Enhancing Network Security

Network security consumes a great deal of my thinking and planning. A cursory read of the headlines confirms why this should be the case for many of us. Just in recent months, Target, Neiman Marcus and the University of Maryland have all suffered damaging cyberattacks. While those engaging in Monday-morning quarterbacking might be inclined to suggest otherwise, these organizations are by no means slackers. Securing our respective organizations is a matter of knowledge and skill, significant resource availability, institutional consensus regarding acceptable risk, and, all too often — simple dumb luck.

That said, taking as much luck as possible out of the equation by being highly prepared is infinitely preferable. Today, the cyberwar escalates for all of us. In response, this requires that we take our cybersecurity capabilities to the next level.

Effective network security is a specialized endeavor. Anyone who feels otherwise is foolish or dangerously uninformed. Critical to note is that network security is a relative, and not an absolute, state. The greater the security pursued, the more expensive it becomes, rather quickly. For this reason, there must be a point of reasonableness concerning how much risk any organization is willing to accept, because resources are not limitless.

The approach traditionally practiced has been to keep threats outside the network from ever getting inside. This is done in a number of ways, including firewalls. These are largely outward-looking devices designed to identify external threats and keep them from penetrating our networks and subsequently attacking users and critical assets. Other measures operating external and internal to the network help support this approach, including malware protection that counters viruses, worms and similar threats. To be clear, this approach is almost fully dependent upon the additive ability of the measures deployed to keep cyberthreats out, or at least controlled. What happens when this fails and an active agent manages to breach our defensive perimeters or is intentionally introduced?

Intrusion Detection Systems

A higher level of defense involves intrusion detection systems (IDSs). These are installed on the inside of networks to listen to internal network traffic, identify possible threats and issue warnings and alerts. IDSs have been around for a while, and are considered security enhancements. But IDSs are not cheap with regard to acquisition and deployment. They are frequently deployed in business environments, as well as others where the return-on-investment (ROI) can be justified.

While considered good additions, there are shortcomings with IDSs. By their nature, they are passive devices that listen, detect and issue alerts; they do nothing to counter an attack. In addition, IDSs are only as good as the intelligence built into them concerning how to detect possible threats, particularly when those threats are constantly changing and evolving. Finally, IDSs by their nature report historically, on events that have already occurred. It is conceivable that the speed of an attack could be so great that even if it were detected, it might be over before action could be taken.

Intrusion Protection Systems

A far better approach involves intrusion protection systems (IPSs). IPSs are considered an evolutionary advance beyond IDSs because they are active devices that are designed to not only detect threats, but to automatically take action to counter them. The best IPSs have highly sophisticated algorithms for identifying possible threats. To be most effective, these systems listen to network traffic to detect messages that are unusual and potentially malicious, as revealed by known signatures or heuristic patterns. When detected, IPSs can take many actions. These can include quarantining traffic, blocking originating addresses and cessation of connections to high-value assets within the network. Clearly, a system capable of actually detecting and neutralizing a threat is a much better investment than one that simply issues warnings.
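The difference between passive detection (IDS) and active response (IPS) described above, as an added example that is not part of the original article: the same signature and heuristic checks run over constructed connection records, once alert-only and once with source blocking. The record format, the placeholder signature string, the fan-out threshold and the addresses (documentation ranges) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (second, source, destination, payload summary).
# Addresses come from documentation ranges; this is not real capture data.
EVENTS = [
    (0, "198.51.100.7", "10.0.0.5", "GET /index.html"),
    (1, "203.0.113.9", "10.0.0.5", "POST /upload TEST-SIGNATURE-A"),
    (2, "203.0.113.9", "10.0.0.8", "GET /reports"),
    (3, "192.0.2.44", "10.0.0.5", "SYN"),
    (3, "192.0.2.44", "10.0.0.6", "SYN"),
    (4, "192.0.2.44", "10.0.0.7", "SYN"),
    (4, "192.0.2.44", "10.0.0.8", "SYN"),
    (5, "198.51.100.7", "10.0.0.5", "GET /about.html"),
]
SIGNATURES = ("TEST-SIGNATURE-A",)  # placeholder for a known-bad pattern
FANOUT_LIMIT = 3                    # heuristic: distinct destinations per source
WINDOW = 5                          # seconds of history kept per source


def inspect(events, prevent):
    """Return (alerts, delivered, blocked). prevent=False acts as an IDS, True as an IPS."""
    alerts, delivered, blocked = [], [], set()
    seen = defaultdict(list)  # source -> [(time, destination)] inside the window
    for t, src, dst, payload in events:
        if src in blocked:
            continue  # IPS only: traffic from a blocked source never arrives
        seen[src] = [(ts, d) for ts, d in seen[src] if t - ts < WINDOW] + [(t, dst)]
        reason = None
        if any(sig in payload for sig in SIGNATURES):
            reason = "signature"
        elif len({d for _, d in seen[src]}) >= FANOUT_LIMIT:
            reason = "fan-out"
        if reason:
            alerts.append((t, src, reason))
            if prevent:
                blocked.add(src)
                continue  # the offending packet itself is dropped
        delivered.append((t, src, dst))
    return alerts, delivered, blocked


if __name__ == "__main__":
    for mode, prevent in (("IDS", False), ("IPS", True)):
        alerts, delivered, blocked = inspect(EVENTS, prevent)
        print(mode, "alerts:", len(alerts), "delivered:", len(delivered),
              "blocked:", sorted(blocked))
```

In IPS mode the first two packets from the scanning source are still delivered, because the fan-out heuristic only fires once enough history has accumulated; signature matches are stopped on the first packet.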

Numerous companies provide IDS and IPS solutions. These include Cisco, Juniper, CheckPoint, Palo Alto, Gigamon, IBM, Sourcefire and TippingPoint, among others. Even if your organization determines to pursue an escalated security posture, selecting the product that best fits needs, goals and budget is a substantive undertaking. And implementation is only the first step. Having a well-trained staff capable of performing at a heightened level and interacting with specialized systems is a fundamental component of a full solution.

We live in an age with growing threats to our digital security. How much to spend on achieving a desired level of security is a question we must all face. The threat level is only increasing, and no one should feel that “it can’t happen to me.” There is no magic bullet that buys such security; only a comprehensive response can be effective. Perhaps most sobering is the fact that no one really knows how much network security they need... until the day after they needed it.

This article originally appeared in the issue of .

About the Author

David W. Dodd is vice president of Information Technology and CIO at the Stevens Institute of Technology in Hoboken, NJ. He can be reached at 201/216-5491 or [email protected].
