Keysight Technologies: How can I reduce network security risk – Part 2

Step 2 – Quickly Find and Remediate Discovered Network Intrusions

I recently wrote a blog post, Find Your Security Vulnerability Before Hackers Find It For You, and wanted to come back and explore the three steps I outlined there in more detail. This post examines step 2 of that three-point plan.

Step 2 is to detect intrusions on your network and resolve these issues quickly. The sooner you find the problem, the safer you are. This is extremely important because the Ponemon Institute finds every year that it takes far too long to identify vulnerabilities on the network. For example, the Ponemon Institute’s 2021 Cost of a Data Breach report found that it took companies an average of 287 days to identify and contain a data breach. That’s over 2/3 of a year – giving a bad actor plenty of time to find what they want and then exfiltrate that data.

While part 1 of the plan is to prevent as many intrusions as possible, SOMETHING will unfortunately get past your defenses. Call it Murphy’s Law, call it Chaos Theory, call it what you want, but something nasty is going to happen – whether you know it or not. This is when you need threat hunting activities.

However, for a threat hunting tool to be effective, it must see ALL the data. Seeing one or more parts of the data is not enough. The tool needs everything, or else it will miss intrusions. That’s why you need to deploy taps at critical points in your network, then aggregate and filter that traffic so your security tools (IDS, DLP, SIEM, etc.) get exactly the right data at the right time and can correctly report any anomaly or suspicious activity. The combination of tap and packet broker gives you the visibility you need to keep your security tools performing as well as possible.

At the same time, you also need lossless visibility. You don’t want to add just any packet broker. By design, some packet brokers drop packets – that is, they “lose” data. You could miss up to 60% of your security threats without even knowing it.

One of the fundamental reasons is the way the data is processed. A common method is to use a general-purpose processor to implement high-end features such as deduplication. However, that processor can become overloaded and drop packets, or miss certain types of packets entirely. This is where you need a packet broker that uses FPGA chips to process data at line rate. This design decision becomes even more important as network speeds increase from 10 Gb/s to 40 and 100 Gb/s. Data loss at these speeds becomes a serious vulnerability in the architecture. There is a white paper here on the importance of lossless visibility, or you can watch a video if you want more information on this topic.
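A defender does not have to take a vendor's word for "lossless": the visibility path can be measured. The following Python check is an added example, not code from this post or from any Keysight product. It compares two independent signals for a tap-to-broker-to-tool path: the packet counters on the broker's ingress port versus the tool-facing egress port, and gaps in TCP sequence numbers in a capture taken at the tool, which reveal segments the monitoring path dropped even when counters look clean. The port names, counter values and TCP segments are constructed sample data; real NPB counter names vary by vendor, and the sequence check ignores 32-bit wraparound for brevity.

```python
"""Is the tap -> packet broker -> security tool path actually lossless?

Two signals are combined:
  1. Counter-based: packets received at the broker ingress vs. packets that
     reached the tool-facing egress port over the same interval.
  2. Stream-based: holes in the TCP sequence space of one flow direction seen
     in a capture taken at the tool. A hole means the tool never saw those
     bytes, regardless of what the counters claim.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortCounters:
    name: str          # constructed port label, not a real vendor counter name
    rx_packets: int    # packets handled on this port during the interval
    dropped: int       # packets the device itself admits discarding here


def loss_ratio(ingress: PortCounters, egress: PortCounters) -> float:
    """Fraction of packets that entered the broker but never reached the tool."""
    if ingress.rx_packets == 0:
        return 0.0
    lost = max(ingress.rx_packets - egress.rx_packets, 0)
    return lost / ingress.rx_packets


@dataclass(frozen=True)
class Segment:
    ts: float      # capture timestamp (seconds)
    seq: int       # TCP sequence number of the first payload byte
    length: int    # payload bytes carried by this segment


def sequence_gaps(segments: List[Segment]) -> List[Tuple[int, int]]:
    """Return (expected_seq, observed_seq) for every hole between consecutive
    segments of a single flow direction. Retransmissions and overlaps are
    tolerated because they never advance past the expected sequence number."""
    gaps: List[Tuple[int, int]] = []
    ordered = sorted(segments, key=lambda s: s.seq)
    for prev, cur in zip(ordered, ordered[1:]):
        expected = prev.seq + prev.length
        if cur.seq > expected:
            gaps.append((expected, cur.seq))
    return gaps


def visibility_report(ingress: PortCounters, egress: PortCounters,
                      segments: List[Segment], max_loss: float = 0.0) -> Dict:
    """Combine both signals into one verdict. max_loss is the tolerated
    counter-based loss fraction; 0.0 means 'truly lossless or fail'."""
    ratio = loss_ratio(ingress, egress)
    gaps = sequence_gaps(segments)
    admitted = ingress.dropped + egress.dropped
    return {
        "loss_ratio": ratio,
        "admitted_drops": admitted,
        "sequence_gaps": gaps,
        "lossless": ratio <= max_loss and admitted == 0 and not gaps,
    }


# Constructed sample: one interval in which the broker quietly shed 2,500 of
# 1,000,000 packets, and a tool-side capture of one flow with a 500-byte hole.
SAMPLE_INGRESS = PortCounters("tap-aggregate-in", rx_packets=1_000_000, dropped=0)
SAMPLE_EGRESS = PortCounters("ids-tool-out", rx_packets=997_500, dropped=2_500)
SAMPLE_SEGMENTS = [
    Segment(ts=0.000, seq=1000, length=500),
    Segment(ts=0.004, seq=1500, length=500),
    Segment(ts=0.009, seq=2500, length=500),   # bytes 2000..2499 never arrived
    Segment(ts=0.012, seq=3000, length=100),
]

# Constructed healthy counterpart: counters agree and the stream is contiguous.
CLEAN_INGRESS = PortCounters("tap-aggregate-in", rx_packets=1_000_000, dropped=0)
CLEAN_EGRESS = PortCounters("ids-tool-out", rx_packets=1_000_000, dropped=0)
CLEAN_SEGMENTS = [Segment(0.0, 1000, 500), Segment(0.004, 1500, 500)]

if __name__ == "__main__":
    for label, ing, egr, segs in (("lossy", SAMPLE_INGRESS, SAMPLE_EGRESS, SAMPLE_SEGMENTS),
                                  ("clean", CLEAN_INGRESS, CLEAN_EGRESS, CLEAN_SEGMENTS)):
        print(label, visibility_report(ing, egr, segs))
```

Run periodically against real counters and a short tool-side capture, the report turns "we might be missing up to 60% of threats" into a number the SOC can alert on: a non-zero loss ratio or any sequence gap means the tool's verdicts are being made on incomplete evidence, and the broker, not the tool, is the weak link.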

Rest assured that Keysight taps, bypass switches, and NPBs provide the visibility and confidence you need to see EVERYTHING on your network — every bit, byte, and packet. Once you have this level of visibility, threat hunting tools and security information and event management (SIEM) systems can proactively search for indicators of compromise (IOCs). In the third and final part of this blog, I’ll discuss step 3 – how to test your defenses to make sure they actually detect and block threats.

See for yourself how Keysight’s solutions can dramatically improve your enterprise security architecture!

Kevin M. Risinger