SJUK sits down with Mark Jow, Technical Evangelist at Gigamon to discuss the security challenges of modern networks.
Modern organisations are achieving tangible ROI by investing in their digital infrastructure. Empowered by the scalability and flexibility of cloud and the competitive appeal of new technologies such as AI, many organisations now have hybrid cloud environments that combine on-prem, cloud, containers, and edge computing. However, as networks flex and extend to connect these different environments, complexity becomes an inevitable security challenge.
While organisations are adapting well to hybrid cloud, network security monitoring tools are struggling to work across different environments and to manage the massive increase in traffic and data. This leads to a plethora of blind spots within networks: earlier this year our research revealed that only 48 percent of organisations have insight into east-west traffic. This critical gap in network visibility is the biggest security challenge organisations face today – how to improve the signal-to-noise ratio so that network security teams have real-time awareness of all potential threats and suspicious traffic across their hybrid infrastructure.
To add to the confusion, some of the techniques employed to improve security within these complex networks make matters worse. Encryption, for example, is designed to maintain the integrity and security of data in motion and is used to protect between 90 and 95 percent of internet traffic. However, what was once the weapon of choice for increasing the security of data transfer is now providing a convenient solution for bad actors to conceal their nefarious activities, weakening an organisation’s security posture. Encrypted traffic allows malicious insiders to freely move around and exfiltrate data unseen, and over 90 percent of malware attacks now use encryption to evade detection.
The risk of these blind spots is clear: the Electoral Commission breach last year is a perfect example. The attack was purpose-built to evade its specific security controls, ultimately allowing bad actors to hide in its systems for 15 months. This meant that hackers had access to electoral registers, email and control systems for well over a year before anyone noticed. The longer a bad actor can hide in any organisation’s networks, the more damage they can do, but maintaining visibility over complex networks – especially those transporting encrypted traffic – is an ongoing challenge.
Decryption is expensive and complex, and consequently it’s often not practical for organisations to implement widely. Decryption usually takes place at the perimeter, breaking, inspecting, and then re-encrypting the traffic flowing through a firewall, an appliance, or a load balancer. On top of the expensive tooling, this approach demands a high level of configuration and key management, and consumes significant compute resources.
For smaller organisations, there simply are not the available resources or personnel to manage this task. For large enterprises, the networks are too vast and complex for decryption efforts to be affordable. In today’s highly encrypted networks, the cost adds up and network speeds slow down, and over two thirds of organisations are becoming resigned to their fate. The result is a landscape in which almost one in three successful breaches go undetected by IT and Security professionals and their expensive tools.
Data management strategies can certainly help network security teams to minimise redundant traffic inspection and identify which network packets should be prioritised. Application filtering can optimise decryption processes by prioritising the highest-risk traffic for security monitoring, while flow mapping ensures only the relevant data is sent to each tool. Application metadata intelligence, which determines and isolates only the necessary data sets for each packet, can reduce the data sent to each tool by up to 95%.
By deploying deduplication, network security teams can ensure that each network packet is only analysed once, and these strategies in combination can make investments in decryption go far further. However, without network visibility, organisations can never be sure of their network security. A more efficient and cost-effective decryption solution is required, and Precryption technology emerges as an exciting new alternative.
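As an added example (not code from the article or from Gigamon's products), the following Python sketches the deduplication and flow-mapping steps described above on a small constructed capture: packets seen by two hypothetical tap points are hashed on header fields plus payload, a second copy seen within a short window is dropped, a genuine retransmission outside the window is kept, and each surviving packet is forwarded only to the tools whose rule it matches. The tap labels, window size and tool names are assumptions.

```python
import hashlib
from collections import namedtuple
# One captured packet. 'tap' is the hypothetical capture point label; two taps
# on the same path (e.g. both sides of a firewall) see the same packet twice.
Packet = namedtuple("Packet", "ts src dst proto dport payload tap")

DEDUP_WINDOW_S = 0.5  # a second copy seen within this window is a duplicate, not a retransmit

def packet_key(pkt):
    # Identity of the packet on the wire: header fields plus payload.
    # Timestamp and tap are excluded so copies from different taps hash alike.
    h = hashlib.sha256(f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.dport}|".encode())
    h.update(pkt.payload)
    return h.digest()

def deduplicate(packets):
    # Forward the first copy of each packet; drop later copies inside the window.
    last_seen, unique = {}, []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = packet_key(pkt)
        seen_at = last_seen.get(key)
        if seen_at is not None and pkt.ts - seen_at <= DEDUP_WINDOW_S:
            continue
        last_seen[key] = pkt.ts
        unique.append(pkt)
    return unique

# Flow-mapping rules (assumed tool names): each tool receives only the traffic it analyses.
FLOW_MAP = {
    "tls_inspection": lambda p: p.proto == "tcp" and p.dport == 443,
    "dns_analytics": lambda p: p.proto == "udp" and p.dport == 53,
}

def flow_map(packets):
    return {tool: [p for p in packets if rule(p)] for tool, rule in FLOW_MAP.items()}

# Constructed sample capture (not real traffic): each packet is seen by two taps,
# plus one genuine TLS retransmission two seconds later.
SAMPLE = [
    Packet(0.000, "10.0.0.5", "203.0.113.7", "tcp", 443, b"\x16\x03\x01client-hello", "tap-A"),
    Packet(0.001, "10.0.0.5", "203.0.113.7", "tcp", 443, b"\x16\x03\x01client-hello", "tap-B"),
    Packet(0.010, "10.0.0.5", "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00example", "tap-A"),
    Packet(0.012, "10.0.0.5", "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00example", "tap-B"),
    Packet(2.000, "10.0.0.5", "203.0.113.7", "tcp", 443, b"\x16\x03\x01client-hello", "tap-A"),
]

def run_pipeline(packets=SAMPLE):
    # Deduplicate first so every downstream tool analyses each packet only once.
    unique = deduplicate(packets)
    return unique, flow_map(unique)
```

Running `run_pipeline()` on the sample reduces five captured packets to three unique ones, and the TLS tool receives only the two TCP/443 packets while the DNS tool receives one.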
“Precryption” technology is very simple. Instead of decrypting, analysing, and then encrypting traffic, it bypasses the need for any decryption or encryption at all. This new approach utilises capabilities in the Linux kernel to obtain plain-text traffic visibility before encryption occurs. This not only increases the speed of analysing encrypted traffic, but it also minimises compute power requirements, eliminates the need for key management, and allows security teams to experience all the benefits with none of the risks or design complexities. This innovative approach not only enhances threat detection but also provides a low-cost, low-CPU, straightforward solution for data centre operators.
In 2024 and beyond, organisations need to be realistic about the threat landscape and empower themselves with the intelligence to identify and stop threats within their network, rather than just focusing on the perimeter. The key to this lies in being able to deliver true traffic visibility North-South, East-West and for encrypted traffic.