Perimeter Security has Perfect Amnesia

Written by

While perimeter security has its place in a defense-in-depth security strategy, the reality is that perimeter security has the same perfect amnesia as a goldfish swimming in circles in its bowl. Each time a goldfish circles the perimeter of the bowl, it has no memory of its prior journey. Similarly, each time perimeter security sees a threat or suspicious behavior, it is as if it is seeing it for the first time.

Perimeter security was never designed to remember. When it inspects traffic, it can’t remember whether the behavior it is seeing has been repeated 10, 100 or 1,000 times. As a result, perimeter security is not optimized to identify the low and slow behavior of a persistent and stealthy attacker. For example, when an attacker attempts to hide his command and control traffic in Google Gmail, perimeter security systems will not notice the hundreds or thousands of messages buried in the act of saving draft messages.

Hence the statement: perimeter security has perfect amnesia. Perimeter security inspects a group of packets containing data for an approved application on an approved TCP port and forwards them on even if the traffic is somewhat suspect. When it inspects another group of packets with more hidden command and control communication, it will be like it is seeing it for the first time and will forward the traffic just like the prior group of packets. Perimeter security is not equipped to detect the threat within the stream of packets because that requires memory over hours, days or weeks to catch the persistent attacker.

When organizations purchase perimeter security products like firewalls, intrusion prevent systems or inline malware sandboxes, latency is an evaluation criterion. Organizations like NSS Labs test latency in competitive product reviews. Firewalls with lower latency will deliver faster application response time, and firewalls with higher latency will result in slower response times.

Perimeter security is designed to prevent the bad guys from getting into your network, but it is failing more and more frequently. It is designed to look at a group of packets, inspect them for threats, and immediately decide to either forward them on to their final destination or drop them. The processing and decision needs to be completed in microseconds, with best-in-class products adding less than 50 microseconds of latency. A NSS Labs report specifically states “in-line security devices that introduce high levels of latency are unacceptable, especially where multiple security devices are placed in the data path.” 

In the long con of a modern cyber-attack, the attackers operate as stealthily as possible, but like Ocean’s Eleven, there is always something that can give away their behavior

Today’s modern cyber-attack plays out over the weeks or months that follow the perimeter being breached; as was the case with the breaches that made recent big news including JP Morgan, Anthem and Sony Pictures. These weren’t smash-and-grab jobs, they were the work of patient attackers who have done their homework and think fast.

 These attackers aren’t Bonnie and Clyde committing a quick robbery, these attackers are committing a long con like Ocean’s Eleven. Melanie Teplinsky recently published an Opinion in Passcode that is on point: What cybersecurity pros can learn from 'Ocean's Eleven'.

In the long con of a modern cyber-attack, the attackers operate as stealthily as possible, but like Ocean’s Eleven, there is always something that can give away their behavior. While the anomaly in the behavior may not be enough to sound off an alarm, stringing several observations together helps to identify what the attacker is doing.

In the Gartner research note Prevention is Futile in 2020:  Protect Information via Pervasive Monitoring and Collective Intelligence, they state, “Information security can no longer prevent advanced targeted attacks; and too much information security spending has focused on the prevention of attacks and not enough has gone into security monitoring and response capabilities.”

Advanced threat defenses to detect modern-day attacks need to monitor traffic deep inside a network, remembering and correlating anomalous behavior of hour, days or weeks. 

Oliver Tavakoli is Chief Technical Officer of Vectra Networks. Oliver is a technologist who has alternated between working for large and small companies throughout his 25-year career. Prior to joining Vectra Networks, Oliver spent more than 7 years at Juniper as Chief Technical Officer for the security business. Oliver joined Juniper as the result of its acquisition of Funk Software, where Oliver was CTO and better known as developer #1 for Steel-Belted Radius. Prior to joining Funk Software, Oliver co-founded Trilogy Inc. and prior to that, he did stints at Novell, Fluent Machines and IBM. 

What’s hot on Infosecurity Magazine?