Yoram Ehrlich, VP of Products, Niagara Networks, discusses why prevention is better than cure when it comes to network security.
An ounce of prevention
Benjamin Franklin’s famous saying, ‘an ounce of prevention is worth a pound of cure’ is as good as it gets when considering network security. When facing intelligent, determined enemies, one must proactively address two key lynchpins well in advance – the technological and human factors.
Technologically, network architects can take a next-gen approach by pairing intrusion prevention and detection systems. However, a purely technological approach is insufficient.
Your staff is the often-underappreciated front line in the battle for network security. Your employees must be educated on how to avoid problems and how to respond when an issue arises.
Protect and detect
Intrusion prevention systems (IPS) and intrusion detection systems (IDS) can be deployed alone but are generally combined.
An IPS examines network traffic to identify threats and prevent access. The IDS is a network monitoring tool used to surveil network traffic in case a malware penetration has occurred. If malicious activity is detected, an automated warning is sent to the system administrator so that the source of the traffic can be blocked and the network secured.
There are a variety of IDSs, including:
- Network Intrusion Detection Systems (NIDS)
- Host Intrusion Detection Systems (HIDS)
- Signature-based IDS
To detect and identify malicious data packets, two types of detection methods are generally used.
The first type of detection method is signature-based detection. Malware has a signature or recognisable pattern that IDSs use to identify malicious data packets based on a database of signatures.
The other type of detection method is based on traffic heuristics or statistical anomaly detection, which measures parameters of behaviours established by tracking legitimate traffic over a period of time. If the parameters are violated, the IPS will take steps to protect the network.
Traffic heuristics are useful in detecting threats that are not yet known in the industry and do not have an identifiable signature. An IPS may be combined with an IDS to automatically protect your network from identified threats.
The key features of intrusion detection and prevention systems (IDPS):
- Comprehensive, automated detection capabilities – The IDPS should be as automated as possible and empower the security team to monitor and investigate alerts, tune detection capabilities and ensure that the system is not only looking for the latest threats but can deal with them.
- Abnormal behaviour detection mechanism – This capability uses smart algorithms to monitor network traffic and activity on a constant basis and to store and compare the traffic behaviour for specific days and hours. By studying ‘normal’ patterns and then comparing them against what may seem to be abnormal traffic activity for a similar or particular day of the week, time of the month, etc., the mechanism should notify security administrators when expected thresholds are exceeded.
- Security Information and Event Management (SIEM) – This module collects, logs and manages warnings and alerts. A SIEM is entirely out-of-band: typically it does not even process a copy of the data traffic directly, but logs metadata and alerts from other tools. It integrates and evaluates threat intelligence against known system weaknesses for better management and prioritisation of security controls.
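The two detection methods described above, signature matching and statistical anomaly detection against a per-day-and-hour baseline, as a small added example (not code from Niagara Networks or the article; the signature patterns, traffic volumes and the 3-sigma threshold are all constructed for illustration):

```python
"""Toy IDS logic: signature-based detection plus baseline anomaly detection.
Added example; every signature and traffic sample below is constructed."""
import re
import statistics
from collections import defaultdict

# Constructed signature database: name -> pattern searched for in payloads
SIGNATURES = {
    "dir_traversal": re.compile(rb"\.\./\.\./"),
    "sqli_tautology": re.compile(rb"'\s*OR\s+'1'\s*=\s*'1", re.IGNORECASE),
}

def match_signatures(payload: bytes):
    """Signature-based detection: return names of all signatures in payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(payload)]

def build_baseline(history):
    """history: list of (weekday, hour, volume) samples from legitimate traffic.
    Returns {(weekday, hour): (mean, population stdev)} for each time slot."""
    buckets = defaultdict(list)
    for weekday, hour, volume in history:
        buckets[(weekday, hour)].append(volume)
    return {slot: (statistics.mean(v), statistics.pstdev(v))
            for slot, v in buckets.items()}

def is_anomalous(baseline, weekday, hour, volume, z_threshold=3.0):
    """Anomaly detection: flag volume if it is more than z_threshold standard
    deviations above the learnt mean for that (weekday, hour) slot.
    Slots with no baseline are flagged so unseen times get reviewed."""
    if (weekday, hour) not in baseline:
        return True
    mean, stdev = baseline[(weekday, hour)]
    if stdev == 0:
        return volume > mean
    return (volume - mean) / stdev > z_threshold

# Constructed baseline: four Mondays (weekday 0) at 09:00 and 03:00, in MB
HISTORY = ([(0, 9, v) for v in (510, 495, 520, 505)] +
           [(0, 3, v) for v in (12, 10, 11, 13)])
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    print(match_signatures(b"GET /../../etc/passwd HTTP/1.1"))
    print(is_anomalous(BASELINE, 0, 9, 530))  # business-hours volume: normal
    print(is_anomalous(BASELINE, 0, 3, 400))  # large 03:00 transfer: anomalous
```

A real IDPS would be alerting on far richer features than one byte count per slot, but the structure is the same: a signature hit is deterministic, whereas the anomaly path only fires once traffic departs from what the baseline period taught it.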
A critical but often overlooked line of defence in protecting the network is the ability of the staff to prevent breaches. The most sophisticated ‘locks’ and ‘measures’ will be virtually powerless if someone ‘leaves the door open’ so to speak.
According to Verizon’s latest data breach report, 4% of recipients will click on any given phishing campaign – which means that if you have 100 employees, four of them will regularly invite cybercriminals directly into your organisation. The Anti-Phishing Working Group reported that there were more than 233,613 phishing reports in Q4 of 2017 alone.
Training staff to be aware of the variety of attacks and of their essential role in stopping them, as well as giving them precise instructions on what to do in case of a breach, is critical to complete an enterprise’s network security strategy.
In his Cybersecurity Business Report entitled Please Don’t Send Me to Cybersecurity Training, Steve Morgan lists offerings from several security awareness training vendors that provide training, simulations and network security related tips.
Your internal or external trainers and vendors should provide general IT training, best security practices and periodic extended training on new issues, system risks and counter-methods, periodic refresher courses, either in-person or online, and a brief test to check staff awareness and comprehension.
A good defence against network breaches includes preemptive action and actual breach prevention. These can be attained technologically with next-generation intrusion detection and prevention systems. At the same time – and even more critically – your entire organisation needs training in prevention and response methods.