Defending networks in the age of cyber espionage

By Gigamon

Ian Farquhar from Gigamon sets the scene today, and how governments can adapt.

“A cyber attacker just has to find the spot you've missed,” says Ian Farquhar, director of the worldwide security architecture team at network security leader, Gigamon.

This is the reality governments face - they have to defend against cyber attacks that could come in from any direction, in a massively complex and open environment.

“Fifteen years ago, most governments wouldn't even admit to having a cyber security attack capability, or a defensive cyber security capability. Nowadays, it's in the news,” Farquhar tells GovInsider. He shares techniques for governments to secure their networks, which are all the more vulnerable in highly hostile cyber space.

The cyber kill chain

“We're starting to see the emergence of cyber attacks as a diplomatic tool,” says Farquhar. But in modern-day cybersecurity, it is much easier to be an attacker than a defender, which creates a power imbalance, he believes. These days, “lots of countries can actually build a credible cyber attack capability and not even require the investment of a traditional military force”, he explains.

He references the Cyber Kill Chain, a framework first proposed by defence company Lockheed Martin which outlines steps for a successful cyber attack. It was in fact inspired by a military technique. One of the steps is “lateral movement”, where attackers “move through the network, going from system to system, compromising things, breaking in”, according to Farquhar.

Attackers can work their way into a system through phishing or malware attacks, preying on unsuspecting staff using machines that are not very well secured - for instance, a help desk. “Traditionally in security, we put all the defenses around the edge; this is called perimeter security. And it makes detecting lateral movement really difficult,” says Farquhar.

Spotting the invaders

Just like a clumsy home invader, as attackers ‘move’ around in an unfamiliar cyber environment, they will generate ‘noise’ that betrays their position. However, your defence systems will only pick up on this ‘noise’ if you are actually looking for it, Farquhar points out.

What’s more, experienced attackers will undoubtedly be prepared for advanced system defences. Once they suspect that they have been ‘seen’ by the system, they will kickstart a series of commands to ‘hide’ their operations, he continues. When that happens, “finding them will be exceedingly difficult”.

Another factor that complicates things is that governments may not realise that networks are not always designed to be secure. “Traditionally, networks were built for speed and reliability. But we never engineered networks for security,” Farquhar says.

Often, IT departments will secure the ‘endpoints’ - mobile devices and laptops for example - and forget about the network itself. Endpoint security tools are at a disadvantage as well - they can typically only process a few gigabits of traffic that is coming through a single point in the network. “One of the fundamental security principles is ‘defence in depth’. Endpoint-only security isn’t that,” Farquhar emphasises.

Network security reimagined

Gigamon’s government customers can “see threats traversing their networks”, allowing them to detect and catch attackers much faster. “What Gigamon does is take all of that network, aggregate the traffic and make it available to every single security tool,” Farquhar elaborates. “It understands what traffic that tool can handle, and gives it visibility - so it makes the tool better.”

Network visibility casts a light onto any kind of network out there - physical, virtual and cloud. This allows IT teams to “take any traffic from anywhere and feed it into any security tool”, explains Farquhar.

And it removes any doubt as to whether an external system can be trusted or not. “If we look at a connection from system A to system B, how do I know that is an attack, or normal business?” Farquhar notes. An innocuous-seeming Facebook profile could in fact be commands to malware, using a fake identity to execute commands and launch an attack, he points out. “Unless I could see inside that traffic, I won't be able to tell the difference.”

In a way, network visibility can help defenders to reclaim some of their power in the cyber world. “If your attacker doesn’t see your tools, capability or response until it lands upon them, then you have made their job much harder for them,” Farquhar remarks. “If you have total visibility of your internal network, the power imbalance between attackers and defenders reverses.”

He neatly summarises his vision for governments of the future. “I want to see them make security a key requirement for their network design - so that networks are built for speed, reliability and security.”

Cybersecurity can be a daunting task for governments today, as attacks are getting much more sophisticated. Only when governments can oversee all the information flowing in and out of their networks can they better defend themselves.