Tabula Rosa Systems, our sister company provides :best of breed" network, security and systems management products for all sizes of companies and their applications. One of our premiere products is PacketViper. The article below is by Frank Trama, one of the company' founders and its CTO. For more information on this product or to see the Tabula Rosa product suite, please contact them as noted below.
================================================
Financial Institutions Network Security Is Being Blinded!
Nov 4, 2016
Today, Financial institutions (not limited to) are being over run with
security logging and alerting. Each new monitoring and alerting device adds
more things to consider when evaluating threats on a daily basis. You would
think this would help, and is a good thing? It is and isn't at the same time.
We bury our faces in reports, sift log after log for the magic bullet, set up
countless alerts on top of alerts, to chase countless rabbits (false positive)
down holes. This in itself burdens budgets, jades security teams, and masks
legitimate threats that can ultimately lead to breach.
How many stacks of reports, graphs, and pie charts do you look at today?
How many lines of logs do you look at? Do you stop when your eyes are bleeding?
I personally I've chased enough rabbits down holes (false positives) to where I
almost grew a tail
To understand the enormity of the problem let's rewind the clock a couple year and see what it was in 2014: Damballa's Report
The average North American enterprise fields around 10,000 alerts each day from its security systems, far more than their IT teams can possibly process, a Damballa analysis of Q1 2014 traffic has found.
You have to ask why? Why are we seeing this many alerts on a daily basis? The simple answer is we are not considering what we are allowing to and through the perimeter. We basically open up exposures into our firewalls and DMZ's, then top it off with a army of monitoring devices to watch and understand the traffic.
Hold on! Before you write me a nasty comment... Here is what I'm saying. Today we are allowing everything to the gateway forcing the security devices to inspect everything. This is how they are built and designed.
For instance: your firewall rule may look like this
permit any to 1.1.1.1 tcp/udp x,
permit any to any tcp/udp port x, y, z
What you told your firewall is allow everyone on the planet access to those IP's and Services. What if that was a VPN, HR, WebMail, FTP, VM, PAYMENT PROCESSING, SSH, RDP, or TELNET Portal?
Have you ever asked why are we doing it this way or why are we inspecting everything?" Imagine if your security environment only had to inspect 30% of what you are seeing today. That would alleviate logging, alerting, shrink rules sets, provide faster threat detection, and unburden human resources. Right? Right!
You're probably wondering it can't be that simple? It is though. Lessen the traffic burden lessens the traffic load. Today in many situations the solution may look like:
We need more bandwidth
We need a bigger firewall
We need to consolidate logs and alerting
We need more staff
All of this may be true, and if budgets permit. Got for it! But think about it. If we we can remove the bulk of the garbage traffic (let's say 70%), without it interfering with production traffic and all the above is mute.
There is a light at the end of the tunnel, enter the Geo-IP Layer a seemingly simple layer but when done properly will remove the burden through the security environment by eliminating the waste before it enters. But don't think for one minute your current security devices can do this properly. That's a myth. The problem has always been that current security tools only provide a subset of what is needed to properly Geo-IP, that leaves a bad taste in the security teams mouth. Separating the Geo-IP layer from the application layer is vital to have this layer work to your benefit. Anything else, you are back to where you started.
To understand the enormity of the problem let's rewind the clock a couple year and see what it was in 2014: Damballa's Report
The average North American enterprise fields around 10,000 alerts each day from its security systems, far more than their IT teams can possibly process, a Damballa analysis of Q1 2014 traffic has found.
You have to ask why? Why are we seeing this many alerts on a daily basis? The simple answer is we are not considering what we are allowing to and through the perimeter. We basically open up exposures into our firewalls and DMZ's, then top it off with a army of monitoring devices to watch and understand the traffic.
Hold on! Before you write me a nasty comment... Here is what I'm saying. Today we are allowing everything to the gateway forcing the security devices to inspect everything. This is how they are built and designed.
For instance: your firewall rule may look like this
permit any to 1.1.1.1 tcp/udp x,
permit any to any tcp/udp port x, y, z
What you told your firewall is allow everyone on the planet access to those IP's and Services. What if that was a VPN, HR, WebMail, FTP, VM, PAYMENT PROCESSING, SSH, RDP, or TELNET Portal?
Have you ever asked why are we doing it this way or why are we inspecting everything?" Imagine if your security environment only had to inspect 30% of what you are seeing today. That would alleviate logging, alerting, shrink rules sets, provide faster threat detection, and unburden human resources. Right? Right!
You're probably wondering it can't be that simple? It is though. Lessen the traffic burden lessens the traffic load. Today in many situations the solution may look like:
We need more bandwidth
We need a bigger firewall
We need to consolidate logs and alerting
We need more staff
All of this may be true, and if budgets permit. Got for it! But think about it. If we we can remove the bulk of the garbage traffic (let's say 70%), without it interfering with production traffic and all the above is mute.
There is a light at the end of the tunnel, enter the Geo-IP Layer a seemingly simple layer but when done properly will remove the burden through the security environment by eliminating the waste before it enters. But don't think for one minute your current security devices can do this properly. That's a myth. The problem has always been that current security tools only provide a subset of what is needed to properly Geo-IP, that leaves a bad taste in the security teams mouth. Separating the Geo-IP layer from the application layer is vital to have this layer work to your benefit. Anything else, you are back to where you started.
The Geo-IP layer sole purpose is to effectively eliminate traffic before it
is inspected. The end result is what you see in the image below. A much
cleaner more effcient security environment.
Another Special Announcement - Tune in to my radio interview, on Rider University's station, www.1077thebronc.com I discuss my recent book, above on "Your Career Is Calling", hosted by Wanda Ellett.
www.amazon.com/author/paulbabicki
In addition to this blog, I maintain a radio show on BlogtalkRadio and an online newsletter via paper.li.I have established Netiquette discussion groups with Linkedin and Yahoo. I am also a member of the International Business Etiquette and Protocol Group and Minding Manners among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts and I have been contributing to the blogs Everything Email and emailmonday . My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.
I am the president of Tabula Rosa Systems,
a “best of breed” reseller of products for communications, email,
network management software, security products and professional
services. Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.
Over the past twenty-five years, I have enjoyed a dynamic and successful career and have attained an extensive background in IT and electronic communications by selling and marketing within the information technology marketplace.Anyone who would like to review the book and have it posted on my blog or website, please contact me paul@netiquetteiq.com.
=============================================================
No comments:
Post a Comment