June 24, 2022
What is Network Infrastructure Security?
Network infrastructure security is the protection of network assets such as hardware, software, and data against threats. These threats may be external, such as cyber-attacks that lead to data theft, or internal, such as careless or rogue employees.
Network infrastructure protections include firewalls, antivirus, intrusion prevention and detection systems, email security, access controls, and data loss prevention. These technologies play their own unique roles in protecting the network and are layered together to form a holistic defense system.
Types of Network Security Protections
1. Firewall
The age-old firewall is one of the longest-standing network security protections. Firewalls act as the frontline of network defense by regulating what enters and leaves the network. By monitoring and filtering incoming and outgoing data packets, firewalls block what is deemed malicious based on preconfigured firewall rules.
2. Endpoint Security
Endpoint security includes conventional antivirus software and newer EDR (endpoint detection and response) solutions, which are installed on endpoints like PCs, mobile devices, and servers to protect them. These solutions detect and remove malware that has bypassed the firewall to land on the endpoint or was loaded on the endpoint from inside the network or removable media.
3. Email Security
Email security refers to the various technologies and mechanisms used to protect email accounts and communication, including authentication, content filters, and content encryption. Phishing emails are one of the most prevalent ways threat actors breach a network. By crafting email content that is highly authentic-looking, attackers lure email recipients into clicking a URL to download malware or redirect them to another site for malicious purposes, such as credential theft.
4. Zero Trust Security
Zero trust is a security concept that assumes all users are untrusted by default. This means that all users, whether they are inside or outside the network, need to be authenticated and authorized every time they want to access network applications and data. Zero trust is designed to meet the challenges of modern-day network access scenarios, including the remote network access of employees and third-party network access such as suppliers, and countering the sophisticated credential theft or bypass capabilities of attackers.
5. Data Loss Prevention
Data loss prevention (DLP) solutions are designed to protect the sensitive data of organizations from loss, misuse, and unauthorized access. DLP solutions monitor data in use (on endpoints), in motion (network traffic), and at rest (database server) and identify violations of data policies as defined by the organization or data protection laws, such as HIPAA and GDPR. Once violations are detected, DLP will enforce remediation measures, such as alerting, blocking access, and data encryption.
6. Sandboxing
In cybersecurity, sandboxing is the practice of running untested or untrusted programs and code in an environment that is isolated from the rest of the operating system on which it is installed. By running programs and code in an isolated environment, sandboxing prevents malicious programs and code from damaging the actual operating system or spreading to other hosts on the network.
The Limitations of Signature-Based & Passive Protections
The protections listed above, like the majority of network protections, are signature-based and/or passive protections. While they play a vital role in securing the network, the increasing sophistication of cyber-attacks and the widening attack surface (more entry points of attack) mean that they are no longer adequate, either individually or used in conjunction. Let’s explore why.
Limitations of Signature-Based Protection
Signature-based protection refers to the detection of malware and malicious activity using known indicators of compromise (IoCs). Known IoCs include malware hashes (the unique ID of a piece of malware, just like a fingerprint), the IoCs of adversary infrastructure such as the malicious IP addresses and domains used in an attack, known application vulnerabilities, and known attack patterns.
Network security solutions that rely on signature-based detection include firewalls, IDS and IPS, endpoint security solutions, application firewalls, and sandboxing. The effectiveness of these protections is limited by the following challenges.
- New malware: With over 500,000 new malware samples created every day, it is virtually impossible to detect every single piece of malware using known malware signatures. Granted, a large proportion of newly created malware consists of variants of existing malware that can still be fingerprinted, but it only takes one piece of malware getting through to cause damage.
- New attack infrastructure: Attackers typically update their infrastructure from attack to attack, so not all newly used malicious IP addresses and domains are known and blocked.
- Lagged threat intelligence: Many security solutions do support the integration of live threat intelligence feeds to update IoC libraries for the most up-to-date protection. This certainly helps. However, given that the average time it takes to detect a breach is 212 days, these feeds are not exactly "live" and there is always a chance the network has already been compromised by the time IoCs are updated.
- Traffic encryption: Attackers can conceal malicious code using traffic encryption to evade security solutions that do not support decryption and deep packet inspection capabilities.
- Legitimate tools and services: Attackers often take advantage of legitimate native system tools and services to facilitate their attacks, which means that their malicious operations may not be picked up by endpoint security.
- Legitimate traffic: Firewalls cannot defend against distributed denial of service (DDoS) attacks. In a DDoS attack, attackers flood the victim network with legitimate traffic (hence the ability to cross the firewall) to paralyze network systems and applications through exhaustion.
Limitations of Passive Protection
Passive protection refers to security tools, mechanisms, and processes that detect and respond to threats when they appear but do not actively hunt for them.
Signature-based protections are essentially passive protections, as are rule-based protections such as access controls, zero trust access, and data loss prevention. The effectiveness of these protections is limited by the following challenges.
- No 100% signature-based protection: Given that there are so many ways attackers can subvert signature-based detection, it is not a question of "if" but "when" a breach occurs. With this in mind, passive protection is not enough, and what is needed is a mechanism to actively hunt for threats that are already inside the network.
- Credential theft: Attackers can deploy tools to steal legitimate access credentials and authenticate to network systems and applications, especially when multi-factor authentication is lacking. For example, attackers can use tools to obtain password hashes and log in to accounts without knowing the plaintext password, or use keylogging tools to capture the input values of password fields. Without continuous monitoring and auditing of user behavior after unauthorized access, attackers are free to operate under the radar.
The Benefits of Network Detection and Response (NDR)
When all else fails, network detection and response provides a robust last line of defense.
What is Network Detection and Response?
Network detection and response (NDR) is a burgeoning cybersecurity solution that analyzes real-time network-wide traffic to detect and respond to malware and behavioral-based malicious activity in the network.
The two keywords are real-time and behavioral-based.
NDR actively analyzes real-time traffic from across the network to hunt for threats that have breached the signature-based and rule-based protections. NDR detects behavioral-based threats that use legitimate tools, services, and traffic to evade detection. To do this, NDR leverages machine learning to build and continuously optimize baseline models of normal network activity. Network traffic is analyzed using AI-powered behavioral analytics, and the results are correlated with the baseline models to detect anomalies. Anomalies in network activity are good indications of threats, since legitimate accounts, tools, services, and data are going to be used in ways that differ from normal use patterns. For example, NDR would be able to detect the legitimate traffic of a DDoS attack by sensing a spike in the number of incoming requests.
The Advantages of NDR
- Active threat hunting: NDR is constantly at work hunting for threats that may have breached perimeter defenses and access controls.
- Non-signature-based detection: NDR detects unknown threats and behavioral-based threats through anomalous behavior. This means that malicious use of legitimate native system tools can be detected since they are being used in a way that does not match normal use patterns (e.g., identity, scope, time, duration, purpose).
- Network-wide threat visibility: NDR correlates real-time traffic across the network, from systems, endpoints, applications, and users to contextualize and make sense of anomalous activity and determine whether it constitutes a threat. Security operators are provided with full visibility of the chain of activity to trace attacks to the point of entry and identify compromised assets like users, endpoints, and systems.
- Agentless detection: Unlike endpoint security solutions, NDR does not rely on an agent installed on an endpoint, so attackers cannot detect whether their activities are being monitored. This helps to lower the attacker’s guard and emboldens them to carry out activities that will lead to their detection. Running without an agent also means that attackers cannot disable NDR.
- Real-time decryption: NDR supports real-time traffic decryption to uncover malicious activity hidden in encrypted traffic.
- Automated correlated response: NDR can also integrate with other security solutions to initiate automated correlated responses by issuing commands to them.
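An added example (not code from the original post) showing in Python the two kinds of behavioral baseline this section describes: a statistical baseline of the inbound request rate that flags the DDoS-style spike mentioned above, and a per-identity profile of legitimate tool use that flags use by the wrong identity or at an unusual hour, as in the non-signature-based detection point. The per-minute counts and activity records are constructed sample data; the 3-sigma threshold and the 2-hour slack are assumed tuning values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: inbound requests per minute to one host during a
# quiet training window, then a live window containing a traffic flood.
TRAINING_COUNTS = [120, 115, 130, 125, 118, 122, 127, 119, 124, 121]
LIVE_COUNTS = [123, 119, 980, 1450, 1510]

# Constructed sample data: (user, tool, hour-of-day) records of native tool
# use, first the baseline period, then the live period under analysis.
TRAINING_EVENTS = [("alice", "powershell", 10), ("alice", "powershell", 14),
                   ("alice", "rdp", 9), ("bob", "ssh", 9), ("bob", "ssh", 17)]
LIVE_EVENTS = [("alice", "powershell", 11), ("alice", "powershell", 3),
               ("bob", "powershell", 12), ("bob", "ssh", 16)]


def rate_baseline(counts):
    """Statistical baseline of normal activity: mean and population stdev."""
    return mean(counts), pstdev(counts)


def is_rate_anomaly(count, mu, sigma, threshold=3.0):
    """Flag a minute whose request count sits more than `threshold` sigmas above normal."""
    if sigma == 0:          # flat baseline: any increase is a deviation
        return count > mu
    return (count - mu) / sigma > threshold


def detect_request_spikes(training=TRAINING_COUNTS, live=LIVE_COUNTS):
    """Return the indices of live minutes that deviate from the learned baseline."""
    mu, sigma = rate_baseline(training)
    return [i for i, c in enumerate(live) if is_rate_anomaly(c, mu, sigma)]


def build_tool_profile(events):
    """Learn, per identity, which tools it uses and at which hours."""
    profile = defaultdict(lambda: defaultdict(set))
    for user, tool, hour in events:
        profile[user][tool].add(hour)
    return profile


def tool_use_anomalies(profile, live_events, slack=2):
    """Flag tool use by an identity, or at an hour, that the baseline never saw."""
    findings = []
    for user, tool, hour in live_events:
        usual_hours = profile.get(user, {}).get(tool)
        if not usual_hours:
            findings.append((user, tool, hour, "tool never used by this identity"))
        elif min(abs(hour - h) for h in usual_hours) > slack:
            findings.append((user, tool, hour, "outside usual hours"))
    return findings
```

In real deployments the baseline is rebuilt continuously and the deviation thresholds are tuned per environment; the flagged events are the anomalies an analyst would then correlate across the network as described above.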
A Multi-Layered Approach
Active, behavioral-based protection technologies such as NDR are not superior to passive, signature-based protections. Passive, signature-based protections provide a robust first line of defense that filters out most threats. Without them, networks will be overrun with threats left, right and center. This allows active, behavioral-based protections like NDR to focus on cleaning up what has slipped through. They are essentially a double act working in tandem to provide network infrastructure with multi-layered, holistic protection.