The way we've always done security is inherently flawed, or at least profoundly limited.
In my nine years as CIO, the one thing I know for certain is that change happens. Unless you embrace change and adapt quickly you're probably not going to be a CIO for very long. The way we approach security is a classic example of how the landscape has changed so profoundly in the last two years that entirely new approaches are required.
IDS, firewalls, antivirus software, signatures... they all serve a purpose. But the new threat vectors drive me to an inevitable conclusion: if you want to protect your environment - and I mean actually protect it (not just have a check box you can show your boss or the board) - you have to be able to visualize all traffic on the network in real time and watch the behaviors of that traffic. This means not only being able to know who is communicating (e.g. NetFlow), but to fully understand the actual conversations between all clients, systems, infrastructure, and applications. You have to know all about east-west traffic. There is no other way.
Are files being renamed at a rapid rate? Is there a massive uptick in SSH between servers? Is that dev VM suddenly talking to the accounting fileserver? Palo Alto gave us a next gen firewall that redefined and truly protected us for north-south traffic. That's a good start. But what do you do about ransomware? You can keep doing what you're already doing:
- Backup the data
- Have really good firewalls
- Use and maintain strong anti-virus software
...and update your resume, because attack sophistication has increased.
Or you can take a new approach and actually do something about the current security reality by focusing on one new thing: behavior analysis.
Why behavior analysis? Because names and signatures change all the time. The only way to really stop ransomware, detect it, and truly protect your environment is to see EVERYTHING across your entire infrastructure and look at the behaviors.
ExtraHop is a next generation stream analytics platform that - unlike border devices which can only see ingress and egress traffic - lets you visualize, analyze, and act on all traffic in your network.
Full visibility is the only way you can do pattern-based behavioral analysis. Log analysis can't do it and neither can security agents, because they simply can't see all activity. They can only see what they're told to collect, and the last time I checked, hackers don't tend to announce themselves. However, cracking behavior can be detected and stopped - if you have the visibility required.
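The three questions asked earlier (rapid file renames, an SSH uptick between servers, a dev VM reaching the accounting fileserver) are exactly the kind of east-west behaviors that full traffic visibility lets you check for. The following is an added illustration written for this discussion, not ExtraHop's product code: it runs three simple behavioral detectors over a constructed list of flow records. The record format, the segment addresses (10.1.0.0/24 as the dev segment, 10.2.0.5 as the accounting fileserver), the thresholds and the sample data are all assumptions made up for the example.

```python
"""Toy behavioral detectors over constructed east-west flow records.

Added illustration, not ExtraHop code: the record format, thresholds,
addresses and sample data are all assumptions made up for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch (constructed)
    src: str         # client IP
    dst: str         # server IP
    dport: int       # destination port (22 = SSH, 445 = SMB)
    op: str = ""     # application-level operation seen in the stream, e.g. "SMB_RENAME"


# Constructed topology assumptions for this example.
DEV_SEGMENT = ip_network("10.1.0.0/24")
ACCOUNTING_FILESERVER = "10.2.0.5"
WINDOW = 60.0  # seconds


def rapid_renames(flows, threshold=50, window=WINDOW):
    """Return {src: peak_count} for clients issuing more than `threshold`
    SMB renames inside any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if f.op == "SMB_RENAME":
            by_src[f.src].append(f.ts)
    hits = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # drop timestamps that fell out of the window
                lo += 1
            n = hi - lo + 1
            if n > threshold:
                hits[src] = max(hits.get(src, 0), n)
    return hits


def ssh_uptick(flows, baseline_per_window, factor=3.0, window=WINDOW):
    """Return {bucket: count} for fixed windows whose SSH (port 22) session
    count exceeds `factor` times the expected baseline."""
    buckets = Counter(int(f.ts // window) for f in flows if f.dport == 22)
    return {b: n for b, n in buckets.items() if n > factor * baseline_per_window}


def segment_violations(flows):
    """Dev-segment hosts should never talk to the accounting fileserver;
    return the (src, dst) pairs that did."""
    return sorted({(f.src, f.dst) for f in flows
                   if ip_address(f.src) in DEV_SEGMENT and f.dst == ACCOUNTING_FILESERVER})


def sample_flows():
    """Constructed sample traffic: one benign client, one ransomware-like
    client, an SSH burst between two servers, and one segment violation."""
    flows = []
    # Benign client: three renames spread over ten minutes.
    flows += [Flow(1000.0 + i * 200, "10.3.0.10", ACCOUNTING_FILESERVER, 445, "SMB_RENAME")
              for i in range(3)]
    # Suspect client: 80 renames in under 30 seconds (encrypt-and-rename pattern).
    flows += [Flow(2000.0 + i * 0.35, "10.3.0.77", ACCOUNTING_FILESERVER, 445, "SMB_RENAME")
              for i in range(80)]
    # Server-to-server SSH: 12 sessions inside one minute against a 2/min baseline.
    flows += [Flow(3000.0 + i * 4, "10.2.0.20", "10.2.0.21", 22) for i in range(12)]
    # Dev VM opening a share on the accounting fileserver.
    flows.append(Flow(3100.0, "10.1.0.42", ACCOUNTING_FILESERVER, 445, "SMB_OPEN"))
    return flows


def run_detectors(flows, ssh_baseline=2):
    """Run all three detectors and return their findings keyed by detector name."""
    return {
        "rapid_renames": rapid_renames(flows),
        "ssh_uptick": ssh_uptick(flows, ssh_baseline),
        "segment_violations": segment_violations(flows),
    }


if __name__ == "__main__":
    for name, finding in run_detectors(sample_flows()).items():
        print(f"{name}: {finding}")
```

None of these detectors needs a signature or a malware name: the rename detector keys on rate, the SSH detector on deviation from a baseline, and the segment detector on a communication that should not exist at all. Each of them only works because the input includes the east-west conversations between internal hosts, which a border device never sees.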
This week we announced how we help our customers understand and respond to ransomware attacks with speed and accuracy, stopping them cold in their tracks. NO ONE ELSE can do what we do. So stop focusing on tools and start focusing on behaviors.
Update your approach or update your resume - the choice is yours.
Read a true story about how ExtraHop helped a healthcare organization shut down a ransomware attack in progress, BEFORE any vital documents were encrypted.
This is a companion discussion topic for the original entry at https://www.extrahop.com/community/blog/2016/network-security-monitoring-change-or-die/