Let’s Dwell on Dwell Time: Threat Detection and Response in the Cloud Age


With all the complexity, layers of virtualization, and the sheer scale of the modern data center – particularly hybrid cloud configurations – even seasoned security teams have trouble keeping their networks secure. Advances in secure protocols, aggressive security update schedules for OSs and applications, and robust perimeter defenses all definitely help, but breaches are still all too frequent. The huge amount of user data held by massive online enterprises (think Yahoo for example) makes them an irresistible target for cybercriminals. 

Unfortunately, the threat detection and response prowess of these same enterprises doesn’t scale with their size. To the contrary, the length of time attackers are able to lurk within a compromised network before being detected (i.e. the “dwell time”) can be quite long. The longer these intruders reside in a network, the more sensitive data they can discover, exfiltrate or destroy. 

If, on the other hand, intrusions can be detected much sooner, then mega breaches of the scale of the Target, Yahoo and Equifax variety can be prevented. With new data center security solutions which integrate multiple threat detection and response technologies now available, the good guys can finally have the tools needed to be one step ahead of the hackers.

And a good thing too, since mega breaches can cost a company $350 million in damages, according to a recent study by IBM.


Segment to secure

A network security technique which aids breach detection as well as containment and mitigation is micro-segmentation. Micro-segmentation takes traditional network segmentation and makes it much more granular by isolating the communication flows within workloads and applications. By wrapping policy-dictated boundaries around each part of a workflow, the number of network traffic checkpoints greatly increases. The more checkpoints data must cross during a workflow, the more closely IT pros can scrutinize all traffic, both legitimate and malicious. 

With micro-segmentation, granular and real-time network monitoring is possible, which in turn allows security teams to build up historical data on the normal data flows within their network. This historical data is key to detecting anomalies in network traffic, whether caused by misconfigured applications or by attacks in progress, because it serves as a baseline against which future data flows can be compared. 

Besides aiding in attack detection, micro-segmentation can also contain network intrusions by blocking the malicious lateral (aka “East-West”) traffic attackers use to compromise other systems in the network.

These twin benefits make micro-segmentation a must-have feature for data center security platforms.


White lies

Another technology which is proving very useful for securing complex, fluid infrastructure like hybrid clouds is dynamic deception. Dynamic deception is a sophisticated new way of actively sandboxing intruders by redirecting them into dynamically created live environments so that the attackers’ tools, motives, and methods can be more thoroughly identified, analyzed, and therefore better mitigated. 

The live environments into which the intruders are drawn are basically honeypots on steroids which are seamlessly connected to, but separate from, the data center. Because the attackers are steered off of the target network (without even knowing it), that target network suffers neither disruption nor degradation in performance.

Dynamic deception solves two current problems caused by more traditional detection methods:

  • Older methods tend to generate a lot of false positives, since misconfigured applications can generate abnormal traffic flows which may on the surface appear to be malicious.
  • Those methods also tend to rely on more resource-intensive agents deployed in the heart of the data center, increasing the risk of performance disruption.

The latest dynamic deception technology addresses both shortcomings found in the earlier methods. Security solutions that deliver high-interaction dynamic deception are able to tease out a lot more useful data from the attackers. More data leads to a better distinction between attacks and non-malicious network issues. Also, today’s best-of-breed dynamic deception solutions utilize lightweight agents which cause almost no impact on a data center’s performance.
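The detection logic sketched in the two sections above (a micro-segmentation policy that denies East-West traffic by default, a baseline of normal flows learned from historical traffic, and decoy addresses that separate a real intruder from a misconfigured application) can be shown end to end in a short script. This is an added example and not code from the article or from any vendor's product; the flow-log format, the IP-to-segment map, the allowed-flow policy and the decoy addresses are all constructed for illustration.

```python
"""Flow triage combining micro-segmentation policy, a learned baseline, and decoys."""
from collections import Counter
from typing import Iterable, NamedTuple


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(int(ts), src, dst, int(dport), proto)


# Constructed segment map (an assumption): /24 prefix -> workload tier.
SEGMENT_OF = {"10.0.1.": "web", "10.0.2.": "app", "10.0.3.": "db"}

# Constructed micro-segmentation policy: the only East-West flows the
# application design needs. Everything else is denied by default.
POLICY = {("web", "app", 8080, "tcp"), ("app", "db", 5432, "tcp")}

# Constructed decoy (deception) addresses. No legitimate workload is ever
# configured to talk to them, so a flow toward one is not a misconfiguration.
DECOYS = {"10.0.9.50", "10.0.9.51"}

# Constructed flow logs: a known-good baseline window, then a live window.
BASELINE_LOG = [
    "1000 10.0.1.10 10.0.2.20 8080 tcp",
    "1001 10.0.2.20 10.0.3.30 5432 tcp",
    "1002 10.0.1.11 10.0.2.20 8080 tcp",
    "1003 10.0.2.21 10.0.3.30 5432 tcp",
]
LIVE_LOG = [
    "2000 10.0.1.10 10.0.2.20 8080 tcp",  # normal web -> app
    "2001 10.0.2.20 10.0.3.30 5432 tcp",  # normal app -> db
    "2002 10.0.1.11 10.0.3.30 5432 tcp",  # web host reaching the db tier directly
    "2003 10.0.1.10 10.0.9.50 22 tcp",    # web host touching a decoy
    "2004 10.0.1.10 10.0.1.11 22 tcp",    # ssh between two web hosts
    "2005 10.0.2.21 10.0.3.30 5432 tcp",  # normal app -> db
    "2006 10.0.2.20 10.0.3.31 5432 tcp",  # policy-allowed, but a db host never seen before
]


def segment_of(ip: str) -> str:
    """Map an address to its tier; anything outside the known tiers is 'unknown'."""
    for prefix, name in SEGMENT_OF.items():
        if ip.startswith(prefix):
            return name
    return "unknown"


def learn_baseline(lines: Iterable[str]) -> set:
    """Build the set of (src, dst, dport, proto) tuples observed during a known-good window."""
    return {(f.src, f.dst, f.dport, f.proto) for f in map(parse_flow, lines)}


def triage(flow: Flow, baseline: set, policy=POLICY, decoys=DECOYS) -> str:
    """Classify a flow: 'attack' (decoy touched), 'block' (outside policy),
    'allow' (in policy and in baseline) or 'review' (in policy but never seen)."""
    if flow.dst in decoys:
        return "attack"
    if (segment_of(flow.src), segment_of(flow.dst), flow.dport, flow.proto) not in policy:
        return "block"  # unexpected East-West traffic; the segment boundary stops it
    if (flow.src, flow.dst, flow.dport, flow.proto) in baseline:
        return "allow"
    return "review"  # permitted by policy but new: likely a misconfiguration or a fresh deployment


def analyze(baseline_lines: Iterable[str], live_lines: Iterable[str]) -> list:
    """Learn the baseline, then return [(flow, verdict), ...] for the live window."""
    baseline = learn_baseline(baseline_lines)
    return [(f, triage(f, baseline)) for f in map(parse_flow, live_lines)]


def summarize(results: list) -> dict:
    """Count verdicts, e.g. {'allow': 3, 'block': 2, 'attack': 1, 'review': 1}."""
    return dict(Counter(verdict for _, verdict in results))


if __name__ == "__main__":
    for flow, verdict in analyze(BASELINE_LOG, LIVE_LOG):
        print(f"{verdict:7} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print(summarize(analyze(BASELINE_LOG, LIVE_LOG)))
```

The ordering of the checks is the point: the decoy test runs first because a decoy contact needs no baseline to interpret, the policy test runs second because a denied segment pair is blocked regardless of history, and only flows the policy already permits are compared against the baseline, which is where the "review" verdict keeps a misconfigured application from being reported as an attack.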


Threat detection and response for today’s data center

Micro-segmentation and dynamic deception are both very effective on their own but become even more powerful when expertly integrated into a comprehensive platform that scales to modern clouds and physical data centers. One such solution is GuardiCore’s Centra platform, which has the added benefit of automated reputation analysis of IP addresses, domain names, and file hashes.

As we explained above, reducing dwell time by enabling early detection is key to reducing the occurrence of mega-breaches and their costly aftermath. Multi-pronged platforms incorporating micro-segmentation, dynamic deception, and other advanced methods are just the tools needed in today’s cybersecurity environment.