Artificial intelligence in the service of network security. Part 1

    In 2017, the Aruba networking division of Hewlett Packard Enterprise announced a comprehensive network security solution, the Aruba 360 Secure Fabric. It provides 360-degree protection of the corporate network against threats originating both outside and inside the network, within a security perimeter that is constantly changing with the advent of wireless devices and cloud services.

    The solution is based on several key components. The first is a secure and trusted infrastructure. Aruba network equipment has been designed from the outset with maximum security as a design goal. Modern controllers can process traffic between networks at high speed (up to 100 Gbps) while performing deep packet inspection (DPI). Related to this is the specialized Advanced Monitoring Protocol (AMON), which is designed to transfer large volumes of varied information between WLAN controllers and the management system and serves as an additional source of information for security systems.

    The next component of the Aruba 360 Secure Fabric is the Aruba ClearPass infrastructure access control system, which belongs to the family of software products known collectively as Network Access Control (NAC). This product deserves detailed consideration, and we plan to devote a separate series of articles to it. Let us begin by considering why, under modern conditions, it is impossible to rely solely on the network security perimeter, and where the need for SIEM systems comes from.

    The security perimeter is built on deep integration of partner solutions located at the boundary with untrusted networks and in the DMZ segment. These are devices that provide firewalling, signature analysis of passing data, handling of encrypted traffic, cryptographic auditing, and so on.

    It is difficult for intruders to overcome the classic security systems described above that protect the perimeter of corporate networks, so they often choose a different approach for their attacks. An attack can be built on introducing and spreading malicious code through the equipment of company employees. A legitimate user can lose a corporate device or leave it unattended, or connect it to unsafe public WiFi networks. Another common way to create a starting point for an attack is to send the user a fraudulent link or a malicious email attachment, which subsequently allows malicious code to be planted on the legitimate user's computer. Recently, we increasingly see examples of malicious actions using IoT devices,

    Sometimes an employee of an organization can become an attacker and begin collecting valuable corporate data for the purpose of blackmail or commercial gain. Last year, ransomware such as WannaCry and Petya became widespread. Before the advent of self-propagating ransomware, malware was distributed in three ways: by download from websites, by email, or from physical media, for example malicious USB devices. Therefore, infecting a device or system with ransomware required human participation in one way or another.

    Attackers have learned to use social engineering techniques, and these skills will only improve in the future. According to analyst reports, if an organization relies solely on vulnerability mitigation technologies, this solves only 26% of its security problems. If an organization relies only on policies, this eliminates only 10% of problems; and if it relies only on user training, only 4%. Therefore, all three aspects of security must be controlled together. Add to this the acute shortage of qualified IT personnel who are able to process information about network events in the shortest possible time and reach an unambiguously correct verdict on the security status.

    Here, so-called SIEM (security information and event management) systems can help: they gather a wide variety of information security events and help security operations centers (SOC) analyze those events and build reports. But even they, as it turned out, cannot give the full picture, because of the labor involved in human processing of the information and the large number of false positives. According to the analytical report, for small companies with revenue below $100 million, investigating an incident takes about 10 minutes. In companies with 1001 to 5000 employees, for 26 of the 85 companies surveyed, investigating an incident can take from 20 minutes to an hour. The key conclusion from these statistics is that if each analyst spends this much working time investigating a single security incident, and there may be 10 or more such incidents, then investigating security incidents can exhaust all available personnel.

    According to the same report, SIEM systems can generate up to 10,000 events per minute, which include false positives and sometimes require immediate analysis by staff. Separating signal from noise is no empty phrase in the case of SIEM systems. This is where systems with artificial intelligence can come to the aid of security departments. To be continued!