Threat Intelligence Blog

Posted August 15, 2019

The introduction of the cloud, mobility, and Internet of Things (IoT) means organizations are moving at greater speeds and agility than ever before to meet the stringent demands of the business. As network topologies and technologies evolve, so too must the security solutions that provide protection.

Operational advancements in IT efficiency and flexibility have resulted in a “knock-on” effect, requiring changes in how cybersecurity must be applied to those environments. Cloud services and hosts have moved the traditional network perimeter from a statically defined one that is typically associated with a physical location to a perimeter that is virtually defined by the business function, group, and content required. Highly mobile workforces introduce an additional level of complexity that requires protection of those mobile devices and users when outside of their organization’s traditional protected network. IoT devices introduce additional requirements on segmentation from critical network services and business functions. Widespread encryption mechanisms, while providing data confidentiality, increase the difficulty for protection mechanisms required for threat detection and threat response.

Organizations addressing these evolving issues are often limited to single point solutions, requiring customers to piece together various technologies in the attempt to create an effective security posture. However, as many organizations come to find out, investing in multiple single point cybersecurity solutions brings many technical and operational challenges including integration issues, costly professional services, capability gaps, scalability, and monitoring challenges. Effectively and efficiently combatting cyber threats requires a coordinated effort across security architecture and technology – but how?

Defining Terms: What is a Cybersecurity Fabric?

A Cyber Defense Fabric is an architectural approach to security, enabled by open standards and protocols, which allows an organization to connect and leverage different security capabilities into a unified and coordinated security response capability. This can then be applied to protect an organization’s entire business ecosystem, including servers, desktops, network, and related business applications. Once combined and fully integrated, an organization’s network and security infrastructure could logically be represented as shown in Figure 1.


Figure 1: Cyber Defence Fabric

The fabric aims to solve the following challenges and more:

  • Enhance visibility across the cyber ecosystem
  • Enable a more cohesive and robust security posture
  • Detect threats more effectively
  • Respond to threats at the most effective and appropriate points in the network
  • Ease integration pains

How Cyber Defense Fabric Solves Organization Challenges

A single homogeneous solution, like a Cyber Defense Fabric, provides visibility at various points throughout the cyber ecosystem (Figure 2), down to individual micro-segments in the network. This allows the fabric controller to correlate and aggregate data across all points of visibility and gain a greater understanding of what is happening on the network at various levels, more than any single point solution could provide: the more you can see, the more you can do.


Figure 2: High Level Diagram

Detections and events may be aggregated, correlated, shared, and combined in real time across fabric components to more effectively drive mitigation and response capabilities, ultimately providing a more robust security posture. An event detected at a single point in the fabric could trigger a threat response at any or all of the fabric components. Placement of fabric network components allows for visibility into both north-south and east-west traffic. Fabric components on both the network and the endpoint make it possible to correlate anomalies seen in both locations for more effective threat detection. For example, detecting anomalous network traffic originating from an internal host while correlating the user and process information on that host may provide a more complete picture of what is going on, pointing to potential data exfiltration by a specific user.

Further, the fabric possesses the ability to combine information from various sources in real-time to correlate events and apply more accurate responses to even the most sophisticated threats at the appropriate point(s) in the cyber ecosystem. Unlike single point solutions, detections in the network may trigger responses at the host, and conversely, detections on the host may trigger responses in the network. Coordinated responses may be distributed throughout the fabric allowing mitigations to be applied to all fabric components or defined zones, not just the single component that performed the detection.
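As an added illustration of the network-plus-endpoint correlation and coordinated response described above (example code written for this article, not code from the original post or any vendor product): it joins constructed Zeek conn.log-style records with constructed endpoint process events by originating host and time window, then fans one detection out to network, endpoint and identity components. The byte threshold, the correlation window and the internal address ranges are assumptions.

```python
# Added example: correlate constructed network flow records with constructed
# endpoint process events, then derive a coordinated multi-component response.
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), in Zeek conn.log JSON style.
NETWORK_EVENTS = [
    '{"ts":"2019-08-15T10:00:05","id.orig_h":"10.1.2.3","id.resp_h":"203.0.113.9","id.resp_p":443,"orig_bytes":850000000}',
    '{"ts":"2019-08-15T10:00:09","id.orig_h":"10.1.2.4","id.resp_h":"10.1.0.10","id.resp_p":445,"orig_bytes":120000}',
]
# Constructed endpoint events: which user/process was active on the host.
ENDPOINT_EVENTS = [
    {"ts": "2019-08-15T10:00:04", "host": "10.1.2.3", "user": "jdoe", "process": "curl.exe", "pid": 4120},
    {"ts": "2019-08-15T09:30:00", "host": "10.1.2.3", "user": "jdoe", "process": "outlook.exe", "pid": 2210},
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal space
EXFIL_BYTES = 500_000_000      # assumed per-flow outbound byte threshold
WINDOW = timedelta(seconds=10)  # assumed network/endpoint correlation window

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def correlate(net_lines, ep_events, threshold=EXFIL_BYTES, window=WINDOW):
    """Flag large outbound flows to external hosts and attach the endpoint
    process event on the originating host that is closest in time."""
    detections = []
    for line in net_lines:
        c = json.loads(line)
        if c["orig_bytes"] < threshold or is_internal(c["id.resp_h"]):
            continue
        t = datetime.fromisoformat(c["ts"])
        cands = [e for e in ep_events if e["host"] == c["id.orig_h"]
                 and abs(datetime.fromisoformat(e["ts"]) - t) <= window]
        ctx = min(cands, key=lambda e: abs(datetime.fromisoformat(e["ts"]) - t), default=None)
        detections.append({"host": c["id.orig_h"], "dest": c["id.resp_h"],
                           "bytes": c["orig_bytes"],
                           "user": ctx["user"] if ctx else None,
                           "process": ctx["process"] if ctx else None})
    return detections

def coordinated_response(d):
    """A single detection yields actions for several fabric components."""
    actions = [("network", f"block {d['host']} -> {d['dest']}")]
    if d["process"]:
        actions.append(("endpoint", f"quarantine {d['process']} on {d['host']}"))
        actions.append(("identity", f"step-up auth for user {d['user']}"))
    return actions

if __name__ == "__main__":
    for d in correlate(NETWORK_EVENTS, ENDPOINT_EVENTS):
        print(d, coordinated_response(d))
```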

Adopting open standards eases integration pains. Offering a software defined networking (SDN) compatible, software-based form factor enables deployment on commodity hardware and in virtual, containerized, and cloud environments, fitting any organization’s infrastructure no matter the physical topology or cloud integrations. A solution like this could leverage well-known open source tools, such as Zeek, mentioned in our previous blog post.

If you would like to discuss more, please contact me on Twitter @tweet_c_d.
