You’ve done everything to secure your network, and you still face threats. That’s what most companies say about their network security, and they’re half right. Yes, they still face threats, but they haven’t done everything to deal with them. In fact, most organizations don’t really have the two foundations in place for true network security.
When I ask companies if they’ve done a top-down analysis of network security, they usually say they do it every year. When I ask what this assessment entails, they say they are looking for indications that their current strategies have failed. They build up another layer, which is like putting a second bandage on a cut.
Forgive me, but that doesn’t sound very “top-down”. Modern network security should start with the simple requirement that no one should be able to access anything they are not supposed to. Take Charlie, who oversees parking lot maintenance. Suddenly, Charlie is reviewing the sales records for the last quarter or checking the stock levels of certain products. Are these products perhaps wearing down the asphalt, or is this a sign that Charlie is a threat, or that his machine carries malware?
That’s not just true for the Charlies in our businesses, either. In the data center, an application monitors the status of the gates of the headquarters campus. Then that application accesses a module associated with the payroll system. Unless we think doorknobs are on the payroll, that should be a warning sign as well. IP networks permit connections by default, which means they are not secure by default.
Login Permissions Security
The problem with login permission security is that, in practice, it is complicated. Start with Charlie, not as an example but as an individual. Because Charlie thoughtlessly refused to have a MAC-address chip implanted, he has no intrinsic network identity. Do we assume that a device assigned to him serves as an indicator of his corporate identity? What if Sandy sits down at Charlie’s desk to make a few quick tweaks to an application? She shouldn’t inherit Charlie’s privileges, but she probably does.
Maybe Sandy gets a promotion or a new assignment. What she is allowed to access has now changed, but NetOps forgets to update its magic login monitor, so Sandy’s first report is late. Meanwhile, NetOps is unhappy because every time someone’s role changes, it has extra work connecting them to everything they need and sorting out innocent errors that show up as unauthorized access. They decide to change the system so that each worker has a “role” that carries the login permissions. Now we just assign everyone their role, and all is well…maybe.
The concept of “role” is very useful in limiting the number of explicit login authorization policies that a company needs. However, it depends on two things. First, role rights must be strictly defined to ensure that no one has access to things that their job does not warrant. Having a role hierarchy can help by eliminating redundant policy statements. Second, the validation of the user’s identity must be strong, so that they are assigned the correct role and someone without a role has no access.
Explicit login authorization is great if it is faithfully maintained at the level of identity, role, and login policy. Even with practices that tie all these dots together, a mistake is always possible. What could be done to reduce this risk? The answer is artificial intelligence (AI) and machine learning (ML).
AI/ML traffic analysis
All use of the network creates traffic and traffic patterns. Malware that searches for vulnerabilities is an application too, and it also generates a traffic pattern. If AI/ML can monitor traffic patterns, it can distinguish a malware probe from normal application access. Even if malware infects a user who has the right to access a set of applications, it is unlikely that the malware could duplicate the traffic pattern that user generates through legitimate access. So AI/ML could detect the difference and raise an alert. That alert, like a log alert on unauthorized logins, would then be followed up to validate the security status of the user’s device.
The advantage of AI/ML traffic pattern analysis is that it can be effective even when the identity of the user is difficult to pin down, which is exactly when explicit login authorization is problematic. In fact, you can perform traffic pattern analysis at any level, from individual users to the entire network. Think of it as involving some sort of source/destination address logging process: at any point, have I ever seen packets coming from or going to this address or subnet? If not, a more detailed analysis may be warranted, or even an alert.
A branch is populated with workers in a variety of roles, but a branch rarely contains workers from all possible roles. Since application/data access is normally assigned based on what the worker is supposed to do, this means many applications should never be accessed from certain branch offices. AI/ML traffic pattern analysis at the branch level could detect an attempt to access an application that no one there should be trying to use. Unusual traffic patterns at the branch level, or for subnets within a corporate office, could be used to flag a group of workers for a more rigorous security audit, either manually or through further analysis at the depth of traffic per worker.
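As an added example (not code from the article), here is how the two ideas fit together: a deny-by-default role hierarchy as described in the login-permissions section, and the branch-level checks from this section (“should anyone at this branch be reaching this app?” and “have I ever seen this source/destination pair?”) run over constructed flow records. The role, branch and application names and the flows are all assumed for illustration.

```python
# Role, branch, app names and flow records below are constructed for illustration.
# Each role grants its own apps and inherits parents; anything not granted is denied.
ROLES = {
    "employee":   {"apps": {"email", "hr-portal"},   "inherits": []},
    "facilities": {"apps": {"gate-monitor"},         "inherits": ["employee"]},
    "sales":      {"apps": {"crm", "sales-records"}, "inherits": ["employee"]},
    "finance":    {"apps": {"payroll"},              "inherits": ["employee"]},
}

def role_apps(role, seen=None):
    """Full set of apps a role may reach, following the inherits chain."""
    seen = set() if seen is None else seen
    if role in seen or role not in ROLES:  # cycle guard; unknown role gets nothing
        return set()
    seen.add(role)
    apps = set(ROLES[role]["apps"])
    for parent in ROLES[role]["inherits"]:
        apps |= role_apps(parent, seen)
    return apps

def may_access(role, app):
    return app in role_apps(role)

# Roles present at each branch; an app that no role at a branch grants should
# never be reached from that branch.
BRANCH_ROLES = {"hq": {"facilities", "sales", "finance"},
                "branch-west": {"facilities", "sales"}}

def branch_allowed_apps(branch):
    return set().union(*(role_apps(r) for r in BRANCH_ROLES.get(branch, ())))

# Flow records as (branch, source_ip, destination_app).
FLOWS = [
    ("branch-west", "10.20.0.15", "crm"),
    ("branch-west", "10.20.0.15", "email"),
    ("branch-west", "10.20.0.42", "payroll"),  # no role at branch-west grants payroll
    ("hq",          "10.1.0.7",   "payroll"),
]

def flag_branch_anomalies(flows):
    """Flows whose destination app is granted to no role at that branch."""
    return [f for f in flows if f[2] not in branch_allowed_apps(f[0])]

def new_pairs(flows, baseline):
    """Source/app pairs never seen before; adds them to the baseline."""
    fresh = []
    for branch, src, app in flows:
        if (src, app) not in baseline:
            fresh.append((branch, src, app))
            baseline.add((src, app))
    return fresh
```

The first pass of new_pairs over an empty baseline reports everything, which is the learning phase; only pairs that appear after the baseline has settled are worth an alert.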
AI/ML could also spot changes in a worker’s behavior. Even if a worker isn’t accessing anything they aren’t entitled to, a major change in their traffic pattern could certainly indicate malware, but it could also indicate a worker doing a bit of app browsing. That may mean the worker is disgruntled and a potential security threat, but it could also mean the worker has a new assignment or job that requires different access permissions, and that NetOps should review their login policies.
Either connection authorization or AI/ML traffic analysis on its own will advance network security, but together they create a solid foundation for securing not only networks but also the data and applications connected to them. If you start your security plan with these two essential technologies and use them correctly, you could improve security. Maybe you could even strip off a few of those bandage layers.
Copyright © 2022 IDG Communications, Inc.