In the past two decades, the Internet has become an absolute business necessity. This connectivity has created countless new efficiencies, but it requires enterprises to open themselves up to the outside world to remain competitive.
However, these connections expose organizations to a constantly changing threat landscape, populated by sophisticated attackers who have become experts at hiding malware within packets and applications, as well as launching social engineering attacks such as phishing, spear phishing and watering holes. Simultaneously, data centers are changing to incorporate more virtualization and cloud resources, and end users are sending and receiving data from a growing number of devices and applications (some of which may not even be under an enterprise’s control).
“The data center has had to evolve very rapidly in order to keep up with the capacity that is required,” says JK Lialias, director of product and solutions for Intel Security. “You’re seeing architectures move from physical to virtualized to public cloud environments. It’s becoming a data center that is very heterogeneous. You’re looking at an expanding attack surface.”
In other words, threats are advancing at the same time that data centers and enterprise computing environments are becoming increasingly complex and, therefore, more challenging to defend.
To protect their data centers from the sort of headline-grabbing breaches that have popped up with increasing regularity in recent years, many enterprises are turning to next-generation security solutions — the latest versions of familiar products such as firewalls and intrusion prevention systems. These tools incorporate new types of threat intelligence to help organizations sift through their growing traffic and stop malicious attacks in their tracks. But these tools can only help if they’re used effectively.
“A lot of organizations simply aren’t keeping up,” says Michael Osterman, president of Osterman Research. “They’ll install something, and then they may not revisit the technology often enough. Often, organizations will wait until something bad happens, and then they’ll invest in the product to prevent it. Intrusion prevention usually isn’t considered a high enough priority until the intrusion has already happened.”
Security experts say that the latest security solutions truly offer new levels of protection.
“For me, if someone asks what ‘next-gen’ means, it’s using security controls beyond blunt force on known attacks, and instead providing more context,” says Mark Nunnikhoven, vice president for cloud research at Trend Micro. “These tools provide enough information so that you can differentiate well-intentioned business access from an attacker trying to leverage access for malicious purposes. They don’t just allow activities to happen or not. They’re trying to provide additional context around what’s happening.”
“All hype aside, the older generation of solutions is largely signature-based, meaning they identify attacks based on a known attack signature,” says Karen Scarfone, principal consultant at Scarfone Cybersecurity. “Now, attacks are much more fluid, and the older solutions are just not effective anymore at detecting today’s attacks. It’s becoming really important to adopt these next-generation solutions.”
The next-generation solutions being used by enterprises to thwart the most advanced cyberattacks include the following.
Next-generation firewall (NGFW): The latest firewalls from vendors such as Cisco Systems, McAfee, Check Point and WatchGuard include all of the features of standard firewalls, including packet filtering, network address translation (NAT), stateful protocol inspection and virtual private networking (VPN). In addition, they offer advanced features such as application awareness and control, identity awareness and integration with intrusion prevention systems.
The ability to filter traffic not only by IP address but also by application can help bring a more nuanced approach to security, says Osterman. For example, an enterprise might want to allow its employees to use sites such as Facebook, while blocking associated applications that might bring intrusion attempts. “The ability for fine-grained intrusion detection and intrusion prevention is important,” Osterman says. “It’s looking for specific threats, rather than the crude blocking of IP addresses.”
Integration with an organization’s directory allows enterprises to tie security policies to specific users and groups. Also, NGFWs use cloud-based reputation services to block traffic from dangerous sources, and give real-time and historical visibility into user activity.
On a practical level, next-generation firewalls not only do a better job recognizing and blocking malicious traffic, they also do a better job letting benign traffic through, preventing the all-too-common scenario of organizations disabling security features in order to accommodate legitimate business activity. (An Intel Security report indicates that between 20 percent and 30 percent of organizations have disabled functions such as antivirus, data filtering and user visibility to avoid affecting network performance.)
Next-generation intrusion prevention system (NGIPS): “The capability to look at a network packet and say whether it is benign or not has always been available in IPS in a basic form,” says Nunnikhoven. “What we’re seeing now is the ability to string together sequences of packets. It’s finding more sophisticated attacks. It’s also leveraging much more threat intelligence and awareness.”
Much like NGFW, next-generation IPS uses application awareness and an understanding of context in order to separate legitimate threats from mere noise. For example, an NGIPS might upgrade an “alert-only” event to a “block” event based on data from a number of sources, including vulnerability scans and IP reputation intelligence.
Next-gen intrusion prevention systems for virtual machines bring this same level of security to a virtualized data center. Cisco NGIPSv for VMware, for example, can alert enterprise security teams to vulnerabilities caused by mistakes in setting up the virtualized architecture (if a virtual production environment and a development environment are accidentally connected, for instance).
Big Data analytics: In early 2015, FBR Capital Markets predicted a 20-percent spike in next-generation cybersecurity spending, spurred in part by software tools that use Big Data analytics to identify threats. Often, these tools are referred to as security information management (SIM) or security information and event management (SIEM) solutions.
“SIM delivers fast insight through analytics running on very powerful hardware,” says Lialias. “It’s an absolutely critical piece for securing the data center.”
For example, McAfee Enterprise Security Manager — a SIEM tool — is designed to store hundreds of millions of data points, which are indexed, normalized and correlated to detect a wide range of risks and threats.
Web gateway: While the “next-generation” description is not commonly applied to web gateways, experts say these solutions have also made a number of advances in recent years. Like many other advanced security products, the differences largely boil down to the ability to incorporate context into threat detection.
“It used to be that these products would generate an alert whenever they saw an attack on your web server,” says Scarfone. “Suppose you’re running a Microsoft web server, and someone is launching Apache attacks. That’s just noise. It’s not that the server is not being attacked, but the attacker doesn’t know what they’re doing, and the attacks are never going to work. We want to give those a lower priority. A next-generation web gateway knows which vulnerabilities a server has, so when it sees unusual activity coming in, it can more accurately prioritize the organization’s response to that activity.”
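The escalation described under NGIPS above (upgrading an alert to a block on the strength of vulnerability-scan and IP-reputation data) and Scarfone’s web-gateway example (downgrading exploit attempts that cannot work against the target’s platform) are the same correlation step seen from two sides. The Python below is an added illustration of that step; it is not code from the article or from any vendor named in it. The event fields, the shape of the scan inventory, the reputation scores and the CVE-style identifiers are all constructed placeholders, not real data.

```python
from dataclasses import dataclass

# All data below is constructed for this example. The CVE-style strings are
# placeholders, not real identifiers.

@dataclass(frozen=True)
class Event:
    """One signature hit from an IDS or web gateway (assumed field set)."""
    src_ip: str
    dst_host: str
    target_stack: str   # platform the exploit attempt is written for
    cve: str            # vulnerability the signature maps to (placeholder)

# Assumed output of a vulnerability scanner: platform per host plus the
# identifiers the scanner found unpatched on that host.
SCAN_INVENTORY = {
    "web-01": {"platform": "iis", "open_cves": {"CVE-0000-0001"}},
    "web-02": {"platform": "apache", "open_cves": set()},
}

# Assumed IP reputation feed: 0 (clean) to 100 (known malicious).
IP_REPUTATION = {"198.51.100.7": 95, "203.0.113.5": 10}

BLOCK_REPUTATION = 80  # policy threshold for escalating on reputation alone

def triage(event, inventory=SCAN_INVENTORY, reputation=IP_REPUTATION):
    """Return (action, reason): action is 'block', 'alert' or 'low'.

    Rule order is a policy choice: a known-bad source is blocked before
    any downgrade, a platform mismatch is downgraded before looking at
    patch state, and only a confirmed exposure escalates to 'block'.
    """
    asset = inventory.get(event.dst_host)
    score = reputation.get(event.src_ip, 0)
    if asset is None:
        # No scan context, so neither suppress nor escalate; leave it to an analyst.
        return ("alert", "destination not in scan inventory")
    if score >= BLOCK_REPUTATION:
        return ("block", f"source reputation {score} at or above {BLOCK_REPUTATION}")
    if asset["platform"] != event.target_stack:
        # e.g. an Apache exploit thrown at an IIS host: noise, per the quote above.
        return ("low", f"exploit targets {event.target_stack}, host runs {asset['platform']}")
    if event.cve in asset["open_cves"]:
        # Scanner says the host is unpatched for exactly this issue.
        return ("block", f"host unpatched for {event.cve}")
    return ("alert", "platform matches but scanner shows no open exposure")

def triage_batch(events, inventory=SCAN_INVENTORY, reputation=IP_REPUTATION):
    """Triage a list of events and return the list of actions, in order."""
    return [triage(e, inventory, reputation)[0] for e in events]

# Constructed sample events covering each branch.
EVENTS = [
    Event("203.0.113.5", "web-01", "apache", "CVE-0000-0002"),  # wrong stack -> low
    Event("203.0.113.5", "web-01", "iis", "CVE-0000-0001"),     # unpatched -> block
    Event("198.51.100.7", "web-02", "apache", "CVE-0000-0002"), # bad reputation -> block
    Event("203.0.113.5", "web-02", "apache", "CVE-0000-0002"),  # no exposure -> alert
    Event("203.0.113.5", "db-09", "apache", "CVE-0000-0002"),   # unknown host -> alert
]

if __name__ == "__main__":
    for ev, (action, reason) in zip(EVENTS, (triage(e) for e in EVENTS)):
        print(f"{ev.src_ip} -> {ev.dst_host}: {action:5} ({reason})")
```

The ordering of the rules is where the organization’s policy lives: moving the reputation check below the platform-mismatch check, for instance, would let a known-bad source off with a low-priority event simply because its first attempt targeted the wrong stack. Whatever order is chosen, the inventory and reputation inputs are only as good as the scan cadence and feed freshness behind them, which is the “revisit the technology often enough” point Osterman makes above.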