The cybersecurity field is in the early stages of a sweeping shift to intelligent solutions. Artificial intelligence and machine learning are already having an impact in the data center, and nowhere is this more apparent than in network security.
Intelligence and automation are already playing a part in creating and managing smart, real-time microsegmentation strategies, analyzing network traffic to spot suspicious activities or unusual movements of data, and managing access in least-privilege and zero-trust environments.
Boston-based law firm Goulston & Storrs turned to intelligent network security solutions to protect its data center because of a fatal flaw in standard solutions focused on defending the company's perimeter.
"What the traditional approach lacks is what happens after something fails," said John Arsneault, the firm's CIO. "You may not know that you have an intrusion for months, and the intruder will take their time and try to move around on your network and through your hosts and applications and make sense of where the gold is."
The new network security technologies, such as microsegmentation, provide a second line of defense, he said. "If someone does get a hold of user credentials or takes advantage of a vulnerability that your IT processes missed, they really can't get very far."
The problem with microsegmentation is that it takes a lot of time and effort.
"People don't keep up with it and default to having it more open than it needs to be, because it's difficult to figure out what holes need to be punched in firewalls," he said. "Even if you have an extremely diligent network or security engineer to keep up with it manually, it's very difficult."
The law firm wanted better network security but without having to add a lot of staff, and it wasn't alone.
"More data, more traffic, more workloads, and yet no more staff to manage network IT has become a familiar cry in the security industry," said Laurence Pitt, security strategy director at Juniper Networks.
These aren't new challenges, he added, but the rate of changes keeps accelerating, increasing complexity and weakening security.
"The network needs to be the first line of defense, before security personnel, by embedding threat intelligence and automation into every router, switch, gateway, and wireless access point," he said.
Segmentation for Security
The idea behind network segmentation is that there are barriers between different parts of the network. The barriers could be physical – "air gaps" that allow no access at all. Or they could be virtual, in the form of firewalls, encrypted tunnels, and similar technologies.
In the modern, fast-changing data center environment, managing microsegmentation effectively without AI-powered tools would be impossible.
"We used to do a release a year," said Tom Hickman, VP of engineering at Edgewise Networks. "We did nine releases in seven days in June – and each of those events is a major change for your network technology."
Nowadays, "you have to have technology that's responsive to dynamic changes, that's self-configuring," he said.
Intelligent solutions address these problems on two fronts. First, algorithms are used to map traffic in a network and extract common rules of network behavior for analysts to review. For example, some types of applications talk to some types of backend databases but not others.
The technology used to generate the map is typically some variant of cluster analysis, a machine learning technique that identifies groups of similar items. Similar algorithms are used in e-commerce recommendation engines and in marketing tools that automatically identify customer segments.
This map is then used to generate virtual segments that balance usability and security in a way that matches the data center's appetite for risk.
If new traffic appears that violates the segments but fits within pre-approved policies, the segments are automatically redrawn. If the new traffic doesn't fit within the bounds of what's permitted, it is flagged for further attention by network administrators or security analysts.
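The two-front approach just described (cluster hosts by traffic profile, derive segment rules, then allow, auto-redraw, or flag new flows) as an added illustration; this is not Edgewise's code or the article's, and the flow log, the equality-of-profile clustering, and the pre-approved policy set are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow log (src_host, dst_host, dst_port); not real data.
FLOWS = [
    ("10.0.1.10", "10.0.2.20", 8443), ("10.0.1.11", "10.0.2.21", 8443),
    ("10.0.2.20", "10.0.3.30", 5432), ("10.0.2.21", "10.0.3.30", 5432),
    ("10.0.2.20", "10.0.4.40", 6379), ("10.0.2.21", "10.0.4.40", 6379),
]


def cluster_hosts(flows):
    """Group hosts whose inbound/outbound port profiles are identical.
    A deliberately simple stand-in for the cluster analysis described above."""
    profile = defaultdict(set)
    for src, dst, port in flows:
        profile[src].add(("out", port))
        profile[dst].add(("in", port))
    role_of, roles = {}, {}
    for host, prof in sorted(profile.items()):
        key = frozenset(prof)
        roles.setdefault(key, f"role{len(roles)}")  # new cluster -> new role
        role_of[host] = roles[key]
    return role_of


def learn_segments(flows, role_of):
    """Allow rules between roles: (src_role, dst_role) -> permitted ports."""
    seg = defaultdict(set)
    for src, dst, port in flows:
        seg[(role_of[src], role_of[dst])].add(port)
    return seg


def evaluate(flow, seg, role_of, preapproved):
    """'allow' if the flow sits inside an existing segment, 'extend' if a
    pre-approved policy (src_role, dst_role, port) lets the segment be
    redrawn automatically, else 'flag' for analyst review."""
    src, dst, port = flow
    key = (role_of.get(src, "unknown"), role_of.get(dst, "unknown"))
    if port in seg.get(key, set()):
        return "allow"
    if (key[0], key[1], port) in preapproved:
        seg[key].add(port)  # segment redrawn; later matching flows are allowed
        return "extend"
    return "flag"  # outside both the learned map and approved policy
```

Hosts that never appeared in the training window map to an "unknown" role, so any traffic they send is flagged rather than silently fitted into a segment.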
The law firm Goulston & Storrs decided to go with microsegmentation technology from Edgewise and was able to roll out full microsegmentation without adding staff, said Arsneault. That included coverage of all the company's virtual machines, servers, hosts, users, and all the paths that software can be accessed through – a total of about 125,000 different protections.
"With the machine learning component of it we were able to protect everything with the push of a button, literally," he said. "And it continues to learn the network and will continually update the policies that apply to the microsegmentation. It takes the human component out, which is a huge liability, and cuts down dramatically on the time and effort."
Hybrid Clouds Make Segmentation Even Harder
Meanwhile, the challenge of securing networks continues to evolve. For example, segmentation is much more complex in hybrid environments, said Derek Brost, director of professional services for security at InterVision Systems, an IT services management company.
If a data center is a hybrid operation, with multiple cloud-based and on-premises environments and competing – or incompatible – network technologies, it can be difficult to manage network segments and access controls in an organized way.
Security managers may need to step away from focusing on just the network, he said. "It can be very advantageous to bring the micro-segmentation technology away from just the network and pull it down to the individual endpoint systems."
Cloud Functions Will Force a Rethink
And it doesn't stop there. The next evolution in software development, cloud functions (also known as serverless functions, or lambda functions), takes the difficulty level up another notch.
Cloud functions are tiny pieces of code that run inside a cloud function platform, such as those offered by Amazon, Google, or Microsoft. There's no virtual machine to put security tools in. There isn't even a container.
"I think that's probably the biggest thing that I see on the horizon that's going to force practitioners to really assess their current security paradigms and solutions," said Edgewise's Hickman.
Edgewise can install its microsegmentation technology on virtual machines or containers. "We're just part of the base images. We're cloned, and our agent is there at instantiation time," he said.
Edgewise doesn't currently support cloud functions, he said. "But we have stuff in labs."
Anomalies and Bad Behaviors
Anomaly detection is another example of a popular kind of machine learning algorithm.
In the case of network traffic, for example, the system would watch a data center's normal operations and learn what an average day, week, or month looks like. Once trained, it then looks for new behaviors that don't fit in with that baseline.
For example, if users in the marketing department suddenly start accessing financial databases from computers in Russia, that could be a sign that some accounts have been compromised.
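A minimal version of the baseline-then-deviate approach described above, added here as an illustration rather than any vendor's code: the access events, the department/resource/country model, and the min_count threshold are all constructed assumptions. The threshold exists so that a single sighting during the learning window (possibly an intruder who was already inside) does not become part of "normal".

```python
from collections import Counter, defaultdict

# Constructed access events (department, resource, source_country); not real logs.
TRAINING = [
    ("marketing", "crm", "US"), ("marketing", "crm", "US"),
    ("marketing", "cms", "US"), ("marketing", "crm", "CA"),
    ("finance", "ledger-db", "US"), ("finance", "ledger-db", "US"),
]


def learn_baseline(events, min_count=2):
    """Per department, the set of resources and source countries seen often
    enough during the learning window to count as normal behaviour."""
    counts = defaultdict(Counter)
    for dept, res, country in events:
        counts[dept][("resource", res)] += 1
        counts[dept][("country", country)] += 1
    return {dept: {k for k, n in c.items() if n >= min_count}
            for dept, c in counts.items()}


def score(baseline, event):
    """Return the reasons an event departs from its department's baseline;
    an empty list means the event looks like an ordinary day."""
    dept, res, country = event
    if dept not in baseline:
        return ["no baseline for department " + dept]
    reasons = []
    if ("resource", res) not in baseline[dept]:
        reasons.append(f"{dept} does not normally access {res}")
    if ("country", country) not in baseline[dept]:
        reasons.append(f"{dept} does not normally connect from {country}")
    return reasons
```

Because the baseline is a snapshot, it has to be relearned on a rolling window; an environment that changes faster than that window is exactly the case Lackey warns about below.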
The traditional approach is to look for specific instances of known bad behaviors, known malware, or attempts to access sites known to be associated with hackers.
"The signature-based systems looked for one specific thing, and if they saw it, they flagged it or stopped it," said Zane Lackey, co-founder and CSO at Signal Sciences, a security company. "That was okay when networks and infrastructure and applications didn't change that much. But if you ask any CISO or CTO about their environments today, their environments are changing incredibly quickly."
That requires a generational change in technology, he said, moving from a signature-based model to a behavioral model. "That's the actual shift that has to happen."
However, he warned companies against jumping into some AI-based approaches because the applications may change faster than the AI models can be trained.
"Take a look and see if it's actually solving the challenges that you're seeing," he said.
Smart Access Management
Network security is the fundamental challenge for anyone running a data center today, Lackey said. To meet it, the idea of trusted networks is being replaced by a zero-trust model. "You no longer take trust for granted just because it's on the network."
That means access to devices and applications needs to be very limited and tightly controlled, with a new authentication step with each new connection.
That's a difficult task for traditional access management platforms.
"How do I limit the access to what any individual service actually needs?" Lackey asked. "Every conversation I have with a Global 2000 CISO, this is one of the top-three topics that come up."