DCN November 2016 - Page 21

security aspects. In other words, behaviour is not uni-dimensional. Taking in all of this detail is best accomplished through machine learning; otherwise it is an enormous task and easy to get wrong. Once a baseline of user and device behaviour has been established, the network should be continuously monitored for any significant differences or anomalies. The undertaking does not end there, or it will likely produce the typical flood of security alerts that buries most security and IT groups. Fidelity is essential: only those anomalies that are indicative of an attack should be flagged and issued as an alert. Traditional security systems may alert on actual attacker activity, but that alert is likely buried under a flurry of others that are generally false positives. Finding a meaningful alert in that scenario is a matter of sheer luck.

Needle in the haystack

Traditional security systems commonly produce 500 or 1,000 daily alerts, or more. Of these, only a very small number might be meaningful. This is essentially the needle in the haystack problem. It is remedied through an alerting system that is driven by behaviours rather than technical artefacts, and one that further understands an activity as part of an orchestrated campaign being run by an attacker. A major boost to accuracy is the ability to see 'the wood for the trees'. A tree by itself may not yield much significance, yet a number of trees that all have related activities may signal a malicious operation.

Finally, it is vital to cover the likely attack surface. For the most part this means looking deeply at what users and endpoints are doing. It is essential to see traffic between users and data centres, regardless of whether it is an on-premises data centre under your own management, a private cloud data centre or one hosted in the public cloud. Having visibility into only some data centres inherently creates severe limitations on the ability to uncover an active attack.
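The baseline-then-correlate approach described above can be shown in a few dozen lines. The following is an added example, not code from the article or from any product it discusses. It learns per-host normal behaviour (how many distinct destinations a workstation talks to per day, and how many bytes it sends) over a five-day window, scores the sixth day against that baseline, and then applies the 'wood for the trees' rule: a single anomaly on a host is recorded but not alerted, while a host with related anomalies in more than one dimension raises one alert. The flow records, host names, the z-score threshold of 3 and the requirement of two related anomalies per host are all constructed assumptions for illustration.

```python
"""Baseline, anomaly, correlate: a minimal behaviour-driven alert pipeline."""
from collections import defaultdict
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 6)   # days used to learn normal behaviour (assumed)
OBSERVED_DAY = 6              # day being scored (assumed)
Z_THRESHOLD = 3.0             # distance from baseline that counts as anomalous (assumed)
MIN_RELATED_ANOMALIES = 2     # related anomalies on one host needed to alert (assumed)
USUAL_SERVERS = ("file-01", "mail-01", "auth-01")   # hypothetical hosts


def constructed_flows():
    """Constructed flow records (day, src_host, dst_host, bytes_out).
    Not real traffic: a hypothetical five-day baseline plus one observed day."""
    flows = []
    for day in BASELINE_DAYS:
        for host in ("ws-01", "ws-02", "ws-03"):
            for i, dst in enumerate(USUAL_SERVERS):
                # small day-to-day variation so the baseline has a spread
                flows.append((day, host, dst, 20_000 + 1_000 * ((day * 7 + i) % 5)))
    day = OBSERVED_DAY
    for host in ("ws-01", "ws-02", "ws-03"):
        for dst in USUAL_SERVERS:
            flows.append((day, host, dst, 20_000))
    # ws-01: nine never-before-seen internal hosts AND 5 MB pushed outside
    flows += [(day, "ws-01", f"srv-{n}", 1_000) for n in range(10, 19)]
    flows.append((day, "ws-01", "ext-cdn", 5_000_000))
    # ws-02: one extra printer, ordinary volume (benign)
    flows.append((day, "ws-02", "print-01", 2_000))
    # ws-03: the same nine new hosts, but ordinary volume (a lone 'tree')
    flows += [(day, "ws-03", f"srv-{n}", 1_000) for n in range(10, 19)]
    return flows


def daily_features(flows):
    """Per (day, host): the two behavioural dimensions that get scored."""
    dsts, volume = defaultdict(set), defaultdict(int)
    for day, src, dst, nbytes in flows:
        dsts[(day, src)].add(dst)
        volume[(day, src)] += nbytes
    return {k: {"distinct_dst": len(dsts[k]), "bytes_out": volume[k]} for k in dsts}


def build_baseline(features):
    """Mean and spread of each dimension per host over the baseline window."""
    series = defaultdict(lambda: defaultdict(list))
    for (day, host), dims in features.items():
        if day in BASELINE_DAYS:
            for name, value in dims.items():
                series[host][name].append(value)
    baseline = {}
    for host, dims in series.items():
        baseline[host] = {}
        for name, values in dims.items():
            mu = mean(values)
            # floor the spread so a perfectly regular baseline cannot make
            # every tiny change look infinitely anomalous
            sigma = max(pstdev(values), 0.1 * mu, 1.0)
            baseline[host][name] = (mu, sigma)
    return baseline


def score_anomalies(features, baseline, day=OBSERVED_DAY):
    """One raw anomaly per (host, dimension) whose z-score exceeds the threshold."""
    anomalies = []
    for (d, host), dims in features.items():
        if d != day or host not in baseline:
            continue
        for name, value in dims.items():
            mu, sigma = baseline[host][name]
            z = (value - mu) / sigma
            if z > Z_THRESHOLD:   # only upward deviations matter for these dimensions
                anomalies.append({"host": host, "dimension": name,
                                  "value": value, "z": round(z, 1)})
    return anomalies


def correlate(anomalies, min_related=MIN_RELATED_ANOMALIES):
    """Raise an alert only for hosts whose anomalies line up across dimensions."""
    per_host = defaultdict(list)
    for a in anomalies:
        per_host[a["host"]].append(a)
    return [{"host": host, "evidence": sorted(a["dimension"] for a in evidence)}
            for host, evidence in sorted(per_host.items())
            if len(evidence) >= min_related]


def run(flows=None):
    """Return (raw anomalies, correlated alerts) for the constructed data."""
    flows = constructed_flows() if flows is None else flows
    features = daily_features(flows)
    anomalies = score_anomalies(features, build_baseline(features))
    return anomalies, correlate(anomalies)


if __name__ == "__main__":
    raw, alerts = run()
    print(f"{len(raw)} raw anomalies, {len(alerts)} alert(s)")
    for alert in alerts:
        print(alert)
```

On the constructed data this yields three raw anomalies (two on ws-01, one on ws-03) but a single alert, for ws-01, whose evidence is the combination of many new destinations and a large outbound volume in the same window. ws-03's lone burst of new destinations is kept as a low-priority signal rather than an alert, which is the trade-off the article argues for: fewer, higher-fidelity alerts that describe a campaign rather than an isolated artefact.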
It is also helpful to see the traffic within a data centre. In this regard, network security and data centre security go hand in hand and are really the same when it comes to detecting attackers. Traditional security has failed miserably in thwarting data breaches, and attackers have held a decisive advantage. Make no mistake, data centres are under attack. It's time to turn the tables on these attackers and regain control of our data centres.