You’ve done everything to secure your network, and you still face threats. That’s what most businesses say about their cybersecurity, and they’re half right: they do still face threats, but they haven’t done everything to address them. In fact, most businesses haven’t actually implemented the two platforms that real cybersecurity has to rest on.
When I ask businesses whether they’ve done a top-down analysis of cybersecurity, they often say they do one every year. When I ask what that assessment involves, they say they look for signs that their current strategies have failed, and then build another layer, like putting a second Band-Aid on a cut.
Forgive me, but that doesn’t sound very “top-down”. Modern cybersecurity should start with the simple requirement that no one can access anything they are not authorized to access. Take Charlie, who oversees parking-lot maintenance. Suddenly Charlie is looking at last quarter’s sales records or checking the inventory levels of some product. Perhaps those products have been wearing away the asphalt, or is this a signal of a threat, either from Charlie or from malware on his device?
That’s not just true of the Charlies of our businesses. Chugging along in the data center is an application that monitors the status of doors on the headquarters campus. All of a sudden, this application is accessing a module that is linked to the payroll system. Unless we think the doorknob is on the payroll, this should also be a warning sign. IP networks connect by default: anything can reach anything unless something explicitly blocks it, which means the ability to connect is not in itself secure.
Secure connection rights
The problem with connection-permission security is that it’s inconvenient because it’s complicated. Start with “Charlie”, not as an example but as an individual. Because Charlie has, unreasonably, declined to have a MAC-layer address chip implanted, he has no network identity of his own. Do we assume that a device assigned to him is a solid indicator of his identity? What if Sandy sat down at Charlie’s desk to do some quick little app tweaks? She shouldn’t have inherited Charlie’s privileges, but she probably did.
Maybe Sandy gets a promotion or a new assignment. What she should have access to has now changed, but NetOps forgot to update their magic connection monitor, and so Sandy’s first report is late. Meanwhile, NetOps is not happy either, because every time someone’s role changes they have extra work to connect that person to everything they need and to sort out the innocent mistakes that create unauthorized access. So they change the system so that every employee is assigned a “role”, and connection rights are attached to the role rather than to the person. Now we just need to assign people to their appropriate roles, and everything is fine…maybe.
The concept of “roles” is useful in limiting the number of explicit connectivity policies a business needs. However, it depends on two things. First, role permissions must be strictly defined so that no one has access to things their work doesn’t justify. A role hierarchy can help by eliminating redundant policy statements: rights common to everyone are stated once in a base role, and more specific roles inherit them. Second, user identity authentication must be strong, so that each user is assigned the correct role and so that someone who does not hold a role is never granted its access.
Permission to connect works very well if it is faithfully maintained at all three levels: identity, role, and connection policy. Even with methods that tighten all three points, errors can still occur. What can be done to reduce that risk? The answer is artificial intelligence (AI) and machine learning (ML).
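The three levels the article names (identity, role, connection policy) are easy to describe and easy to get subtly wrong, so here is a small, added example that is not code from the article or from any product. It models a constructed role hierarchy in which common rights are stated once, binds roles to authenticated people rather than to devices, and puts the device-as-identity shortcut beside the correct check so the Sandy-at-Charlie’s-desk case is visible. All role, user, device and application names are invented for the example.

```python
"""Connection-permission check with a role hierarchy and identity binding.

Added example, not the article's code. Policy, users and devices are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed role policy: each role lists the applications it may connect to
# and the roles it inherits, so shared rights are written once in "employee".
ROLES = {
    "employee":   {"allow": {"email", "intranet"}, "inherits": []},
    "facilities": {"allow": {"door-monitor", "work-orders"}, "inherits": ["employee"]},
    "finance":    {"allow": {"sales-records", "payroll"}, "inherits": ["employee"]},
}

# Constructed bindings. Roles attach to people; device ownership is recorded
# only to show why it must not be used as an identity.
USER_ROLE = {"charlie": "facilities", "sandy": "finance"}
DEVICE_OWNER = {"charlie-pc": "charlie", "sandy-laptop": "sandy"}


def effective_allow(role, roles=ROLES, _seen=None):
    """Flatten the hierarchy: a role's own rights plus everything it inherits.
    Unknown roles yield nothing, and visited roles are tracked so a policy
    with an accidental cycle cannot recurse forever."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:
        return set()
    _seen.add(role)
    allowed = set(roles[role]["allow"])
    for parent in roles[role]["inherits"]:
        allowed |= effective_allow(parent, roles, _seen)
    return allowed


@dataclass
class Request:
    device: str                   # where the packets come from
    app: str                      # destination application
    user: Optional[str] = None    # identity asserted by the authentication layer
    authenticated: bool = False   # True only after strong (e.g. MFA) authentication


def authorize_by_device(req):
    """The weak shortcut: treat the device as the identity. Whoever is sitting
    at Charlie's desk gets Charlie's role."""
    user = DEVICE_OWNER.get(req.device)
    role = USER_ROLE.get(user)
    if role and req.app in effective_allow(role):
        return True, f"allow: {req.device} (owner {user}, role {role}) -> {req.app}"
    return False, f"deny: {req.device} -> {req.app}"


def authorize(req):
    """Deny by default; grant only to an authenticated user whose role covers
    the application. The device plays no part in the decision."""
    if not req.authenticated or req.user is None:
        return False, f"deny: unauthenticated session on {req.device} -> {req.app}"
    role = USER_ROLE.get(req.user)
    if role is None:
        return False, f"deny: {req.user} has no role"
    if req.app in effective_allow(role):
        return True, f"allow: {req.user} ({role}) -> {req.app}"
    return False, f"deny: {req.user} ({role}) -> {req.app} is outside the role"


def unauthorized_attempts(requests, decide=authorize):
    """Run requests through a decision function and return the denials; these
    are the log alerts that should be reviewed."""
    denied = []
    for req in requests:
        ok, reason = decide(req)
        if not ok:
            denied.append(reason)
    return denied


# Constructed sample traffic.
SAMPLE = [
    Request("charlie-pc", "door-monitor", user="charlie", authenticated=True),   # normal
    Request("charlie-pc", "sales-records", user="charlie", authenticated=True),  # Charlie reads sales
    Request("charlie-pc", "door-monitor"),   # Sandy at Charlie's desk, never authenticated as herself
    Request("sandy-laptop", "sales-records", user="sandy", authenticated=True),  # normal
]

if __name__ == "__main__":
    for line in unauthorized_attempts(SAMPLE):
        print(line)
    print("device-as-identity would say:", authorize_by_device(SAMPLE[2]))
```

Note the difference on the third request: `authorize_by_device` allows it because the packets come from Charlie’s machine, while `authorize` denies it because nobody authenticated. That gap is exactly the privilege Sandy inherits in the article.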
AI/ML Traffic Analytics
Any use of the network generates traffic, and traffic forms patterns. Malware looking for a vulnerability is also an application, and it also generates a traffic pattern. If AI/ML monitors traffic patterns, it can distinguish malware from normal application access. Even if malware infects a user who has access to a pool of applications, it is unlikely to replicate the traffic pattern that user created through legitimate access. Thus, AI/ML can spot the difference and generate an alert. That alert, like a log entry for an unauthorized connection attempt, is then followed up to validate the security status of the user’s device.
The advantage of AI/ML traffic-pattern analysis is that it can be effective even when the user is difficult to identify, which is exactly where connection authorization is weakest. In fact, you can perform traffic-pattern analysis at any level, from a single user to the entire network. Think of it as a kind of source/destination-address logging process: as of a given time, have I ever seen packets from or to this address or this subnet? If not, a more detailed analysis may be in order, or even a warning.
A branch office is staffed with a variety of roles, but it is rare for a branch office to have employees from every possible role. Since application and data access is usually assigned based on what employees are expected to do, many applications will never be accessed from a given branch location. Branch-level AI/ML traffic-pattern analysis can therefore detect an attempt to access an application that no one at that branch should be using. Anomalous traffic patterns at the branch level, or for subnets within the headquarters location, can be used to flag a group of workers for more stringent security checks, either manually or through further analysis of traffic per employee.
AI/ML can also detect changes in a worker’s own behavior. Even if an employee isn’t accessing anything they lack permission for, a large change in their traffic pattern could indicate malware, but it could also indicate human error, or an employee doing a bit of browsing among the applications. Maybe it is a sign that the employee is unhappy and could pose a security threat, but it is also possible that the employee has a new assignment that requires different access rights, in which case NetOps should review their connection policies.
Either connection permission or an AI/ML traffic-analysis strategy will improve network security on its own, but together they form a strong foundation for securing not only the network but also the data and applications to which the network connects. If you start your security plan with these two technologies and use them correctly, you will improve your security. Maybe you can even peel off some of those Band-Aid layers.
Copyright © 2022 IDG Communications, Inc.