Despite ongoing advances in datacenter perimeter defense, the bad guys are still getting in. Even worse, once inside they stay far too long before anyone notices. The global median “dwell time” (the interval between initial compromise and detection) currently stands at 101 days, according to FireEye’s 2018 M-Trends report. For the EMEA region, that value balloons to 175 days. That’s almost an entire school year.
While attackers lurk undetected in a network, they are in fact receiving an education: probing other systems for vulnerabilities, collecting data as it passes through the hosts under their control, stealthily moving around in and mapping out the network, uploading and installing more malware, and exfiltrating sensitive data. The longer the dwell time, the more opportunity attackers have to move laterally through the network, and the bigger the breach.
A strong perimeter isn’t enough
Of course, it’s best to prevent breaches in the first place, but as we pointed out above, perimeter defense alone isn’t sufficient. Using the deadbolts on the front door of your home is a good idea. Pairing that with a home security system is an even better one. Threat prevention and threat detection are complementary.
Longer dwell times lead to bigger breaches. Faster threat detection leads to earlier threat response and less damage to your network, data, and reputation.
One of the key components of threat detection is reputation analysis, which isn’t a new concept. Anyone who has spotted a shady foreign IP in a Wireshark or tcpdump capture and then looked it up has performed a rudimentary reputation analysis.
Reputation analysis, however, should be about more than IP addresses. Domain names and file hashes also need to be matched against the most up-to-date threat intelligence, for all traffic flows in the infrastructure, but especially those associated with lateral “East-West” or externally bound “North-South” communications that are anomalous, unauthorized, or non-conforming to network segmentation rules. Flows like these are typical signs of a compromised network.
Threat detection at cloud scale and complexity
For the threat detection needed by today’s hybrid datacenters, manual reputation analysis just won’t work.
Why? One word: scale. When multiple VMs can reside on the same physical server, and infrastructure-as-a-service (IaaS) platforms like OpenStack automate cloud infrastructure provisioning, configuration, and deployment, modern datacenters can easily become enormous. While large numbers of physical and virtual servers working in concert are what give modern datacenters and clouds their speed, efficiency, flexibility, and computing power, this proliferation also leads to VM sprawl: the inability to effectively manage – and by extension, secure – all the VMs in a network simply because there are too many of them.
What network and security pros need are threat detection solutions that are automated and scale to today’s datacenters, particularly the hybrid-cloud infrastructures of many enterprises. These solutions also need the intelligence to identify threats based on IP addresses, domain names and file hashes known to be associated with malicious activity. The quicker IT teams can prove (or disprove) a link between what looks abnormal and what is in fact malicious, the faster they can respond. Automating at least part of the investigative work needed to connect the dots – between, say, lateral traffic on an unusual port and a file hash that matches known malware – would go a long way toward cutting that long global median dwell time.
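To make this concrete, here is an added example (not Guardicore code, and not how the Centra platform is implemented) of the automated correlation just described and of the East-West versus North-South distinction made earlier: a small Python pass that walks constructed flow records, matches source and destination IPs, domains and file hashes against a constructed threat-intel set, checks East-West flows against a hypothetical zone-to-zone segmentation policy, and separates flows that are merely anomalous (policy violation only) from those that also carry a known-bad indicator. Every IP, domain, hash, zone and port rule below is made up for illustration.

```python
"""Toy reputation analysis over network flow records.
Added example, not Guardicore/Centra code: threat intelligence,
segmentation policy and flow records are all constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed threat intelligence (hypothetical indicators, not real IOCs).
BAD_IPS = {"203.0.113.45"}
BAD_DOMAINS = {"update-check.example.net"}
BAD_HASHES = {"3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"}

# Hypothetical datacenter layout: 10/8 is "ours" (East-West), anything else
# is outside (North-South). Zones are the segmentation units.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ZONES = {
    "web": ipaddress.ip_network("10.1.0.0/16"),
    "app": ipaddress.ip_network("10.2.0.0/16"),
    "db": ipaddress.ip_network("10.3.0.0/16"),
}
# Allow-list of (source zone, destination zone) -> permitted destination ports.
# Any East-West flow not matched here is non-conforming.
SEGMENTATION_POLICY = {
    ("web", "app"): {8443},
    ("app", "db"): {5432},
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    domain: Optional[str] = None     # from DNS/SNI/HTTP Host, if observed
    file_hash: Optional[str] = None  # SHA-256 of a transferred file, if observed


@dataclass
class Finding:
    flow: Flow
    direction: str   # "east-west" or "north-south"
    verdict: str     # "malicious" (known-bad indicator) or "anomalous" (policy only)
    reasons: List[str]


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def direction_of(flow: Flow) -> str:
    internal = [ipaddress.ip_address(ip) in INTERNAL for ip in (flow.src, flow.dst)]
    return "east-west" if all(internal) else "north-south"


def reputation_hits(flow: Flow) -> List[str]:
    """Match the flow's IPs, domain and file hash against known-bad indicators."""
    hits = []
    for ip in (flow.src, flow.dst):
        if ip in BAD_IPS:
            hits.append(f"ip {ip} is on the blocklist")
    if flow.domain and flow.domain.lower().rstrip(".") in BAD_DOMAINS:
        hits.append(f"domain {flow.domain} is on the blocklist")
    if flow.file_hash and flow.file_hash.lower() in BAD_HASHES:
        hits.append(f"file hash {flow.file_hash[:12]}... matches known malware")
    return hits


def segmentation_violations(flow: Flow) -> List[str]:
    """Flag East-West flows the zone policy does not permit."""
    if direction_of(flow) != "east-west":
        return []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    allowed = SEGMENTATION_POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return [f"no policy permits {src_zone} -> {dst_zone} traffic"]
    if flow.dport not in allowed:
        return [f"port {flow.dport} not permitted {src_zone} -> {dst_zone}"]
    return []


def analyze(flows: List[Flow]) -> List[Finding]:
    """Return one finding per flow that is anomalous, malicious, or both."""
    findings = []
    for flow in flows:
        rep = reputation_hits(flow)
        seg = segmentation_violations(flow)
        if not rep and not seg:
            continue
        verdict = "malicious" if rep else "anomalous"
        findings.append(Finding(flow, direction_of(flow), verdict, rep + seg))
    return findings


# Constructed flow records standing in for a slice of captured traffic.
SAMPLE_FLOWS = [
    Flow("10.1.0.10", "10.2.0.20", 8443),                       # web -> app, permitted
    Flow("10.2.0.20", "10.3.0.30", 445,                         # app -> db over SMB, bad hash
         file_hash="3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"),
    Flow("10.3.0.30", "203.0.113.45", 443),                     # db -> blocklisted IP
    Flow("10.1.0.10", "10.3.0.30", 22),                         # web -> db, no policy
    Flow("10.2.0.20", "198.51.100.7", 443, domain="update-check.example.net"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f"[{f.verdict:9}] {f.direction:11} {f.flow.src} -> {f.flow.dst}:{f.flow.dport}")
        for r in f.reasons:
            print(f"             - {r}")
```

The point of the two-tier verdict is the triage shortcut the paragraph above describes: a segmentation violation alone says “investigate”, while a segmentation violation plus a hash or IP match says “respond now”. In a real deployment the indicator sets would come from a live feed and the flow records from sensors or flow logs rather than a hard-coded list.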
Key components of comprehensive threat detection
Of course, reputation analysis is only one piece of an adequate overall threat detection solution, but today’s best-of-breed datacenter security solutions, like the Centra platform from Guardicore, use sophisticated reputation analysis for rapid threat detection at scale. These offerings combine regular threat intelligence feeds and insights from expert security analysts with a large network of attack sensors to deliver automated, intelligent reputation analysis.
Together with the other components of a robust threat detection platform, like cutting-edge deception techniques and policy-based threat detection via fine-grained network segmentation policies, the early-warning benefit of cloud-scale reputation analysis gives IT pros the rapid response times they need to quickly detect, analyze, contain, and halt intruders.
As we said earlier, reducing the damage of network intrusions is a race against time. Threat detection which includes robust reputation analysis gives the good guys a much-needed head start when perimeter defenses get breached.