Futuristic Security Tools Available Right Now
Technology moves quickly, yet many organizations are still running the security tools of yesteryear. There are some genuinely new technologies in the network security marketplace, along with some clever takes on old themes. It is worth knowing what is available and how it can benefit your team.
Most organizations spend considerable effort securing their data so that they never suffer a breach. At the same time, it is understood that no system is immune to attack. The two positions seem at odds: if we accept that we will eventually be compromised, how do we protect ourselves once the attacker is already inside?
The honeypot is nothing new, but defense through deception has recently reached a new level through automation.
Many cybersecurity companies are taking an interesting approach to security: deception. The concept is simple: make attackers spend their time breaking into a network that is, in essence, fake. The platform dynamically spawns decoys that mimic normal user activity, network traffic, and data. Since regular employees have no reason to interact with these decoys, any user touching them is almost certainly unauthorized. The practical caveat is that vulnerability scanners, asset-discovery tools, and backup jobs also have no business on a decoy yet will happily connect to one, so those sources must be excluded (or, better, the decoys removed from their scan scopes) before the alert stream is truly clean.
Attackers almost always compromise one system and then move laterally through the network, following context clues to find valuable data or systems. Many deception systems counter this by seeding legitimate devices with breadcrumbs that lead attackers onto the false network: registry entries, files, recent-documents entries, and RDP shortcuts that lure an attacker into a decoy. This is a welcome shift to proactive defense and lets security teams out-maneuver attackers.
The system also inventories your existing network on an ongoing basis so that the decoys accurately mimic the production environment. The goal is a convincing set of decoys that detect and capture attackers and alert security engineers with nearly zero false positives.
The impact of an extremely low false positive rate cannot be overstated. Security teams are constantly fighting the deluge of information and alerts from the many systems they manage. Being able to add a tool to their arsenal that does not bring additional triage work is a compelling reason to look at deploying this type of product. Gartner reports that deception is a "far underutilized technology that provides serious advantages over attackers."
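The following is an added example of the detection side of a deception deployment, not code from any of the vendors discussed here. It plants one breadcrumb (a .rdp shortcut whose embedded username is a credential that exists nowhere else) and treats every non-allowlisted interaction with a decoy host or the planted credential as an alert. The decoy inventory, the allowlisted scanner address, the key=value log format and the sample log lines are all constructed for the example.

```python
"""Decoy-interaction detection, as an added example.

Illustrative code, not any vendor's product. Everything here is an assumption
constructed for the example: the decoy inventory, the planted credential, the
allowlist, and the key=value log format.
"""
import re
from dataclasses import dataclass

# Constructed decoy inventory: hosts with no production purpose, plus one
# account name that exists only inside planted breadcrumbs.
DECOY_HOSTS = {"10.0.50.21": "fileshare-decoy", "10.0.50.22": "rdp-decoy"}
DECOY_ACCOUNTS = {"svc_backup_old"}

# Sources that legitimately touch everything (e.g. a vulnerability scanner)
# and would otherwise produce the only "false positives" a decoy can have.
ALLOWLIST_SOURCES = {"10.0.1.5"}

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def make_rdp_breadcrumb(host: str, user: str) -> str:
    """Return the text of a .rdp shortcut pointing at a decoy.

    Dropped into a user's Documents folder it reads like a forgotten admin
    shortcut; the embedded username is the planted credential.
    """
    return (f"full address:s:{host}\r\n"
            f"username:s:{user}\r\n"
            "prompt for credentials:i:1\r\n")


def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value ...' log line into a dict."""
    return dict(KV_RE.findall(line))


def detect(lines) -> list:
    """Raise an alert for every interaction with a decoy host or credential.

    There is deliberately no scoring: any non-allowlisted touch of a decoy is
    an alert, which is what gives deception its near-zero false positive rate.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        src, dst, user = ev.get("src", ""), ev.get("dst", ""), ev.get("user", "")
        if src in ALLOWLIST_SOURCES:
            continue  # known scanner; better to remove decoys from its scope
        if dst in DECOY_HOSTS:
            alerts.append(Alert(ev.get("ts", ""), src, dst,
                                f"connection to decoy {DECOY_HOSTS[dst]}"))
        elif user in DECOY_ACCOUNTS:
            alerts.append(Alert(ev.get("ts", ""), src, dst,
                                f"use of planted credential {user}"))
    return alerts


# Constructed sample log: an attacker on 10.0.7.33 follows the RDP breadcrumb,
# then tries the planted account against a real file server; the scanner at
# 10.0.1.5 sweeps a decoy; a normal user accesses a real share.
SAMPLE_LOG = [
    "ts=2024-03-01T02:14:07Z src=10.0.7.33 dst=10.0.50.22 dport=3389 action=allow",
    "ts=2024-03-01T02:14:09Z src=10.0.7.33 dst=10.0.3.10 dport=445 user=svc_backup_old action=allow",
    "ts=2024-03-01T03:00:00Z src=10.0.1.5 dst=10.0.50.21 dport=445 action=allow",
    "ts=2024-03-01T09:12:44Z src=10.0.7.40 dst=10.0.3.10 dport=445 user=alice action=allow",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

Run against the sample log, the scanner's sweep of the decoy is suppressed by the allowlist and the normal user generates nothing, leaving exactly two alerts, both attributable to the same source host: the RDP connection to the decoy and the reuse of the planted credential against a real server. The second alert is the more valuable one, since it fires on a production system and shows the breadcrumb was collected and used.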
Rapid7, TrapX, and Fidelis Cybersecurity are among the vendors adding this type of technology to their offerings.
The Power of AI
Previously, SIEMs and log analytics tools were built on dictionaries of human-written pattern-match strings. That approach works for threats that are known and have been seen before, but it misses anything that does not match a signature. Systems that build their own baselines, recognize deviations from them, and learn from our environments to detect threats will be a powerful new ally.
DarkTrace is marketed as the "enterprise immune system". In more straightforward terms, DarkTrace is a network traffic analysis tool. It uses machine learning to identify anomalies in network traffic and detect threats, and it can also autonomously respond to, interrupt, and contain an attack in progress. Autonomous response is powerful, but it should be rolled out in alert-only mode first: a block that fires on a mis-learned baseline disrupts a legitimate business process just as effectively as it disrupts an attacker.
DarkTrace is marketed not as an antivirus, SIEM, or firewall, but as something like all of them. It can monitor many systems that a traditional security stack cannot. Plenty of network-connected devices fall outside the normal security tooling: IoT lighting, thermostats, SCADA systems, and the like. Because DarkTrace is network based and agentless, it can watch over these systems too, with the usual limitation of any passive sensor: it only sees the traffic delivered to it via taps or SPAN ports, and it sees encrypted flows only as metadata.
The other great advantage of systems that leverage AI is that they can be effective against new threats. Signature-based systems cannot detect an exploit for which no signature exists yet, so zero days frequently go undetected. A system that learns what is normal in your environment and flags anything outside that profile has a much better chance of detecting, and even preventing, a zero-day attack. Two caveats apply: an anomaly is not a verdict, so every flag still needs triage, and a baseline learned while an attacker is already active will treat that attacker's activity as normal.
Accurate anomaly detection is a good example of applied machine learning. A human readily understands that a user logging in at 3 a.m. is outside their normal pattern of behavior. A system that can be installed quickly and then flag and react to this type of event across an entire network could be very powerful.
While DarkTrace is heavily automated, it also allows security engineers to "replay" an event: you can shift the reporting back in time and review the activity related to an alert as it unfolded. This type of visibility speeds the analysis and resolution of security events that require human intervention.
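To make the "3 a.m. login" idea concrete, here is an added example of a per-user login-hour baseline with a simple deviation rule. It is illustrative code, not DarkTrace's or any vendor's algorithm. The log format, the users, the timestamps and the two thresholds (minimum history before a user is scored, minimum clock distance from any previously seen hour) are assumptions constructed for the example. It also shows the two caveats from the text: users with too little history are reported as unscored rather than guessed at, and the baseline is frozen to a training window so that new events cannot quietly redefine normal.

```python
"""Per-user login-hour baseline with anomaly scoring, as an added example.

Illustrative code only, not DarkTrace's or any vendor's algorithm. The log
format, users and timestamps are constructed; the thresholds are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

MIN_BASELINE_EVENTS = 5   # below this a user has no usable baseline (cold start)
MIN_HOUR_DISTANCE = 2     # hours away from anything seen before we call it anomalous


def parse_events(lines):
    """Parse constructed '<ISO-8601 UTC> <user> login' lines into (user, datetime)."""
    events = []
    for line in lines:
        ts, user, _action = line.split()
        events.append((user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")))
    return events


def build_baseline(lines):
    """Per-user histogram of login hours observed during the training window."""
    hours = defaultdict(Counter)
    for user, when in parse_events(lines):
        hours[user][when.hour] += 1
    return hours


def circular_distance(h1, h2):
    """Distance between two hours on a 24-hour clock (23 and 1 are 2 apart)."""
    d = abs(h1 - h2) % 24
    return min(d, 24 - d)


def verdict(baseline_hours, hour):
    """Classify one login hour against a user's baseline histogram."""
    if sum(baseline_hours.values()) < MIN_BASELINE_EVENTS:
        return "unscored"       # not enough history to say what normal is
    if baseline_hours[hour]:
        return "normal"         # seen this hour before
    nearest = min(circular_distance(hour, h) for h in baseline_hours)
    return "anomalous" if nearest >= MIN_HOUR_DISTANCE else "normal"


def score_events(baseline_lines, new_lines):
    """Score every new login against the baseline built from the training window.

    The baseline is built once from a fixed window on purpose: folding new
    events straight back in would let an intruder's 3 a.m. logins become
    "normal" after a few nights.
    """
    baseline = build_baseline(baseline_lines)
    results = []
    for user, when in parse_events(new_lines):
        results.append({"user": user, "ts": when.isoformat(),
                        "verdict": verdict(baseline[user], when.hour)})
    return results


# Constructed training window: alice logs in during office hours all week;
# bob appears only three times, too few to profile.
BASELINE_LOG = [
    "2024-03-04T08:02:11Z alice login",
    "2024-03-04T09:15:40Z alice login",
    "2024-03-05T08:31:02Z alice login",
    "2024-03-05T10:05:55Z alice login",
    "2024-03-06T09:01:13Z alice login",
    "2024-03-07T08:44:27Z alice login",
    "2024-03-08T09:20:09Z alice login",
    "2024-03-04T22:10:00Z bob login",
    "2024-03-05T22:30:00Z bob login",
    "2024-03-06T21:55:00Z bob login",
]

# Constructed new events to score against that baseline.
NEW_LOG = [
    "2024-03-11T03:12:48Z alice login",   # five hours from anything alice has done
    "2024-03-11T11:05:00Z alice login",   # adjacent to her usual 10:00 logins
    "2024-03-11T03:00:00Z bob login",     # bob has too little history to score
]

if __name__ == "__main__":
    for r in score_events(BASELINE_LOG, NEW_LOG):
        print(r)
```

Alice's 03:12 login is flagged, her 11:05 login is not (one hour from her usual window), and bob's 03:00 login comes back as unscored rather than as a confident verdict either way. A real product replaces the hour histogram with many features at once, but the same two questions, "how much history do I have?" and "how far is this from it?", are what the marketing term "learning what is normal" boils down to.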
Palo Alto Cortex
Palo Alto is best known as a firewall vendor, but it has expanded its security offerings with AI and machine learning in a new security platform called Cortex. The Cortex offering is made up of several pieces: Cortex Data Lake, Cortex XDR, the Traps endpoint agent, and other apps.
Cortex Data Lake
Data Lake is a public cloud service that collects and normalizes security data from across your environment. Normalization matters: as the volume of data grows, having every source in a standardized format is what allows analytic and machine-learning tools to be applied to the data set as a whole rather than to each product's logs separately. Cortex Data Lake aggregates data from Palo Alto's next-generation firewalls, Panorama, and Traps endpoints, aiming to cover many attack vectors.
Cortex XDR is the brain that sits on top of the mountain of data that Data Lake collects. It is cloud delivered and is a "zero touch" deployment, making installation simple. Time savings is clearly the theme of the entire product.
Cortex advertises high-value features such as automated root cause analysis, automated alert investigation, malware and ransomware prevention, and ongoing machine learning. It also lets security teams feed the knowledge acquired from each security event back into the product. Shifting from an investigative, reactive posture to a proactive, preventative one is the ultimate goal of security teams, and a product that learns with your team and keeps improving its effectiveness could provide great value.
Cortex also includes Traps, an endpoint protection agent, with support for Android, Linux, Mac, Windows, Citrix, and VMware. Endpoint support that broad, covering cloud and mobile platforms as well, means that few of your endpoints need to go without an agent.
Palo Alto has a track record of delivering high-quality, effective security solutions. With Cortex it now offers an end-to-end solution that is simple to install and provides visibility across the entire security deployment.
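The paragraph above says normalization is what makes cross-product analytics possible; this added example shows why with two constructed log sources and one common schema. It is illustrative code, not Cortex Data Lake's format or implementation: the firewall CSV layout, the endpoint JSON layout, the loosely ECS-style field names of the common schema and the shared action vocabulary are all assumptions made for the example. The payoff is the last function, an analytic written once against the schema that sees events from both products.

```python
"""Normalizing two constructed log sources into one schema, as an added example.

Illustrative code, not Cortex Data Lake's format or code. Both input formats,
the field names of the common schema (loosely ECS-style) and the action
vocabulary are assumptions made for the example.
"""
import csv
import json
from collections import Counter
from datetime import datetime
from io import StringIO

# One vocabulary for "what happened", whatever each product calls it.
ACTION_MAP = {"allow": "allowed", "deny": "denied",
              "allowed": "allowed", "blocked": "denied"}


def normalize_firewall(csv_text: str) -> list:
    """Constructed firewall export: CSV with a 'Y/m/d H:M:S' timestamp (assumed UTC)."""
    events = []
    for row in csv.DictReader(StringIO(csv_text)):
        when = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        events.append({
            "@timestamp": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "event": {"action": ACTION_MAP[row["action"]], "source": "firewall"},
            "source": {"ip": row["src"]},
            "destination": {"ip": row["dst"], "port": int(row["dport"])},
            "host": {"name": None},          # a perimeter device knows no hostname
        })
    return events


def normalize_endpoint(json_lines) -> list:
    """Constructed endpoint agent telemetry: one JSON object per line."""
    events = []
    for line in json_lines:
        rec = json.loads(line)
        events.append({
            "@timestamp": rec["time"],       # already ISO-8601 UTC in this source
            "event": {"action": ACTION_MAP[rec["verdict"]], "source": "endpoint"},
            "source": {"ip": None},          # the agent reports its host, not an IP
            "destination": {"ip": rec["remote_ip"], "port": rec["remote_port"]},
            "host": {"name": rec["host"]},
        })
    return events


def normalize_all(csv_text, json_lines) -> list:
    """Merge both sources into one list ordered by the shared timestamp field."""
    events = normalize_firewall(csv_text) + normalize_endpoint(json_lines)
    return sorted(events, key=lambda e: e["@timestamp"])


def denied_destinations(events) -> Counter:
    """An analytic written once against the schema, so it sees both sources."""
    return Counter(e["destination"]["ip"] for e in events
                   if e["event"]["action"] == "denied")


# Constructed firewall export: the same two sessions the endpoint agent saw.
FIREWALL_CSV = (
    "receive_time,src,dst,dport,action\n"
    "2024/03/01 09:12:44,10.0.7.40,10.0.3.10,445,allow\n"
    "2024/03/01 09:13:01,10.0.7.40,10.0.50.22,3389,deny\n"
)

# Constructed endpoint telemetry from the workstation behind 10.0.7.40.
ENDPOINT_JSON = [
    '{"time":"2024-03-01T09:12:50Z","host":"ws-007","process":"explorer.exe",'
    '"remote_ip":"10.0.3.10","remote_port":445,"verdict":"allowed"}',
    '{"time":"2024-03-01T09:13:05Z","host":"ws-007","process":"mstsc.exe",'
    '"remote_ip":"10.0.50.22","remote_port":3389,"verdict":"blocked"}',
]

if __name__ == "__main__":
    merged = normalize_all(FIREWALL_CSV, ENDPOINT_JSON)
    for e in merged:
        print(e["@timestamp"], e["event"]["source"], e["event"]["action"],
              e["destination"]["ip"], e["destination"]["port"])
    print("denied destinations:", dict(denied_destinations(merged)))
```

Once both sources share field names, a timestamp format and an action vocabulary, the merged list interleaves correctly by time and `denied_destinations` counts the blocked RDP attempt twice, once from each vantage point, without knowing which product produced the record. That is the property the text is describing: the analytic is written against the schema, not against each vendor's log format.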
Next Generation Firewalls
A firewall is likely the most iconic of all network security services. Firewalls have evolved from simple NAT and ACL boxes into a buffet of security services, and as attackers grow more sophisticated, expect vendors to keep adding tools to these appliances. The challenge with such a plethora of features is configuring and using them all effectively.
Palo Alto – Centralized Management
Palo Alto has consistently been rated a leader in the firewall sector by Gartner. As it evolves past securing the edge, Palo Alto is working to simplify the configuration and management of its security services and to leverage AI and machine learning to create more secure networks.
Panorama is a centralized management solution for all Palo Alto firewalls in the environment. Its aim is to reduce the complexity and visibility problems that come with managing multiple security appliances. Managing all appliances from a single rule base in a single location cuts down on administration time and standardizes rule bases, which reduces misconfigurations. Device groups and configuration templates push shared policy and device settings to many firewalls at once, further reducing management effort.
On top of management, Panorama provides visibility and reporting across all security appliances. Through log forwarding, Panorama gathers traffic flows, threats, URL filtering, data filtering, and WildFire data from every NGFW. App Scope reports show what is happening in your network: identifying top applications, URLs, bandwidth consumers, and so on gives security teams the information they need to respond to incidents.
Panorama lets you review multiple types of event log data and push updated security rules to all of your firewalls from one place, speeding incident resolution.
The shifting sands
Security threats have been changing. Nation states and professional cybercriminal rings are driving an increasingly sophisticated threat landscape, while the number and complexity of network-connected devices keep growing.
Many security professionals warn that the legacy security stack may soon be obsolete. Staying aware of current security offerings can keep your network ahead of the curve and, as a result, more secure.