Improving Network Security: Threat Detection
Detecting network security threats is tough, and network security analysts' jobs are getting tougher as threats and attacks become increasingly sophisticated. To fight back, security architects integrate more security and monitoring tools into the enterprise.
Chief information security officers (CISOs) not only want more tools, but they also want tools that work cooperatively, even across vendors. Discovery, forensics, and remediation all require correlation analysis among different tools that perform different functions.
Correlation analysis becomes easier when network security tools all get reliable access to relevant traffic at the same time. Enhance that traffic with context, and it can quickly make security analysts and the tools they use more productive.
What is context-aware data processing?
Context-awareness is the ability to extract knowledge from or apply knowledge to information. That definition may sound arbitrary and oversimplified, but at its core, this is the foundation of what context-awareness is. The depth of knowledge is what distinguishes the best context-awareness capabilities.
In the digital world, context-aware data processing takes data, applies intelligence, and produces greater insights. For example, open Google Maps to get directions and it picks up your location and indicates it with a blue dot on a map.
Based on previously collected information on your regular routes and the status of traffic in your area, it will tell you how long it will take you to get home from work and what traffic conditions are like. In well-traveled areas, it is amazingly reliable and accurate.
Google uses global positioning system (GPS) coordinates, Wi-Fi location services, traffic services, and your web browser's location information. The combination of that information, along with correlated knowledge, is what makes its context-aware insight so powerful.
Why is context-aware data processing important?
Imagine if Google Maps could not identify your location. You would have to know precisely where you are to determine the route to your destination. And getting to your destination would require following pre-defined instructions along the route rather than voice-guided turn-by-turn directions. Any route deviation could result in getting lost.
This probably sounds similar to using a paper map, where the data is provided without context and you are expected to supply the intelligence. Google Maps has context-aware intelligence, which makes it a superior choice for navigation over paper maps.
It almost always knows where you are, which means it knows when you have diverted and can quickly reroute you. It can even advise you to change course because it found an alternate route based on real-time traffic conditions.
Just as context-aware data processing matters for navigation, it matters in network security, too. Security and monitoring tools use network traffic to perform inspection, analysis, and correlation. Some security tools, like an intrusion detection system (IDS), look at session and application layer data, trying to find pattern matches against a database of threat signatures.
But not every tool is designed for every traffic flow. For example, email monitoring tools only need to receive email traffic. Before distributing network traffic to your tools, context-aware data processing applies its intelligence to network security traffic flows so that only relevant data is distributed to each security and monitoring tool.
Context-aware data processing involves more than simply identifying the type of application traffic. It is about understanding the context of users, devices, and locations, as well as applications. It is about filtering traffic by geography and removing duplicate packets before it reaches a monitoring tool.
Performing additional functions like this can be critical to network security monitoring, but it all starts with application intelligence.
Application identification problems – network security
Using port numbers can be helpful to identify applications. For instance, File Transfer Protocol (FTP) traffic generally uses Transmission Control Protocol (TCP) ports 20 and 21, Simple Mail Transfer Protocol (SMTP) uses port 25, and Hypertext Transfer Protocol (HTTP) uses port 80. Encrypted web traffic (HTTPS) uses port 443.
Traffic to those ports is generally FTP, SMTP, and HTTP/S application protocol traffic, respectively. Other applications sometimes use specific ports, like 1433 for Microsoft Structured Query Language (SQL) Server. While using port numbers to identify applications can be helpful, this approach also has problems.
Problem #1: An Uncommon Port Number is Used
The first problem with identifying application traffic by port number is that it could be inaccurate. Port numbers can be modified. For instance, a web server administrator may want to change the port from 80 to 8080 or maybe even run two webservers—one on port 80 and the other on port 8080.
The same can be done with FTP. FTP could be set up to listen on port 21 or port 5000. While administrators can use just about any available port for any application protocol, they generally do follow conventions. But what if you are monitoring for port 20/21 traffic and a hacker has opened a backdoor in your network to his FTP server listening on port 5000, or worse, he has set up his FTP server to listen on port 80 and transmit on port 443?
Problem #2: Port Numbers are Shared
The second problem with identifying application traffic by port number is that it could be inadequate. For instance, many email services use the same ports for their service. If you are monitoring network security traffic looking for threats within emails, it will be difficult to distinguish one provider's email traffic from another's.
Your company may use Office 365 for its email; however, company policy does not prohibit personal email use. But port-based application identification does not allow you to differentiate among email providers, making it very difficult to monitor only one or a few providers' traffic. The following is a list of some popular email services and the ports they use.
In addition to email ports, many web-based applications use port 80 for plain text traffic or port 443 for encrypted traffic, regardless of the functions they perform. With the massive number of cloud-based applications using ports 80 and 443, it is virtually impossible to identify the individual applications using these ports.
You may want to monitor back-office applications like Concur and Workday differently than Evernote or Skype, but with port-based filtering that is not possible: none of these popular cloud applications can be monitored separately using port number filtering.
Problem #3: Similar functionality by other applications
The third problem with identifying application traffic by port number is that you could miss alternatives. FTP used to be extremely popular to move files from one server to another. Today, there are numerous file transfer applications that perform services similar to FTP, such as Box, Dropbox, and Hightail.
And they all perform their functions over web traffic ports 80 and 443. If you are monitoring network traffic looking for internal exfiltration, you may want to monitor these services specifically. But filtering all destination port 80/443 web traffic and sending it to a data loss prevention (DLP) device is impractical, as it could overload the DLP with traffic that you do not want to monitor or inspect.
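As an added illustration of the three problems above (example code written for this edit, not from the original article), the Python below classifies constructed sample flows first by destination port and then by the first bytes the client sent, flagging flows whose protocol does not match the port's convention and using the HTTP Host header to tell the file-transfer services apart. The payload signatures and the host-to-application map are simplified assumptions, not a real application intelligence feed.

```python
import re
from collections import namedtuple

# Constructed flow record: destination port plus the first bytes the client sent.
Flow = namedtuple("Flow", "dst_port payload")

# Port-based identification, following the conventions listed above. HTTPS is TLS on the wire.
PORT_TABLE = {21: "ftp", 25: "smtp", 80: "http", 443: "tls", 1433: "mssql"}

# Payload-based identification: simplified, constructed patterns on the first client bytes.
# Real application intelligence uses many more clues (server banners, certificates, flow shape).
SIGNATURES = [
    ("ftp", re.compile(rb"^(USER|PASS|RETR|STOR|CWD) \S+\r\n", re.I)),
    ("smtp", re.compile(rb"^(EHLO|HELO) \S+\r\n", re.I)),
    ("http", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record header: handshake, version 3.x
]
# Constructed host-to-application map for the file-transfer services named in the article.
APP_HOSTS = {"dropbox.com": "dropbox", "box.com": "box", "hightail.com": "hightail"}
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)", re.I)

def identify_by_port(dst_port):
    return PORT_TABLE.get(dst_port, "unknown")

def identify_by_payload(payload):
    """Return (protocol, application). The application equals the protocol unless a
    further clue (here the HTTP Host header) narrows it to a specific cloud service."""
    for proto, pattern in SIGNATURES:
        if pattern.match(payload):
            if proto == "http":  # Problems #2/#3: port 80 is shared, so look deeper.
                m = HOST_HEADER.search(payload)
                host = m.group(1).decode("ascii", "replace").strip().lower() if m else ""
                for domain, app in APP_HOSTS.items():
                    if host == domain or host.endswith("." + domain):
                        return proto, app
            return proto, proto
    return "unknown", "unknown"

def classify(flow):
    by_port = identify_by_port(flow.dst_port)
    proto, app = identify_by_payload(flow.payload)
    # Problem #1: a recognised protocol on a port that convention assigns to something else.
    mismatch = proto != "unknown" and proto != by_port
    return {"port": by_port, "protocol": proto, "app": app, "mismatch": mismatch}

SAMPLE_FLOWS = [  # constructed for this example
    Flow(21, b"USER ftpuser\r\n"),                                      # FTP on its usual port
    Flow(5000, b"USER ftpuser\r\n"),                                    # FTP control channel on port 5000
    Flow(80, b"STOR report.zip\r\n"),                                   # FTP hiding on the web port
    Flow(80, b"GET /upload HTTP/1.1\r\nHost: www.dropbox.com\r\n\r\n"),  # file sync over plain HTTP
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),          # TLS ClientHello fragment
]

def audit(flows=SAMPLE_FLOWS):
    return [classify(f) for f in flows]
```

Only the plain-HTTP case can be narrowed to a named service here; for the TLS flow on port 443 the payload alone confirms only the protocol, which is exactly the gap the article says application intelligence must fill.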
Benefits of application intelligence
Accurate application intelligence goes beyond port numbers and uses a variety of contextual clues to identify known and unknown applications. While the contextual clues may be different, the outcome is similar to Google maps pinpointing your location on a map. A network visibility platform with application intelligence embedded has several key benefits.
Benefit #1 – It starts smart and gets smarter
An application intelligence feed comes with hundreds of application signatures built in, as well as a service feed to add new ones and keep everything up to date. This feed is similar to a threat intelligence feed from a security vendor, but the updates are application signatures rather than threat signatures. The feed will automatically build a signature for traffic it does not recognize.
Benefit #2 – You see the applications on your network
A visibility platform with application intelligence shows you what applications are on your network. A dashboard displays statistics, so you can see what applications are generating traffic, the amount of traffic, and the number of sessions contributing to the traffic volume. It also separates known and unknown applications. This can be incredibly useful in isolating and resolving security or performance issues.
Benefit #3 – You can filter application traffic and forward to specific tools
To be useful, application intelligence must be actionable. Identifying specific application traffic and making forwarding decisions based on that traffic gives you control over the security and monitoring tools used to perform analysis.
Whether you have a specific type of application traffic you want to monitor constantly, or you want to analyze application traffic that looks suspicious, your visibility platform makes it easy to get specific traffic to a tool. Contact Musato Technologies to learn more about our ICT solutions and services that empower businesses.