
Artificial intelligence in the service of network security. Part 1

In 2017, the Aruba networking division of Hewlett Packard Enterprise announced a comprehensive network security solution, Aruba 360 Secure Fabric. The solution protects the corporate network through a full 360 degrees, against threats from both outside and inside the network, in a security perimeter that keeps changing with the advent of wireless devices and cloud services.



The solution is based on several key components. First of all, there is a secure and trusted infrastructure. Aruba network equipment has been designed from the very beginning with maximum security in mind. Modern controllers can process inter-network traffic at high speed (up to 100 Gbps) while performing deep packet inspection (DPI). This led to the emergence of the specialized Advanced Monitoring Protocol (AMON), which is designed to transfer large amounts of varied information between WLAN controllers and the management system and serves as an additional source of information for security systems.
The next component of Aruba 360 Secure Fabric is the Aruba ClearPass infrastructure access control system, which belongs to the class of software products known as Network Access Control (NAC). This product deserves detailed consideration, and we plan to devote a separate series of articles to it. Let us begin by considering why, under modern conditions, it is impossible to rely solely on the network security perimeter, and where the need for SIEM systems comes from.

The security perimeter is built on deep integration of partner solutions located at the boundary with untrusted networks and the DMZ segment. These are devices that provide firewalling, signature analysis of passing data, handling of encrypted traffic, cryptographic audit, etc.

It is difficult for attackers to overcome the classic security systems described above that guard the perimeter of corporate networks, so they often choose a different approach. The attack can be built on the introduction and spread of malicious code through the devices of company employees. A legitimate user can lose their corporate device or leave it unattended, or connect to unsafe public WiFi networks. Another common way to create a foothold for an attack is to send the user a phishing link or a malicious email attachment, which then allows malicious code to be planted on the legitimate user's computer. Recently, we increasingly see examples of malicious activity using IoT devices, whose main weak points are "default" settings and old software with well-known vulnerabilities (for example, hardly anyone installs patches on IP cameras running Windows 95 or MS DOS).

Sometimes an employee of the organization becomes the attacker and starts collecting valuable corporate data for the purpose of blackmail or commercial gain. Last year, ransomware such as WannaCry and Petya became widespread. Before the advent of self-propagating ransomware, malware spread in three ways: via downloads from websites, via e-mail, or from physical media, for example malicious USB devices. Therefore, in order to infect a device or system with ransomware, human participation was required in one way or another.

Attackers have learned to use social engineering techniques, and in the future these skills will only improve. According to analyst reports, if an organization relies solely on security technology, this solves only 26% of the problems. If organizations rely only on policies to solve security problems, this eliminates only 10% of the problems; and if they rely only on user training, only 4%. Therefore, all three aspects of security must be managed together. Add to this the acute shortage of qualified IT personnel able to process information about network events in the shortest possible time and deliver an unambiguous, correct verdict on security status.

In this situation, so-called SIEM (security information and event management) systems can help: they gather a wide variety of information security events and help security operations centers (SOC) analyze events and build reports. But even they, as it turned out, cannot give the full picture, because of the laboriousness of processing the information by humans and the large number of false positives. According to an analytical report, in small companies with revenue of less than $100 million an incident investigation takes about 10 minutes. In companies with 1001 to 5000 employees, for 26 companies out of 85 surveyed, investigating an incident can take from 20 minutes to an hour. The key conclusion from these statistics is that if each analyst spends this much time investigating a security incident, and there may be 10 or more such incidents, then investigating security incidents can exhaust all available staff.

According to the same report, SIEM systems can generate up to 10,000 events per minute, which include false alarms and some of which require immediate analysis by staff. Separating signal from noise is no empty phrase where SIEM systems are concerned. Here, systems with artificial intelligence can come to the aid of security departments. To be continued!

Source: https://habr.com/ru/post/423537/
