The Diminishing Efficacy of Network Security Solutions
I am an old-school network security guy, and it pains me to see the rapid decline of network security solutions due to the advancement of detection evasion techniques. Back in the day, you could expect most malicious traffic to be clearly visible, and you just had to worry about making sure your signatures and blacklisted IPs/domains were up to date for the latest threats.
If you really wanted to be proactive, you could block communication to/from entire CIDR blocks belonging to countries you do not do business with and well-known for malicious intent. This would cut down the volume of attacks by orders of magnitude.
Well, oh how times have changed. We live in a completely different world now. These days you can count on the reverse being true.
Most traffic is encrypted and/or tunneled, domain generation algorithm (DGA) has made site reputation almost meaningless and it is all too common for attackers to proxy through a network of compromised domestic machines to make the network traffic look benign and subvert detection or blocking by region.
For those who are not aware of DGA, it spins up thousands of single-use, pseudo-randomly generated domain names for malware command and control proxy. It is well known that significant percentages of cloud services are being used for this purpose.
While it is true that if a site is listed as bad, it is nice to be able to block connection attempts to it. This is still helpful. But, if it is listed as good, it does not mean it is good. The concept of “good” traffic has become very muddled and unknowable.
In fact, all of the uncertainty on the network has pushed detection down to the host level, for which there is an increasing array of new solutions almost weekly. But, that is a topic for another blog.
Fear not my network friends, all is not lost. The increasing efficacy of SSL decryption solutions are breathing new life and vitality into network inspection solutions. SSL decryption has become to network traffic inspection devices what bread is to sandwiches.
The most effective way to do this is to decrypt the traffic, pipe it to a network for all inspection devices (IDS, DLP, etc.) and enable visibility to all devices simultaneously. Remember, you only want to have to decrypt the data once. Having multiple inspection devices in line is a non-starter.
Further, often times this creates a need for network ingress/egress consolidation to aggregate the traffic through a handful of SSL decryption and network inspection devices. These solutions are costly and it makes sense to aggregate. But, make sure you still have at least 2 sites for your business continuity/disaster recovery plan.