With cybersecurity breaches happening at a relentless rate, it’s time to re-think how cybersecurity gets deployed, managed and addressed.
Traditional security analytics have been undertaken on network packets and logs, but as data volumes and speeds have increased, this has become too computationally demanding and expensive. Newer big-data analytics approaches use the larger context of the whole network to approximate the location of a possible network compromise.
This allows for more focused, in-depth security analysis as a second phase of the investigation. However, network context is hard to come by with sources spanning all parts of the network, the attached infrastructure and the plethora of user devices. Gigamon addresses this specific challenge by centrally generating and aggregating contextual information about network traffic and simultaneously sending it to the security analytics devices that can leverage the information.
How can you deliver network visibility and actionable security intelligence that will identify anomalies and defend against advanced targeted threats?
As the industry increasingly coalesces around looking within the network for malware, the focus has been on the growing sophistication of the security solutions themselves. Little thought has been given to the deployment architecture for such solutions, which leads to several of the challenges identified previously. This area has been largely under-served, yet it is fundamental to looking within the network for malware and breaches. To address the above challenges, a structured, platform-based approach is required that delivers traffic visibility to a multitude of security appliances in a scalable, pervasive, and cost-effective manner.
The solution should encompass the following components:
- Deliver traffic visibility from physical and virtual environments consistently even when users, devices, and applications are
- Take out the guesswork on where to place security solutions, i.e., eliminate the dependence on identifying static choke points within the network, especially in today’s dynamic environments characterized by user/device/application mobility.
- Provide a solution to decrypt encrypted communications so that security tools can detect malware that leverages encrypted communication channels, while at the same time ensuring that sensitive information is not compromised.
- Provide the ability to deliver just the relevant traffic streams to the specific types of security appliances. For example, an email security solution need not see YouTube traffic. Sending only relevant traffic allows the security solutions to function more effectively and waste less bandwidth and resources processing irrelevant information.
- Generate detailed flow and session intelligence based on actual traffic, not just a sample of the traffic.
- Support inline and out-of-band network security deployments from the same platform, while providing the ability to load balance both inline and out-of-band security appliances and to bypass inline security appliances in the event of failure.
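The list above describes three mechanisms that a visibility layer combines: building flow records from every packet rather than a sample, steering only the relevant traffic class to each tool group (an email tool never sees web traffic), and load balancing across appliances with fail-open bypass for inline tools. The following Python model is an added illustration written for this page; it is not Gigamon's code or product logic. The packets, port-to-application mapping, tool group names and steering policy are all constructed for the example, and the classification by destination port stands in for real application identification.

```python
"""Toy traffic-steering model for a visibility layer: build flow records from
every packet (no sampling), classify each flow, and fan it out to the right
security tool group with flow-affine load balancing and inline bypass on
failure. All packets, ports, tool names and policy entries are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample packets (5-tuple plus payload size); not captured traffic.
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51000, "dport": 25, "proto": "tcp", "bytes": 600},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 51000, "dport": 25, "proto": "tcp", "bytes": 1400},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "sport": 52000, "dport": 443, "proto": "tcp", "bytes": 900},
    {"src": "10.0.0.7", "dst": "198.51.100.20", "sport": 52000, "dport": 443, "proto": "tcp", "bytes": 5200},
    {"src": "10.0.0.9", "dst": "192.0.2.44", "sport": 40000, "dport": 53, "proto": "udp", "bytes": 80},
]

# Port-based classification is a placeholder for real application identification.
APP_BY_PORT = {25: "email", 587: "email", 993: "email", 80: "web", 443: "web"}

# Steering policy: which tool groups see which traffic class (hypothetical names).
# The email tool group is never sent web or other traffic.
POLICY = {"email": ["email-security"], "web": ["ids"], "other": ["ids"]}


@dataclass
class ToolGroup:
    name: str
    inline: bool                       # True: in the forwarding path; False: receives a copy
    members: list[str]
    down: set[str] = field(default_factory=set)   # appliances that failed health checks

    def healthy(self) -> list[str]:
        return [m for m in self.members if m not in self.down]


@dataclass
class FlowRecord:
    key: tuple                         # (src, dst, sport, dport, proto)
    packets: int = 0
    bytes: int = 0

    @property
    def app(self) -> str:
        return APP_BY_PORT.get(self.key[3], "other")


def build_flows(packets) -> dict[tuple, FlowRecord]:
    """Aggregate every packet into its 5-tuple flow record; nothing is sampled."""
    flows: dict[tuple, FlowRecord] = {}
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        rec = flows.setdefault(key, FlowRecord(key))
        rec.packets += 1
        rec.bytes += p["bytes"]
    return flows


def pick_member(group: ToolGroup, key: tuple) -> str | None:
    """Flow-affine load balancing: hash the 5-tuple over the healthy members so
    every packet of one session reaches the same appliance. None if all are down."""
    live = group.healthy()
    if not live:
        return None
    digest = hashlib.sha256(repr(key).encode()).digest()
    return live[int.from_bytes(digest[:4], "big") % len(live)]


def steer(flow: FlowRecord, groups: dict[str, ToolGroup]) -> dict[str, str]:
    """Return {tool group: appliance | 'bypass' | 'drop-copy'} for one flow."""
    decision = {}
    for gname in POLICY[flow.app]:
        group = groups[gname]
        member = pick_member(group, flow.key)
        if member is not None:
            decision[gname] = member
        elif group.inline:
            decision[gname] = "bypass"      # fail-open: traffic keeps flowing without inspection
        else:
            decision[gname] = "drop-copy"   # an out-of-band copy has nowhere to go
    return decision


if __name__ == "__main__":
    groups = {
        "email-security": ToolGroup("email-security", inline=True, members=["mail-1", "mail-2"]),
        "ids": ToolGroup("ids", inline=False, members=["ids-1", "ids-2"]),
    }
    for flow in build_flows(PACKETS).values():
        print(flow.app, flow.packets, flow.bytes, steer(flow, groups))
```

The bypass decision is the point worth noticing: an inline tool group with no healthy members fails open so the network stays up, which is why an inline deployment needs its own health checks and alerting, whereas losing an out-of-band copy degrades detection without touching forwarding.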
A Security Delivery Platform that addresses the above considerations provides a powerful solution for deploying a diverse set of security solutions, as well as scaling each security solution beyond traditional deployments. Such a platform would deliver visibility into the lateral movement of malware, accelerate the detection of exfiltration activity, and could significantly reduce the overhead, complexity, and costs associated with such security deployments (see Figure 4). In today’s world of industrialized and well-organized cyber threats, it is no longer sufficient to focus on the security applications exclusively. Focusing on how those solutions get deployed and how they get consistent access to relevant data is a critical piece of the solution. A Security Delivery Platform in this sense is a foundational building block of any cybersecurity strategy.