Confidence and Control at RSAC '16

A View of RSA from the Hall

RSAC ‘16, hit San Francisco with a record number of attendees, topping out at 40,000 a 15% increase from 2015. The security conference by the Bay, “where the world talks security” has seen steady growth in the past few years. The increase in attendance is mirroring the growth of the industry and fears around cyber crime, cyber espionage and, well, anything cyber.

The exhibition hall was no different as vendors packed in, illustrating not only on-going investment from the big guys like Fortinet, FireEye, Palo Alto and Cisco but also representing the over $4.6 billion dollars of venture capital that has been flowing into start-ups over the past two years. There are a lot of solutions out there, as organizations strive to obtain visibility into what is going on in their environments.

With all this attention, money and great parties at the W, are we any closer to achieving the very reason we are here? Not to get existential, as in the proverbial "why are we here," but where do our networks stand today? Are we any safer than we were just a few years ago? And who is managing all these shiny new boxes full of blinky lights? Isn't there a drought as big as California in the security talent pool, some million strong? California is counting on El Nino to save their day. When is the info-sec rain coming, and will it bring with it much-needed talent? The only clouds we see drive a lack of control and visibility, and create an application and access nightmare.

Before we fall into the familiar pit of pessimism, let's not forget what we are all doing here. We are keeping the connection alive. Keeping the connected workforce on the go, bringing moms closer to their children, doctors to their patients and driving unprecedented economic growth. Guarding the connection is kind of cool, and it matters.

At RSA, visibility and control reigned supreme, combined with ease of management. There are a number of "single panes of glass" solutions that aggregate your visibility at the management plane. These are great to see what is or what has happened within your network, and they even provide cool graphs. But they are doing nothing to feed the tools with the data that supplies the visibility and they provide little control.

After visibility, the underpinning issue of time to detection was everywhere. Plugging every hole and building a massive wall around our perimeter is no longer a viable form of defense in today's connected world. With every new device comes a new IP address and a point of access. Time to detection in weeks, months or years is not something we can afford in the "it's not a matter of if but when" era of security incidents.

We need to see who has entered our network, where they have gone, what they have done. We must react and deploy a response quickly. Recognizing that failures will happen while establishing a well-orchestrated response is a sign of a maturing security posture. Having the ability to respond quickly while being poised under pressure permeates confidence within our systems and the craft of securing the connected. Our security teams and systems need confidence more than anything, in response and in deployment. Because many of these expensive tools are not deployed in active blocking mode, due to fear of disrupting the connection, where is the confidence with partially implemented solutions?

The exhibitors’ hall at RSA is full of possibilities for investment. But no single pane of glass, magic bullet or high price tool is going to be effective if we do not provide the proper support. The lack of personnel and fear of automated systems are compounding a passive approach to prevention and detection. Teams are managing and deploying shiny new boxes while fighting for access to traffic and visibility. Instead of actively protecting the connected.

A wise person once said, "judge me not by the mistakes I make but by the lessons I learn." With these post-incident lessons, how do we respond not only with the right internal behavioral change but with the appropriate technology as well? The speed of deployment and confidence in implementation is an essential factor in incident response. We need to be able to provision new solutions with confidence, with all available active in-line services up and running, while reducing management and provisioning overhead. Freeing our teams from the deployment and management cycle to redeploy them to the protection cycle. This way we can not only be good, we can also be cool, until we all meet again in the City by the Bay. 

Learn more about how you can confidently deploy security in your environment and mature your security posture without disrupting the network connection.

 http://www.vssmonitoring.com/security/

What European Soccer Can Teach Us About Defending the Network

Real Madrid, the star of European soccer, is one of the best teams in the world and as such, attracts top talent from all over the planet. The team won the most coveted club trophy, the Champions League, ten times. However, the road to glory has been a bumpy one and, within their failures, there are lessons for network security professionals.

Real Madrid won its 9^th Champions League trophy in 2002 largely thanks to its defensive midfielder Claude Makelele. He left the team the following year and Real Madrid, unable to acquire an adequate replacement, didn’t win the trophy again until 2014 after they finally found the world-class replacement in Xabi Alonso.

Why were Real Madrid’s defensive midfielders so critical to the team’s success and why are they relevant to defending the network? The defensive midfielder’s job is to break up the other team’s attacks, win the ball back and pass it to his offensive players so they can score. They have the skills and the right perspective on the field to provide visibility to the whole team. Coincidentally, visibility is one of the defining features of a mature security posture and key to enhancing cybersecurity capabilities.

Combining a comprehensive traffic delivery strategy with advanced security capabilities creates a pervasive defense system against a broad range of attacks.

A mature cyber-security approach takes into account both the internal enterprise network and the external world of threats; they are dynamic environments that are always evolving. Therefore, protection requires a dynamic security architecture built-in – not added after the fact. It advocates for combinations of security solutions. Some of the most common mixes are:

• Active inline network analysis
• Passive, out of band network forensics
•  Active payload analysis

For this architecture to be effective, it needs to have access to all traffic that moves through the network, and it should be flexible enough so that changes can be made at a moment’s notice. Even today, most network changes are done during a maintenance window, when the volume of traffic is low and the threat of disrupting the business is small. However, imagine a world where, as a network administrator or security professional, you are able to have visibility into all network traffic, and enhance and modify your security infrastructure without any disruptions to the business. This is the promise that unified visibility, enabled by the VSS Network Packet Brokers (NPBs), can deliver on for an organization.

The NPBs aggregate traffic from various network links creating a Unified Visibility Plane. It allows organizations to collect relevant traffic from many locations at speeds from 1Gbps to 100Gbps and deliver it to a centralized security architecture that inspects and analyzes the traffic, generating alerts and possibly blocking traffic in real time. Additionally, it allows the network operator to construct a chain of security devices which inspect network traffic in sequence. Only the traffic of interest is sent to each security device. 

Imagine being able to deploy inline, active, real-time security inspection without any risks to the network performance (no more worries about being fired because of a network outage!). Imagine being able to constantly exercise the application stack of a security system so you know it is working as expected. Go beyond simple pings telling you if the security system’s port is up or down – they are insufficient in a world of real-time traffic inspection.

Network and security professionals have been fighting an uneven match with cyber-criminals. While the “bad guys” can change weapons in a matter of minutes, you, in most cases, have to wait for maintenance windows to upgrade your architecture. This results in a belated modification, and, perhaps worse, an irrelevant one. What makes this battle a more even one is a mature cyber-security posture based on pervasive visibility.

The VSS ActiveProtection Suite and the Unified Visibility Plane deliver these benefits, and more. Now network administrators, like soccer coaches, can adjust their arsenal in real time without having to worry about disrupting the flow of the game or the business operations of the company. Just like Real Madrid’s all-star midfielders, a Unified Visibility Plane provides visibility to all traffic and allows security systems to do what they do best: inspect and block potentially malicious traffic while other systems search for threats inside the network. 

Not a bad world to live in, don’t you think?

Learn how VSS can help you be the best midfielder on your security team. Support multiple layers of defense without risk to network performance or network uptime with our inline tool-chaining capability. See the on-demand demo.

It's Visibly Clear from the RSA Conference 2015

Everyone is looking for more visibility
at the RSA Conference, even the FBI's
Fido! 

Everyone at this year’s RSA Conference was speaking the same language of needing and providing more operational visibility. Even the weather seemed to agree with the visibility discussion as the clouds cleared away each afternoon. 

At VSS Monitoring, our mission has always been centered on delivering total network visibility to optimize the effectiveness of your security and network monitoring tools. InfoSec professionals around the world rely on VSS to give their monitoring and security tools access and visibility to traffic across networks without requiring physical reconfiguration. We’ll talk more about that later. Right now, let’s focus on our top takeaways from this year’s RSA conference.

                                                                                                                

Moving security tools in line is a key step
for many attendees

Get in line 

The rate that new malware is being introduced into corporate networks is leaving no choice but to place security tools inline. That is clear. We heard from many attendees that bringing their security tools inline was critical. For some, this will be a first and concerns surrounding using SPAN ports, and not disrupting the network, were top of mind issues to be solved in 2015.

Sandboxes provide a safe
environment to analyze
malware

Sandboxes are Popular

For others, sandboxing is viewed as the next step towards getting ahead of emerging attack vectors. Combining endpoint security with a secure sandbox environment to further analyze unknown files and malware is a popular deployment scenario we discussed. In this scenario, attendees were interested in learning how they could direct traffic to multiple tools while also accommodating behavioral sandboxing. We spoke with many attendees that needed a safe environment to isolate, analyze and ultimately address malware in a contained environment. 

RSA attendees are focused on
closing the loop for security analysis

Creating Closed Loops

Another way attendees are responding to the problem of unknown malware is with cloud-based threat monitoring and intelligence services. Attendees were keen to integrate cloud-based threat intelligence feeds and architect a closed monitoring loop, using on-premise appliances as well as and cloud-based services. We had several discussions on different ways traffic could be directed through their tool chain and then forwarded out to a cloud based security services for analysis.

While security tools will always be the darlings of the RSA Conference, we spoke to a number of people who were not planning to deploy any new tools in 2015. Instead these attendees wanted to focus on how they could collect, analyze and direct the right data in real-time to the existing tools. A truly refreshing thought. 

It was good to see that the industry is quickly growing-up and changing. Sound decisions regarding security architecture and how everything (and everyone) needs to play together well for effective security was a welcome thought. 

Learn 10 Tips to Mature your Security Strategy

Is Tapping Low Optical Budget Links Making you Pull Your Hair (or the TAPs) Out?

By: Gina Fallon, VSS Product Management

If you have ever had to do split ratio calculations for passively tapping network links, you have a tendency to want to pull your hair out over the mathematical Olympics required. When you have to deal with low optical budgets, it takes the challenge even a step closer to the tipping point where there is no budget left to establish link with the network device and/or probe attached to the passive tap.  The most common offenders are 10G & 40G Multimode where Cisco’s 40G Multimode BiDi (40GbaseSR2) budget is so tight it is not even recommended for passive tapping at all.

The solution is to go to active optical tapping. These taps don’t employ optical splitters (which have inherent insertion loss) and actually regenerate the optical signal on both the network and monitor transmit sides. VSS Monitoring offers vBroker Series products with PowerSafe chassis modules which also offer layer 1 Fail Open/Close state configurability if there is power loss or as a manual force Fail Open option during power on and a full range of optic technology support (10G MM, 40G MM, 40G MM BiDi, 40G SM, etc.).

Check out our full technical write up here: Tapping Low Optical Budget Links

Optimizing Monitoring Tools and Security Systems for 100Gbps & 40Gbps Networks

Most large organizations are either considering or have already begun to adopt higher bandwidth network infrastructure, typically 40G in the Enterprise and 100G in the carrier domain. Whenever a network undergoes a migration of that magnitude, the network monitoring and security architecture has to be revisited to ensure it’s ready to scale with the network.

Here are top three goals to keep in mind when redesigning the management infrastructure:

1. Leverage what you have
2. Maximize ROI
3. Make it future proof

If there’s already a network packet broker (intelligent TAP) system in place—and in most large networks there will be—it should be used to properly “tune” the network traffic to the existing monitoring tools and security systems. Assuming the NPB system is sufficiently scalable and modular (and again, it should be), adding 100G or 40G capture interfaces/appliances will be fairly straightforward.

Once the physical capture interfaces have been added, most of the functions needed to accomplish tool optimization are reasonably simple, but could do with some emphasis. Check out this solution guide outlining the essentials of leveraging 1G and 10G toolsets across 40G and 100G networks:

How to Optimize Monitoring Tools and Security Systems for 100Gbps & 40Gbps Networks