Using big data for tactical security networks: SafeNet

Networks that use big data to automatically adapt and reconfigure themselves in response to attacks could be just around the corner.
Written by Michael Lee, Contributor

Network devices are able to produce significant amounts of information, which could potentially be used to help defend against an attack in real-time and as it happens, but while analysts have only really been using the information to create statistics and pretty graphs, the concept of using the data to create tactical, self-defending networks is now beginning to emerge.

In an interview with ZDNet, SafeNet VP and Chief Technical Officer Russell Dietz said that, while networks of this sort are not yet here today, the technology to implement is just around the corner.

"It's definitely starting to pick up on the horizon right now. One of the biggest things that you can see going on, if you look at the overall landscape, is you have the concept of a virtual network infrastructure now being deployed."

He said the combination of this virtual infrastructure and the use of big data gives organisations the ability to react quickly and adjust infrastructure to deal with attacks.

According to Dietz, a physical network can be under attack for a significant amount of time before it can be reconfigured to mitigate attacks or protect users, but a virtual network would allow a segment of the network to be isolated so that it is unaffected, buying time for administrators to take action.

"You're going to start to see the ability to change the infrastructure as well, and then come back and augment the security solutions along the line, so you can put that [attacked] service back online in a secure way."

However, simply parsing through the data provided from networked devices and using it to modify network configurations on the fly is not enough.

"Another element that's critical is beefing up what you're doing in the identity and access management space, because you're not going to want to take the network out. You're going to want to create an isolated zone, and the only way you're able to do that is with some sort of an authenticated device or an authenticated collection of users."

Authentication and identification also perform double duty in helping to ensure that the data being used to reconfigure the network has not been tampered with. Just as hackers have taken advantage of the latest technology to fuel their activities, Dietz said that it was necessary to ensure that the data the network was being fed also wasn't being tampered with, which could force the network into a configuration that might benefit attackers.

"If you're using a posture of making decisions about positioning tactical protection techniques based on data, you can be rest assured that the cyber-attackers will go after data that's making the decisions about plugging the holes."

Dietz said that it was likely that a hacker aiming to do so would go for the weakest link in the chain: direct attached storage, where data is collected and pooled together. He said that, if left unencrypted, hackers could modify the data to cover their tracks, or trigger the network to react in a particular way.

"When the data is then redistributed and reviewed, it's very simple for that data to be removed from the equation because it doesn't match some of the data that was collected at some of the other points when it was being analysed. And now the hacker has basically obscured what he's doing by literally putting a level of question into the results that were collected from a couple of the telemetry devices in the network," he said. He reaffirmed that, in addition to ensuring that devices are who or what they say they are, the data itself needs to be encrypted to avoid tampering as it is collected for analysis.

"Definitely, for a tactical security network that is using real-time data and big data to produce results, you'll have to have a very good encryption posture to ensure you have valid data to take action [with]."

Editorial standards