Now permeating board rooms across America: Audit Committees challenge CIOs and CFOs to stop assuming network security protections are adequate! They ask: What's our risk of becoming the next Anthem, Target, Sony, eBay, Home Depot (cyber breach)?
[Chart: Millions of Records, one bar per breach named above. Bar values recovered from the chart: 145, 110, 104, 80, 76, 56; axis labels recovered: 5/14, 9/14. The bar-to-company labels did not survive extraction.]
The perplexing translation of the above question is: how well do we search for something we don't know, then lock it down? The predictable response: a deer-in-headlights stare from the CIO and CFO.
At a conference for audit committee chairmen, there was quite a somber panelist: he's a supervising agent for the FBI for northern California. He challenged us with questions to ask our CIOs. I'll share the story he told (paraphrased for length).
First, he explained the FBI's perspective: it's when, not if, your company will be victimized by cyber theft. He emphasized that the percentage of companies being hit is far, far higher than what is reported in the media, because "we at the FBI get calls all the time." He explained: most companies are too embarrassed and avoid public disclosure. Why? Part of the reason is that in most circumstances, the cyber thieves have been inside the network undetected for significant lengths of time before the company discovered the breach and damage.
Here's his story/analogy: Assume your data center / network is like a building with 40,000 windows. Wisdom requires your windows to have locks and security alarms. So you do, and you feel safe; you assume your detection mechanisms give you security and visibility. "You're feeling comfortable, but it's a false sense of risk assessment," he says.
The FBI supervising agent further explained: technology evolves faster than organizations are able to react and adapt. Move aside the porn industry; it's now the cyber-criminal industry blazing new trails of surreptitious innovation (and what an industry it's become, with Anthem's breach being an example). In short, your windows leak.
His commentary continued: companies invest heavily in preventing infiltration and, to a lesser degree, detection. The question he posed for us Audit Committee chairmen to ask the CIO and CFO: How do you prevent exfiltration?
The FBI supervising agent elaborated as follows: First, assume you can only minimize, not prevent, infiltration. Secondly, regarding detection, you need tools that enable deeper visibility into your network. Existing network security tools are very good. However, the inherent design of data flow in networks enables no shortage of hiding places for cyber thieves. Invest in technology that collaborates with security tools to enhance their potency. Third, when detection occurs, too often network operators lack the agility of immediate control to prevent exfiltration (that is, to prevent the cyber thief from getting out). In short, invest more in tools for change management. Damage can be greatly minimized by locking down and preventing valuable information from getting out (exfiltration).
As trusted business advisors, CIOs and CFOs and their teams must be aware of the latest technological innovations and their impact on organizations. SDN as a programmable and proactive security architecture can be a major element of this. The more agile the network, and the more visibility it provides into traffic anomalies, the more active (versus passive) protection it can provide. And although CIOs are still judged on network uptime and issue resolution, these are all known elements given proper network design. It is the unknown, as I noted above, that should keep CIOs up at night: the unknowns that can kill a firm's reputation.
CIO KPIs: [figure; its contents were not recovered in the text]
Afterword: In fact, the CIO and CFO are very adept at fighting the good fight with cyber thieves. And most are eager to take 'em on, shut 'em down. As one of my CIO friends said: "You wanna mess with my network? I'll smoke you out faster than a greased monkey slides down a tree."
Learn how: Good discussion about how a CIO can use SDN to avoid being the next Sony breach. See next page.
The Sony Breach and Protecting the Soft Interior with SDN
Dave Ginsburg, CMO, Pluribus Networks, Inc.
"You could have a moat around a heavily fortified castle, but if the bridge is down, then your fortifications become worthless." PwC, 2014
There has been much written about the Sony breach, as well as a growing number of other less damaging compromises (at least we hope) where the perimeter was thought to be secure but the interior was left unprotected. For example, incidents reported by medium enterprises (those with revenues from $100 million to $1 billion) grew 64 percent between 2013 and 2014, with cost per incident growing by 53 percent [1]. Small enterprises, in fact, reported less, due to what many say is an underinvestment in tools, with estimates that 71 percent of attacks go unreported. Given today's interconnected business ecosystem, this is indeed a dangerous situation. SDN-based network security with in-line analytics offers a solution.
The idea of interior protection is not new, and while some vendors do in fact focus on delivering network packet brokers/visibility fabrics, penetrations abound since these solutions are reactive instead of proactive. If the keys to the kingdom are compromised, such as the sysadmin's passwords, what can the network do for protection, as opposed to relying on human intervention? Today, intrusions happen too fast for anyone to respond effectively, and terabytes can be siphoned off overnight.
Unfortunately, the gap is widening between the speed at which compromises happen and that at which they are discovered. The percentage of breaches that have occurred in a matter of days has grown from 75 percent to 90 percent over the last nine years, while discovery in the same time window has remained below 25 percent. With some of the more serious, professional attacks, discovery may take months. By some estimates, in 2014, the negative direct impact on the global economy was up to $575 billion, and the potential IP loss was up to $2.2T! That's a T.
[Figure: the widening gap between time to compromise and time to discovery. Source: Verizon [2]]
Once the infiltrator is inside the network, what does this look like, and why are existing tools incapable of providing real-time protection? Visibility fabrics consisting of taps and collectors are deployed in parallel to the actual data connections, and are not integrated into the network control plane. They are also capable of only sampling a portion of the data. For example, a 48-port 10G TOR switch may have one 10G port spanned to the visibility fabric: that single SPAN port can carry at most about 2 percent of the switch's 480G aggregate capacity, so whenever the mirrored traffic exceeds it, the excess is sampled or simply dropped before it ever reaches the analysis tools. These two issues prevent today's visibility fabrics from being used for real-time protection.
As an example, assume the taps recognize that Host A is sending way too much traffic to Host B, external to the network. Maybe Host C is under SYN attack from outside of the network. Or, more commonly, Host D has some security vulnerability, has been compromised, and is now acting as a vector for an attack. Taps may track this, but then send the data to a correlation platform that informs the IT manager that something is awry. They don't integrate with the control plane, they have no historical context, and thus the feedback loop is broken. The manager must then understand just where in the network the attack is taking place, and manually reconfigure the switches and routers. Remember, the perimeter is thought to be secure, so interior policies are not too restrictive. And no single device really has visibility into the application flows themselves. They do what they are designed to do: forwarding packets hop by hop.
CIOs recognize that current approaches don't scale or provide the necessary responsiveness. At the recent ONUG in NYC, attendees of the Overlay working group tagged end-to-end monitoring as their top unmet requirement [3]. SDN and network/flow programmability offer a solution.
Deploying virtual probes in-line with the data traffic results in real-time application visibility. The IT manager can craft a set of rules to take immediate effect based on outlier analysis, and the network feedback loop is now immediate, bypassing the delays of human intervention [4]. The process is as follows: invoke native rules, or automatically pass to hosted intrusion detection software for further analysis and action.
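As an added example, not code from the article and not Pluribus Netvisor code, the following Python script runs the kind of outlier analysis and automatic rule generation described in the Host A / Host C scenarios and the "process" paragraph above over a constructed set of flow records. It assumes a hypothetical interior address space (10.0.0.0/8 and 192.168.0.0/16), a simplified flow tuple of (source, destination, destination port, TCP flags, bytes), and a hypothetical match/action dictionary standing in for whatever a real SDN controller would push; none of these come from the page.

```python
"""
Added example (not from the article, not vendor code): close the feedback
loop by turning in-line flow observations into network rules as data,
instead of paging an operator to reconfigure switches by hand.

Flow records, address ranges and the rule format are all constructed /
hypothetical for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Hypothetical interior address space; anything outside it is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed five-minute flow records: (src, dst, dst_port, tcp_flags, bytes).
# Ten baseline hosts push a few MB each to an external web host; 10.0.1.40
# pushes ~2 GB to a single external host (bulk exfiltration, the "Host A"
# case); 10.0.2.9 receives thousands of bare SYNs from many sources with no
# completed handshakes (the "Host C" SYN-attack case).
FLOWS = []
for i in range(1, 11):
    FLOWS.append((f"10.0.1.{i}", "93.184.216.34", 443, "SA", 2_000_000 + i * 50_000))
FLOWS.append(("10.0.1.40", "198.51.100.7", 443, "SA", 2_100_000_000))
for i in range(2000):
    FLOWS.append((f"203.0.113.{i % 250 + 1}", "10.0.2.9", 80, "S", 60))
FLOWS.append(("10.0.1.3", "10.0.2.9", 80, "SA", 150_000))  # legitimate interior flow


def egress_outliers(flows, k=10.0):
    """Bytes each interior source sent to external hosts; flag anything
    beyond median + k * MAD. Median/MAD is used instead of mean/stddev
    because one huge exfiltration would otherwise inflate the baseline
    and hide itself."""
    egress = defaultdict(int)
    for src, dst, _, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            egress[src] += nbytes
    values = list(egress.values())
    if len(values) < 3:  # too few hosts for a meaningful baseline
        return {}
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    return {src: (v - med) / mad for src, v in egress.items() if (v - med) / mad > k}


def syn_flood_targets(flows, min_syns=500, max_ack_ratio=0.05):
    """Flag interior hosts receiving many bare SYNs while almost no flows
    toward them completed the handshake (no ACK bit ever seen)."""
    syns = defaultdict(int)
    handshakes = defaultdict(int)
    for _, dst, _, flags, _ in flows:
        if not is_internal(dst):
            continue
        if flags == "S":
            syns[dst] += 1
        elif "A" in flags:
            handshakes[dst] += 1
    out = {}
    for dst, n in syns.items():
        ratio = handshakes[dst] / (n + handshakes[dst])
        if n >= min_syns and ratio <= max_ack_ratio:
            out[dst] = n
    return out


def build_rules(flows):
    """Turn detections into match/action rules (hypothetical format) that a
    controller could push immediately: drop the exfiltrating source's
    external egress, and rate-limit bare SYNs toward a flooded host. Rules
    are plain data so they can be logged, reviewed and rolled back later."""
    rules = []
    for src, score in sorted(egress_outliers(flows).items()):
        rules.append({"match": {"src": src, "dst": "external"},
                      "action": "drop",
                      "reason": f"egress outlier, MAD score {score:.0f}"})
    for dst, n in sorted(syn_flood_targets(flows).items()):
        rules.append({"match": {"dst": dst, "tcp_flags": "S"},
                      "action": "rate_limit",
                      "reason": f"{n} bare SYNs, no completed handshakes"})
    return rules


if __name__ == "__main__":
    for rule in build_rules(FLOWS):
        print(rule)
```

Two practitioner caveats before wiring output like this into a live controller: known bulk egress (backup targets, replication peers) needs an allowlist or its own baseline, or the first nightly backup after deployment becomes a self-inflicted outage; and every pushed rule should carry the evidence that produced it, as the "reason" field does here, so the look-back forensics the article asks for can explain why the network changed.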
Additionally, the information gathered and steps taken are not just points in time. The ability to look back in time, a rich forensics capability, is also part of the embedded solution. Luckily, there is now an awareness that this new class of tools exists, and their role in protection, detection, and response is now a CIO imperative.
Footnotes:
1. Managing cyber risks in an interconnected world - Key findings from The Global State of Information Security Survey 2015, September 2014, PwC.
2. 2014 Data Breach Investigations Report, April 2014, Verizon Enterprise Solutions.
3. ONUG-Fall-2014-Overlay-WG-UC-Poll-Results.png, October 2014, ONUG.
4. Netvisor: Bare Metal Control Plane, Application Level Analytics and Intrusion Detection, August 2014, ACM.