Security / October 1, 2017

Visibility Is Key to Security and to Outsmarting the Smartest Malware

Welcome to National Cybersecurity Awareness Month (NCSAM). In its 14th year, NCSAM is designed to educate and create awareness around cybersecurity, and at Gigamon, we’re starting the month off with practical advice on how to improve online safety today and into the future.

Given the massive number of cyberattacks that have affected businesses, human lives and possibly even election results this year, online safety should be a top priority for individuals and organizations alike. Unfortunately, no matter how safe you try to be, it only takes letting your guard down once to be caught. For example, it could be the end of a tiring week when you want to get home and that email looks like it’s from your boss, but turns out to be something far more sinister. Or it could be an innocent visit to a legitimate website that’s been infected and now infects you.

Of course, your organization’s information security department can help by ensuring that basic protection tools such as antivirus and email protection are in place. However, what happens when you click on personal email on that bring your own device (BYOD) at home? Or when malware from an infected website changes your Domain Name System (DNS) settings and begins taking you to malicious websites?

Though malware is getting smart at evading detection – it goes quiet when it thinks someone is looking for it – it can’t hide its external communications and behavior. So, why not simply watch all device behavior on a network? The problem with that approach is data volume. There is so much data traversing networks today that it is nearly impossible for security tools to see and handle it all.

Imagine a road with overloaded toll booths. Now, to accommodate an increase in traffic, imagine doubling the number of lanes into those toll booths. That’s what’s happening with security tools. Only, for security tools, it’s even worse. Multiple sets of tools are checking the same traffic for different things and creating an incredible number of alerts of which only a fraction need attention. To further compound the problem, encrypted traffic often goes uninspected.

While Security Information and Event Management (SIEM) systems can help sort through the noise to uncover real problems, it takes considerable time and processing to produce results of value. There is a better way to deliver network and application security – and that’s with a visibility platform. The GigaSECURE® Security Delivery Platform covers all the routes across your network, including cloud. It includes built-in decryption, so you can see 100 percent of traffic, and metadata generation, so you can more quickly and precisely identify issues, especially when used with a SIEM such as Splunk Enterprise Security.

For example, take DNS hijacking. This is where a website address, such as, is hijacked and instead of ending up at the real site, you arrive at a website that looks the same, but is actually a malicious one designed to capture passwords.

DNS hijacking is a risk to both the individual and the organization. Security operations teams should restrict DNS resolution in their enterprise to known-good resolvers only. That is not an easy task, especially when DNS goes through several layers of recursion. However, using URL and IP metadata generated by the GigaSECURE Security Delivery Platform, you can easily correlate and identify when a DNS resolver’s IP has been altered and take action quickly.
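The check described above, written out as an added example (this is not Gigamon code and not the GigaSECURE metadata format): it takes per-query DNS metadata records, flags queries sent to a resolver outside an approved allow-list, and reports the moment a client’s resolver changed from the one it used before. The record fields, the approved resolver addresses and the sample records are all constructed assumptions.

```python
"""Flag DNS queries sent to resolvers outside an approved allow-list.

Hypothetical example: the records below are constructed flow metadata
(timestamp, client, resolver, query name) of the kind a visibility platform
might export. Field names and values are assumptions, not a Gigamon format.
"""
import ipaddress
from collections import defaultdict

# Approved enterprise resolvers (constructed sample values).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# Constructed sample of DNS metadata records, one per observed query.
# Client 10.1.2.10 starts out using an approved resolver, then its queries
# begin going to 203.0.113.7, which is what altered DNS settings look like.
SAMPLE_RECORDS = [
    {"ts": "2017-10-01T08:00:01", "client": "10.1.2.10", "resolver": "10.0.0.53", "qname": "intranet.example.com"},
    {"ts": "2017-10-01T08:00:05", "client": "10.1.2.10", "resolver": "10.0.0.53", "qname": "mail.example.com"},
    {"ts": "2017-10-01T08:03:12", "client": "10.1.2.10", "resolver": "203.0.113.7", "qname": "bank.example.net"},
    {"ts": "2017-10-01T08:03:14", "client": "10.1.2.44", "resolver": "10.0.1.53", "qname": "update.example.org"},
    {"ts": "2017-10-01T08:04:00", "client": "10.1.2.10", "resolver": "203.0.113.7", "qname": "login.example.net"},
]


def find_rogue_resolver_queries(records, approved=APPROVED_RESOLVERS):
    """Return the records whose resolver is not on the allow-list."""
    rogue = []
    for rec in records:
        resolver = ipaddress.ip_address(rec["resolver"])
        if resolver not in approved:
            rogue.append(rec)
    return rogue


def find_resolver_changes(records):
    """Return (client, old_resolver, new_resolver, ts) for every query in
    which a client used a different resolver than in its previous query.
    Records are processed in timestamp order so the first observed resolver
    is the baseline for each client."""
    last_seen = {}
    changes = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        client, resolver = rec["client"], rec["resolver"]
        prev = last_seen.get(client)
        if prev is not None and prev != resolver:
            changes.append((client, prev, resolver, rec["ts"]))
        last_seen[client] = resolver
    return changes


def summarize(records, approved=APPROVED_RESOLVERS):
    """Per-client count of queries to unapproved resolvers, for triage."""
    counts = defaultdict(int)
    for rec in find_rogue_resolver_queries(records, approved):
        counts[rec["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for rec in find_rogue_resolver_queries(SAMPLE_RECORDS):
        print(f"ALERT unapproved resolver {rec['resolver']} used by "
              f"{rec['client']} for {rec['qname']} at {rec['ts']}")
    for client, old, new, ts in find_resolver_changes(SAMPLE_RECORDS):
        print(f"CHANGE {client}: resolver {old} -> {new} at {ts}")
    print(summarize(SAMPLE_RECORDS))
```

The allow-list check alone catches the first query to the rogue resolver; the per-client change tracker adds the context of which approved resolver the host was using just before, which is what an analyst needs to decide whether a client’s DNS settings were modified rather than, say, a new resolver being rolled out.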

I invite you to watch “All Killer, No Filler: How Metadata Became a Security Super Power at Gigamon.” In this webinar, our Principal Information Security Engineer Jack Hamm walks you through:

  • How network security will increasingly rely on building context and intent.
  • Why network-based metadata, followed by programmable packet data streams, will become the most simple and comprehensive approach to security analytics.
  • How network visibility serves as the single source of truth for information about applications, users and devices.
