On August 15, 2012, Saudi Arabia’s national oil and gas company, Aramco, suffered a debilitating cyberattack. More than 30,000 computers were rendered inoperable by the Shamoon virus. US Secretary of Defense Leon Panetta described this virus as the most destructive weapon ever used against the business sector. Network security is a growing problem in the IT industry today.
The very trends that have revolutionised users’ access to data are the same ones that are leaving networks vulnerable to attacks by cybercriminals. No single security product can fully defend against all network intrusions, but a smart combination of existing products can provide a more flexible solution.
Three recent trends in the IT industry have improved the efficiency and effectiveness of digital services: cloud computing, big data analysis and mobility. Cloud computing centralises data and makes it accessible anytime, anywhere. Unfortunately, it also provides cybercriminals with fewer, and more valuable, targets.
Big data analysis offers a sophisticated overview of complex information; however, such a wealth of sensitive information in a centralised location provides an irresistible target for cybercriminals. Mobility allows convenience; it permits users to access data on the network with different devices, such as mobile phones and iPads. But this severely compromises security as these devices do not have the same protections as the typical corporate laptop.
With increasing data availability, cyberattacks are becoming more common every year. The cost of these attacks to business, though declining from 2010 to 2011, is still high. According to the Ponemon Institute and Symantec Research, the average cost of a security breach in the United States was $5.5 million in 2011. Cybercriminals are becoming smarter, innovating new methods to penetrate defenses and often using several different kinds of attacks in combination.
For example, a hacker can utilise a distributed denial of service (DDoS) attack as a diversion for introducing malware into a network. In the case of the attack in Saudi Arabia, cyberterrorists utilised a virus in a spear phishing attack in an attempt to disrupt international oil and gas markets. There are many types of security appliances and solutions deployed in networks, each with its own specific focus. However, these solutions are rarely coordinated, which hackers exploit using a combination of attacks.
To defend against this successfully, some kind of coordination is required between the various security solutions so that a complete overview can be provided. But even this is not enough, as detecting zero-day threats (new attacks that have never been seen before) is very difficult. It is therefore necessary to also monitor how the network is behaving, to make sure that no attacks have penetrated the security solutions in place. Doing this successfully requires that all these solutions are capable of monitoring and reacting in real time.
Most networks already have monitoring appliances in place, such as a firewall, an Intrusion Detection or Prevention System (IDS/IPS) or a Data Loss Prevention (DLP) application. Some products consolidate these methods into one appliance, such as Unified Threat Management (UTM) devices and Next-Generation Firewalls. But single-point solutions can only ever address a part of the problem.
Another solution to network security uses the concept of Security Information and Event Management (SIEM) which is based on the centralisation of information from both network and security appliances to provide a holistic view of security. This is a real-time solution, constantly monitoring the network to detect any anomalies that might arise. That means that both the network and security appliances need to be able to provide data on a real-time basis to ensure that anomalies are detected the moment they occur. This, in turn, means that each of the appliances must be capable of keeping up with growing data loads and speeds.
One of the easiest ways of disrupting the security of the network is to overload the security and network monitoring appliances with a DDoS attack, rendering the centralised SIEM system blind: an appliance that drops packets or stops reporting under load produces no anomalies to correlate. This is a real threat if these appliances are not capable of operating at full throughput. By ensuring that they can, you remove another potential attack vector.
Intelligent adapters are used in both network monitoring and security appliances to guarantee full throughput under maximum load at speeds up to 40Gbps. Some adapters can scale network throughput and combine different port speeds, distributing data flows on up to 32 CPU cores. The data can then be intelligently distributed to one or multiple security or network monitoring applications running on the same physical server—all of this accomplished without compromising CPU performance.
The information from network and application monitoring applications can be used to build network behaviour profiles. Using these profiles, the operator applies real-time information on network and application usage to detect anomalies as they occur. These anomalies can then be compared with data from the security appliances to determine whether an attack is underway. The adapters let the monitoring and security applications run at full capacity, which is what makes such a multifaceted defence practical.
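As an added illustration (not code from the article or from any vendor's product), a minimal SIEM-style correlator in Python over constructed probe telemetry and IDS alerts: it learns a per-host flow profile from earlier samples only, flags a deviation, confirms it against a security-appliance alert for the same host within a time window, and reports a probe that has gone silent, which is how an overloaded monitoring appliance would appear from the SIEM's side. Hosts, probe names, thresholds and signature names are all constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry from network monitoring probes:
# (epoch seconds, probe, source host, new flows seen in that minute)
FLOWS = [
    (0, "probe-a", "10.0.0.5", 40), (60, "probe-a", "10.0.0.5", 42),
    (120, "probe-a", "10.0.0.5", 38), (180, "probe-a", "10.0.0.5", 41),
    (240, "probe-a", "10.0.0.5", 39), (300, "probe-a", "10.0.0.5", 900),
    (0, "probe-b", "10.0.0.9", 12), (60, "probe-b", "10.0.0.9", 11),
]
# Constructed events from a security appliance (IDS): (epoch, host, signature)
ALERTS = [(310, "10.0.0.5", "outbound beacon signature"),
          (50, "10.0.0.9", "port sweep signature")]


def flow_anomalies(flows, min_history=3, z_threshold=4.0):
    """Score each sample against the host's profile built from EARLIER samples
    only, so the anomaly itself cannot inflate the baseline it is judged by."""
    history = defaultdict(list)
    anomalies = []
    for ts, _, host, count in sorted(flows):
        past = history[host]
        if len(past) >= min_history:
            z = (count - mean(past)) / max(pstdev(past), 1.0)  # floor avoids /0
            if z >= z_threshold:
                anomalies.append((ts, host, count, round(z, 1)))
        past.append(count)
    return anomalies


def correlate(anomalies, alerts, window=60):
    """Pair a behaviour anomaly with any security-appliance alert for the same
    host within +/- window seconds. Two independent sources agreeing is the
    'attack underway' signal; either one alone is only a lead."""
    confirmed = []
    for ts, host, count, _z in anomalies:
        hits = [sig for ats, ahost, sig in alerts
                if ahost == host and abs(ats - ts) <= window]
        if hits:
            confirmed.append((host, ts, count, hits))
    return confirmed


def silent_probes(flows, expected, now, max_gap=120):
    """A probe that stops reporting (for instance because it is saturated by a
    DDoS) blinds the SIEM; treat its silence as an event, not as 'all quiet'."""
    last_seen = {}
    for ts, probe, _, _ in flows:
        last_seen[probe] = max(ts, last_seen.get(probe, ts))
    return sorted(p for p in expected
                  if now - last_seen.get(p, float("-inf")) > max_gap)
```

Run on the constructed data, the 900-flow minute from 10.0.0.5 scores far above the host's profile and is confirmed by the IDS alert ten seconds later, while probe-b, last heard from at t=60, is reported as silent at t=360.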
Cyberattacks on the world economy and infrastructure are becoming commonplace. The adoption of cloud computing, big data analysis and mobility have improved efficiency, but unfortunately they have also exposed critical vulnerabilities in networks. Utilising SIEM systems on standard servers with the right adapters enables OEM vendors to provide solutions that can respond immediately to any detected anomalies in the network. By combining network and security information into a more holistic solution, attacks—such as the spear phishing assault on Aramco—can be deterred.