Threat Intelligence Blog

Posted February 6, 2019

Today, the cybersecurity industry faces an increasingly capable set of threat actors using advanced strategies, tactics, and techniques. Threat actors leverage advanced tools within multi-phased, multi-pronged campaigns to reach their objectives.

While defenders are improving their ability to model, visualize, and understand those attack strategies, and to identify gaps in their organizational defensive posture, there remain significant challenges in how defenders respond to these sophisticated attacks.

If you are interested in learning more about attack modeling, I highly recommend checking out our recent webinar on Modeling Adversarial Behavior, as well as learning more about an important framework, MITRE ATT&CK.

One approach to addressing some of those challenges embraces key tenets of Software Defined Networking (SDN), which can provide significant gains over existing approaches.

First, let me provide a short primer on SDN fundamentals.

Conceptually, the SDN architecture centralizes control of a network by separating the control logic from the network data-plane to off-device computer resources.

There are three layers to an SDN architecture.

[Figure: SDN Cybersecurity]

Application Layer. The business applications relying on the network for connectivity and security.

Control Layer. The network policy and control plane separated from the networking forwarding infrastructure.

Infrastructure Layer. Network/Data-plane forwarding.


The benefits of updating your security approach are similar to those that drove the original adoption of SDN in networking. The three primary drivers for SDN had a significant impact on the network industry, and they are key drivers for the cybersecurity industry today.

  1. Reduced Complexity. Prior to SDN, network changes were complicated and hard to deploy and manage.
     An early pioneer in SDN, Martin Casado, was quoted in a 2011 presentation saying, "Adding or moving a machine was like an act of aggression... In one network, we had to update eight points of state any time that we added or moved a machine." Casado was making the case for separating control from the network forwarding plane.
  2. Reduced Capex. SDN approaches enabled lower capex.
     By introducing SDN approaches to programming, the operation of the network can be accelerated, and the hardware required to run the control functions can be substituted with lower-cost, non-proprietary systems.
  3. Reduced Opex. SDN approaches enabled lower opex.
     Separation of control in SDN enabled more effective policy management that supports finer-grained control.

Digging a little deeper, I want to highlight the advantages of SDN and how they apply to the cybersecurity industry at large.

Advantage: Directly programmable
SDN benefit: Network policy is directly programmable because the control functions are separated from the forwarding functions. Automation tools such as OpenStack (https://www.openstack.org/), Puppet, and Chef are leveraged to enable this programmability.
SDN approach to security benefit: With security detection and response becoming vital, direct programming of security functions and orchestration through automation for real-time response is a must, as evidenced by growing efforts such as OpenC2 (https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=openc2) and CACAO (https://tools.ietf.org/html/draft-jordan-cacao-charter-03).

Advantage: Centralized management
SDN benefit: Network intelligence is logically centralized in the SDN controller, which maintains a global view of the network and allows applications and policy engines to see a single logical network.
SDN approach to security benefit: Cyber threat intelligence provides an important global view of the threats to organizations, their business functions, and their vulnerabilities. Combining this centralized view of intelligence with centralized management, so that threat responses can be rolled out easily and quickly, is a significant goal of centralized security management.

Advantage: Reduce CapEx
SDN benefit: Limits the need to purchase purpose-built, ASIC-based networking hardware and allows pay-as-you-grow expansion.
SDN approach to security benefit: As with the network, custom purpose-built security appliances are limited in their ability to scale easily and to be deployed in a manner that fits the business. Embracing an SDN approach to security yields similar advantages of scale and flexibility, and reduces the need for expensive custom hardware at certain points in an organization's security posture.

Advantage: Reduce OpEx
SDN benefit: Enables algorithmic control of the network and its elements, making the network itself easier to design, deploy, manage, and scale. The ability to automate provisioning and orchestration improves service availability and reliability by reducing management time and the opportunity for human error.
SDN approach to security benefit: Because security requires detection and mitigation in a variety of locations (logical and physical), the operational model for deploying, managing, and scaling security in a highly fluid environment must adjust in the same way. Operational inefficiencies in security have a direct impact on the risk to the business, so by optimizing or reducing operational expense in specific areas, adopting SDN can improve security. Example: "Threat Intelligence Must Move Closer to Threatening Activity, With a Prevention Focus" (Gartner, Emerging Technology Analysis: Threat Intelligence Gateways).

Advantage: Deliver agility and flexibility
SDN benefit: Ability to rapidly deploy new applications, services, and infrastructure to meet business challenges and objectives.
SDN approach to security benefit: Adversaries do not remain static; as their approaches adjust, so too must the security approaches to detection and mitigation. Deploying new security capabilities can no longer take weeks or months. Just as the industry struggles to keep up with the latest round of vulnerabilities and IT organizations struggle to patch them, embracing SDN-style agile methods to deploy and operationalize security functions becomes an important capability for improving an organization's risk posture.

Advantage: Enable innovation
SDN benefit: Ability to create new applications, services, and business processes that support new revenue streams and more value in the network itself.
SDN approach to security benefit: As new applications and business functions are introduced, there is a similar opportunity to introduce new security applications that take advantage of the fluid approach to the network.

What are some of the impacts of SDN on security?

  1. User data flows are separated from control instructions. Once separated, data flows can be tailored and altered as necessary, both for network connectivity reasons and for security enhancements. The abstraction of the data plane makes it easier to define security policies in terms of that abstraction and to enforce them.
     - Network control functions can run on no-frills servers. Similarly, security capabilities for detection or mitigation can be separated from inspection, with the mitigation/control functions running on more generic x86 architectures.
     - Applications now have addresses and are now attackable. This is a direct consequence of containerized, distributed environments such as Docker or CoreOS containers running within an orchestration platform. Security must therefore be provided for the applications themselves, not solely for the systems that host them.
  2. Maximize investment in private cloud/virtualized servers. As organizations embrace virtualization and the ability to automatically stand up compute and storage to meet business demands, the security of those virtualized assets must be provisioned, deployed, and managed automatically, just like the virtual assets themselves.
     - Greater control and security through micro-segmentation. Micro-segmentation of the network and business processes allows organizations to provision specific connections between users and the business applications running in the data center, with specific security settings per user, per application, and per business process. The result is fine-grained security policy in the enterprise; security that is designed to fit this approach can be applied more easily to provide that fine-grained control and, more importantly, to better protect the micro-segments themselves.
  3. Management of the Internet of Things (IoT) and its security. As organizations adopt more IoT devices, segmenting business processes and their applications from IoT traffic becomes an even greater challenge. Security approaches that adapt to IoT in the environment require a much more fluid and agile way of defining policies and monitoring their enforcement.
  4. Remote/branch connectivity and its security. Traditionally, larger organizations connected their branch offices with a single connection. As business evolves, the network and business application needs of those branch offices have changed to require multiple types of network connections, as well as management of those networks. Security for the branch office and its business applications can take advantage of the same agility and automation that an SDN-based approach brings to the network, applied to the security services as well.
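As an added illustration (not code from this post or from LookingGlass), here is a toy Python controller that puts the separation described above into working code: micro-segmentation intents and threat-intelligence indicators are held centrally in the control layer and compiled into one rule set that is pushed to every forwarding element, which only performs first-match lookup. The subnets, switch names and rule format are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """One flow rule pushed to the data plane. Subnets are CIDR strings (assumed format)."""
    action: str     # "allow" or "deny"
    src: str
    dst: str
    dport: object   # int, or None to match any destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

@dataclass
class Controller:
    """Control layer: micro-segmentation intents and threat-intel indicators live
    here, centrally, and are compiled into the same rule set for every switch."""
    intents: list = field(default_factory=list)   # allow rules: user net -> app net:port
    blocked: set = field(default_factory=set)     # threat-intel CIDRs, denied both ways
    switches: dict = field(default_factory=dict)  # data plane: switch name -> rule list

    def allow(self, user_net: str, app_net: str, dport: int) -> None:
        self.intents.append(Rule("allow", user_net, app_net, dport))

    def block_indicator(self, cidr: str) -> None:
        self.blocked.add(cidr)

    def compile_rules(self) -> list:
        # Threat-intel denies come first so they override any segment allow;
        # a final catch-all deny makes unlisted traffic fail closed.
        denies = [Rule("deny", c, "0.0.0.0/0", None) for c in sorted(self.blocked)]
        denies += [Rule("deny", "0.0.0.0/0", c, None) for c in sorted(self.blocked)]
        return denies + list(self.intents) + [Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None)]

    def push(self, *switch_names: str) -> None:
        """Roll the same compiled policy out to every named forwarding element."""
        rules = self.compile_rules()
        for name in switch_names:
            self.switches[name] = rules

def forward(rules: list, src: str, dst: str, dport: int) -> str:
    """Data plane: no policy logic of its own, just first-match lookup."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"
```

Adding a new indicator and calling push() again is the whole response: every switch picks up the deny without any per-device configuration.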

SDN has had both a direct and an indirect impact on the networking industry and continues to point the way to how networks are built today. An SDN-based security strategy will have a similar impact on the security industry. At LookingGlass, we are embracing SDN and incorporating these capabilities into how we collect, aggregate, and deploy threat intelligence.

If you would like to discuss more, please contact me on Twitter @tweet_a_t.
