Information security is a top of mind issue for every enterprise. Information theft or destruction can lead to significant repercussions, such as lost customers, lost revenue and a damaged brand and reputation.
When evaluating infrastructure based cybersecurity solutions, it is important to understand some of the distinctions between them.
Below are 3 infrastructure-based security solutions one should consider:
Cybersecurity Solution Types
The first distinction is one of cybersecurity solution types: Network Intrusion Detection Systems (NIDS), Endpoint and Perimeter protection.
Perimeter protection, firewalls and security gateways, is perhaps easiest to understand, think of perimeter protection like the bouncer or security guard. They guard the doorways, but threat actors can slip by with “fake IDs” or come in through other tunnels not protected by the perimeter devices.
NIDS look at the suspicious and malicious activity that gets by the perimeter protection – think of the NID based wire traffic analysis as the video cameras that look at what gets by the security guards at the front door.
In addition, with the move to cloud, and adoption of hybrid and multi-cloud infrastructure architectures, the perimeter as we know it is disappearing evolving to a “perimeter-less” digital landscape.
Endpoint security looks at attacks and malicious behavior from the perspective of the endpoint rather than the wire. Think of Endpoint based security as sensors on all the wallets, cash registers, safes, etc. – the critical assets of an enterprise. Endpoint security sees what happens at the execution point of the attack, but not what is traversing the wire while in transit.
However, one of the challenges of Endpoint security is that it requires instrumenting endpoints with agents, which can content for resources, or in certain cases, cannot support an agent such as in IoT or Industrial Control Systems (ICS).
Cybersecurity Threat Detection Categories
A second distinction is between cybersecurity threat detection categories: Indicators of Compromise (IoC), and Tactics, Techniques & Procedures (TTP). A proactive approach to detection uses both IoCs and TTPs to discover security attacks or suspicious behavior for as close to real time detection as possible.
IoCs can be understood as the artifacts or pieces of forensic data in an attack (blood, body, and gun). In cybersecurity an IoC can be a leading indicator that an attack has begun, or it can be a lagging indicator that the attack has happened.
TTPs look at behaviors rather than artifacts. IoCs help answer the question “What happened?” while TTPs can help answer questions like “What is happening and why?” Using TTPs, one can perform a time sequenced reassembly of executed behaviors associated with specific Advanced Persistent Threat (APT) groups. Using ML and AI, one can adapt to the ever changing attacker TTPs.
Finally there is a distinction between technology evolutions.
Legacy NIDS technology deploys pattern and signature matching for detection was used to detect malicious activity. Another characteristic of legacy NIDS technology is that it is primarily limited to monitor L2-4 data.
Next generation NIDS technology, also called Network Traffic Analysis (NTA), deploys anomalous behavior detection using ML is able to detect malicious activity that morphs its signature.
Additionally, in next generation NIDS technology, rather than having the limit of layers 2-4 as a data set, data is analyzed all the way to L7, or what is called full stack data. This allows for detection key application security protocol transaction data such as HTTP, SQL, DNS, SMB, etc.
It is important to understand these distinctions when building a cybersecurity policy, and evaluating vendor solutions. One last point that can’t be overemphasized is that of data quality for security analytics. With the emergence of emphasis on ML and AI, of equal importance to their algorithms is the quality of data they ingest for analysis.
The old adage, “garbage in- garbage out” still applies regardless of how many data scientists are thrown at algorithms. Accedian’s high fidelity, high resolution, high throughput data can transform security analytics as it is economically viable and operationally feasible to acquire.