you more insight into your network.
2. Identify sensitive assets that might be targets. Smart visibility tools can help you learn from attack patterns, even on attacks that fail. They can tell you which of your servers receives the most network attacks, which users tend to be associated with blocked malware, and even what types of attack vectors are most commonly tried against your system. Good visibility tools highlight these trends for you, so you can adjust your policies to secure and restrict certain users, or harden the defences of targeted servers.
3. Block out the chatter that could distract from real threats. Most connected devices receive a constant stream of network chatter: anything from legitimate robots crawling through network space and security researchers scanning ports to automated malware scanning for new victims. Good visibility tools will help you identify this constant chatter, and allow you to block it more aggressively. Modern security appliances allow you to create auto-blocking policies. If your visibility solution shows lots of connection attempts to a specific port, for example, adding an auto-block policy can block the IP address trying to make that connection. Chances are, if someone is repeatedly trying to connect to an unsanctioned port or device, they are probably up to no good.
4. Find out what's working and what's not. You've set up policies on your security controls, segmented your internal network based on organisational roles, and added policies to restrict traffic on those networks. How do you know those policies work? Are there sneaky ways around those policies? Visibility tools can help you visualise network and policy flow. They can show you how particular types of traffic actually travel through your network, and which security policies that traffic hits. This helps you identify many potential policy mistakes you might have inadvertently made.
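The auto-block idea in point 3, sketched as an added example that is not from the article or from any vendor's product: it counts repeated connection attempts from one source to an unsanctioned port inside a sliding time window and returns the sources a policy would block. The log format, the sanctioned-port list, the threshold and the window are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the article): which ports are sanctioned, and how
# many attempts inside what time window count as "repeated".
SANCTIONED_PORTS = {25, 80, 443}
THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Constructed sample log, hypothetical "timestamp src_ip dst_port action"
# format, ordered by time. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 23 deny
2024-01-01T10:00:03 198.51.100.7 23 deny
2024-01-01T10:00:04 203.0.113.9 443 allow
2024-01-01T10:00:06 198.51.100.7 23 deny
2024-01-01T10:00:09 198.51.100.7 23 deny
2024-01-01T10:00:12 198.51.100.7 23 deny
2024-01-01T10:00:15 192.0.2.44 3389 deny
2024-01-01T10:05:15 192.0.2.44 3389 deny
truncated line
"""

def block_candidates(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: port} for sources that tried one unsanctioned
    port at least `threshold` times within `window`."""
    recent = defaultdict(deque)  # (src, port) -> timestamps still in window
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing
        stamp, src, port, _action = parts
        try:
            when, port = datetime.fromisoformat(stamp), int(port)
        except ValueError:
            continue  # unparseable timestamp or port
        if port in SANCTIONED_PORTS:
            continue  # normal traffic to published services is not chatter
        hits = recent[(src, port)]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()  # drop attempts that aged out of the window
        if len(hits) >= threshold:
            flagged.setdefault(src, port)
    return flagged

if __name__ == "__main__":
    print(block_candidates(SAMPLE_LOG))
```

The second source in the sample stays unflagged at the default settings because its two attempts are five minutes apart, which shows why the threshold and window need tuning against your own baseline.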
Many administrators do not have deep enough access to the network and security intelligence they need to make the right policy decisions for their organisation's specific needs. Visibility tools help identify what's really happening on the network, so you can make policy changes that reflect what your business actually wants to happen. Visibility tools translate your network behaviour into actionable intelligence that will help better protect your company's assets.
By Corey Nachreiner, director of security strategy and research, WatchGuard