Cybersecurity is Reactionary

Cybersecurity, by its nature, is reactionary. Much of today’s network security equipment is predicated on catching malware by comparing incoming network traffic against already-known malware signatures. Since the development cycle of network security devices (and signatures) necessarily lags behind the development of new hacking techniques, the developers of signature-based network defenses can never get out front. The problem with the signature-based approach is detection. Or, rather, lack thereof: when faced with a new threat for which there is no signature, antivirus, firewalls, IDSs and IPSs are ineffective.

Since the "good guys" are always playing catchup, our networks are always vulnerable in one way or another. You don't know the makeup of the attack that will get you or when it will come, but improving everyone's security is dependent on our ability to detect and identify the new exploits and techniques quickly, as well as pinpoint from where they came. Hackers are getting more sophisticated — cybercrime is now a lucrative criminal enterprise, sometimes state-sponsored — and more adept at hiding the workings of their malware and improving its ability to evade our automated defenses.

Using Netflow for Cybersecurity

In an alternative attempt to root out malicious communications, organizations with deeper pockets often use SIEMs to analyze netflow, which represents only a fraction of network data – much like guessing a letter’s contents from the address label. The netflow protocol originated in the 90s and it is essentially a way for networking equipment, such as routers, to summarize information on IP activity (from packet headers) and send it to a separate device (such as an SIEM) for processing. For example, a summary may state that 50 packets were received from a specific IP address and port number during a certain span of time. While of some use, netflow data does not help much when it comes to forensic investigation of a breach.

Surveillance is the Key to Effective Cybersecurity Strategies

The cybersecurity winners are those who can react the quickest to a breach or other adverse event. Because of this, at its heart, cybersecurity is dependent on cyber-surveillance: knowing what is happening on a network, what data and commands travel in and out, how and with whom equipment is communicating and what actions users take. In the cyberworld, the single most important cybersecurity hardware is the packet capture appliance, which is essentially the digital equivalent of a security camera, with the benefit of having no blind spots. Packet capture appliances provide the information necessary to reveal what was taken, when and how. No other network gear provides this information.

The data captured by packet capture appliances can make the difference between merely cleaning up a mess and learning how to prevent it from happening again. It allows incident response teams not just to isolate the problem and mitigate its effects, but also investigate and determine how the breach occured in the first place, which user actions endangered the network or which software / equipment vulnerability or misconfiguration let the hackers in. If it was Sam in HR who started it all by looking at cute kitten pictures online, the packet capture data will let you know. It is also a highly effective tool for testing the thoroughness of the mitigation and recovery efforts after the fact, gathering any tell-tale communications that may remain between the hacker and any lingering malware on your system.

So, What is Cybersecurity?

Physical security is familiar and the need for it has largely been internalized. Companies purchase and install surveillance cameras, locks and keys and hire security guards without a second thought. When physical theft does occur, the damage is usually limited to what a burglar can physically carry off. Since physical security deals with tangible objects, it is easy to see what was taken and how.

The cyberworld, however, is much, much different. Cybersecurity deals with intangibles and with today’s internet connection speeds, once a bad guy gets in, he can make a copy of everything within several hours and vanish, with the network administrator none the wiser (it is unlikely that the hacker would leave a note, elaborating the crime). In a hack attack one’s computer actually becomes a silent accomplice to the hacker, receiving and executing malicious code.

Cyber attacks unfold through sequences of bits and bytes that command computers to, for example, transmit, modify or delete data. One bit or byte looks very much like another and the number of possible combinations of code infinite, which makes identifying and stopping the bad network traffic difficult. Further compounding the issue of identification is that while one sequence may constitute computer commands for one computer / OS, it appears as gibberish to another.

Many are of the mistaken belief that there is some holy grail of cybersecurity, some foolproof mechanism to keep the “bad guys” out. The reactionary nature of cybersecurity belies this belief and underscores the need for cyber-surveillance. Hackers put out new and different attacks each day and identified malware now numbers in the millions. With robust cyber-surveillance in place, a hacker may penetrate a network, but be detected quickly, allowing the network administrators to react expeditiously and effectively to protect the organization's data and IT infrastructure.

Cybersecurity is still a work in progress, but is best described as a process for monitoring network and internet traffic, coupled with analysis for the detection of bad actions (as oppose to bad “packets”). The reason hackers feel at home in corporate networks is because of an over-reliance on the old network security standbys (antivirus, firewalls, IDSs and IPSs) and a lack of surveillance. Surveillance is the foundation for security. In terms of cybersecurity it involves recording and timestamping all network activity; using computer-aided analysis of the recorded data to identify suspicious activity; and human review and cleanup. Even if an organization cannot afford to do analysis and review in-house, simply having the cyber-surveillance data and hiring out the rest simplifies incident response and potentially reduces overall costs and liabilities.