Cyber Defense Review

Maintaining Massive Networks Through Automation And Management Tools

By 2LT Alexander Molnar | March 28, 2016

Modern computer networks are difficult to maintain, monitor, and protect. Their boundaries are amorphous, they process massive amounts of data, and cyber-attacks occur daily, which require real-time responses.  When computer networks were first utilized in the 1970s by the Department of Defense, they were tools used to exchange data for research purposes.[1] These networks were largely static compared to todays. Now, networks are constantly changing, and are used for more than just communication, and include shopping, finances, and data storage. The lines for where a network begins and ends are often blurred as devices from employees, customers, and contractors are connected and disconnected on a daily basis. Not knowing a networks complete layout makes monitoring difficult. Additionally, instead of just computers connecting to a network, we now have tablets, smart phones, and household appliances. Each new type of device in the network communicates and operates differently, adding another degree of complexity regarding network monitoring.

A tool that may satisfy network monitoring today may be ineffective in the near future as emerging technologies make their way to the marketplace. Also, policies such as ‘Bring Your Own Device’ (BYOD) and teleworking increase security concerns.[2] Where before an information security staff would only have to focus on a small set of devices that never left the work premises, they now must understand and monitor a large variety of devices that may be compromised at any time. Networks are increasing in size exponentially as companies become more reliant on their technological infrastructure. The need for filtering and analytic tools is essential to automate much of this work load. Managing these massive and complex networks, and at the same time conserving time and attention is a difficult balancing act for information security professionals. In order meet this challenge, information security professionals should focus on the following: high degrees of automation, scalability, centralized management, and real-time analysis. Tools such as Splunk and the Meraki Cloud platform, and programs such as the Continuous Diagnostics and Mitigation (CDM) program will allow information security professionals to maintain situational awareness of massive networks into the future.

Splunk automates a large portion of network monitoring and allows security professionals to react to cyber incidents in real-time. The software is designed to be scalable for monitoring and analysis of big data. The amount of data that goes through a modern network is staggering. To put things in perspective, the world processes on average 2.5 quintillion bytes of data every day.[3] In the last two years alone 90% of all computer data was created demonstrating its exponential growth. This increase in data production across networks has made network monitoring nearly impossible without machine assistance. Wireshark, another network monitoring tool, can be useful for filtering through small network traffic, but it will begin to slow with a packet capture above 100MB.[4]  For networks handling big data, this capability is insufficient. Splunk is particularly useful because it allows network analysts to create alarms, which will go off when suspicious behavior is identified. These alarms are set to automatically notify network professionals of incidents and assist them diagnose the problem. This approach to network monitoring alleviates much of the burden characteristic of manually filtering through data. Splunk also operates 24/7 and handles data in real-time, so problems are identified quickly.[5] This is crucial since cyber-attacks occur daily against businesses and government agencies. For example, the Department of Defense reported that it was subjected to 10 million cyber-attacks in 2012, an average of over 1000 an hour.[6] Also, in 2014 over 317 million new pieces of malware were created.[7] Without such technologies like Splunk, analysists would fall days, if not weeks behind in analyzing their network traffic. Splunk assists in analyzing big data, while relieving the burden from network managers, but other tools are needed to maintain these massive networks.

Cloud computing solves problems associated with complex networks spanning across vast geographical locations. It is scalable to large networks, and utilizes an ‘out of band’ management architecture. This architecture ensures that only prescribed management data flows through the cloud. User data stays in your network without ‘touching’ the internet. Cloud networking also provides centralized management, visibility, and control without the cost of and complexity of traditional management software.[8] The Cisco Meraki Cloud Platform is one such tool which utilizes cloud networking and handles networks with tens of thousands of devices. Cloud networking is especially useful for massive networks because devices just need to connect to the internet in order to download their complete configurations. With the Cisco Meraki Cloud Platform, the connection through the Secure Socket Layer utilizes both symmetric and asymmetric key encryption. Not only is configuring devices easier with cloud networking, but firmware updates, and VPN configurations can also be automated. Managers can utilize online control applications to check the status of their network nodes and run diagnostics from anywhere. Being able to centralize management through the internet gives network managers the ability to automate numerous tasks, and focus their attention on the ‘big security’ picture. Massive networks often have sites located across huge distances, and cloud networking helps alleviate the need for unnecessary and time consuming travel. With cloud networking, large infrastructures can be maintained, but other tools are needed to help staff prioritize cyber threats.

The Continuous Diagnostics and Mitigation (CDM) program is a process developed by the Department of Homeland Security to help government agencies protect and manage their networks by prioritizing focus on the most significant cyber threats first.[9] The massive number of cyber-attacks launched every day has made it increasingly difficult to maintain the confidentiality, integrity, and availability of extensive networks. This program consists of six steps designed to be scalable and adaptable to new and evolving threats: Install/Update Sensors, Automated Search for Flaws, Collect Results from Departments and Agencies, Triage and Analyze Results, Fix Worst First, and Report Progress.[10] Sensors perform automated searches for known cyber flaws and create reports for network managers. These reports are prioritized based on what is most dangerous, which allows network managers to allocate resources effectively. Progress reports are relayed to key leaders providing situational awareness to the entire agency. The CDM program transforms resource-limited organizations, and effectively tackles the worst cyber threats facing their networks. Additionally, it creates a prioritization within minutes, allowing for near real-time responses.[11] The CDM has great potential to help streamline network maintenance, but it is still growing and has challenges. Though the tools used in CDMs continuous monitoring methods are not new, there are concerns regarding budget and staffing required to build the infrastructure to create these reports. Additionally, 56% of the government agencies who have used the CDM program and have reported success, with 44% saying budget and staffing requirements are causing issues.[12] The success of these tools and programs are dependent on how well they are implemented.

 

Conclusion

Splunk, Cloud Networking, and the CDM program all offer promising automation towards massive network maintenance by alleviating much of the manual burden from IT staff, and allowing organizations to focus their efforts on security threats. As networks grow in size and complexity, so too do their vulnerabilities. Additionally, cyber criminals are becoming increasingly sophisticated as they take advantage of powerful open-source online tools. Though these tools and programs are critically important to managing massive networks, it is sometimes difficult for an organization to change its infrastructure to support them. Also, these promising network capabilities are only as effective as organizations allow them to be. Splunk is a powerful tool for monitoring massive networks, but the staff needs to properly take advantage of its features, or it will become an unnecessary burden. Likewise, the Meraki Cloud Platform, which allows network managers to quickly and efficiently manage networks across the globe, puts a heavy responsibility on the individuals running the operation. Organizations that use these tools must never fall victim to complacency and allow automation to diminish network manager skills. These tools and programs will provide the capability to maintain massive networks, but they are not a replacement for the expertise required from professionals in the field.  Moving forward, it is critical that information security professionals be flexible to an ever-changing environment. With the aid of automation tools, coupled with a deep understanding of network fundamentals, massive networks can safely be used to form the backbone of a world being connected.

 

Endnotes

[1] Suzanne Deffree, “ARPANET establishes 1st computer-to-computer link, October 29, 1969,” EDN Network. (29 October, 2015), 1-2.

 

[2] Dean Evans, “What is BYOD and why is it important?”

http://www.techradar.com/us/news/computing/what-is-byod-and-why-is-it-important–1175088 (accessed 13 December, 2016).

 

[3] International Business Machines, “What is Big Data?”

https://www-01.ibm.com/software/data/bigdata/what-is-big-data.html (accessed 13 December, 2015).

 

[4] Anders Broman, “Working with Large Capture Files”, 30 January, 2013.

https://wiki.wireshark.org/Performance (accessed 14 December, 2015).

 

[5] Splunk Enterprise, “The Platform for Operational Intelligence,”

http://www.splunk.com/en_us/products/splunk-enterprise.html (accessed on 13 December, 2015).

 

[6] Jonathan O’Callaghan, “Think you’re safe on the internet? Think Again,” Dailymail.com. (26 June 2014). http://www.dailymail.co.uk/sciencetech/article-2670710/Think-youre-safe-internet-Think-Map-reveals-millions-cyber-attacks-happening-world-real-time.html (accessed 12 December, 2015).

 

[7] Virginia Harrison and Jose Pagliery, “Nearly 1 million new malware threats released every day,” CNN Tech, 14 April, 2015.

http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/ (accessed 13 December, 2015).

 

[8] Cisco Systems, Inc. “Cloud Networking Architecture: An Integrated Networking Platform Build for Management,” 2015.

https://meraki.cisco.com/products/architecture/ (accessed 12 December, 2015).

 

[9] John Pescatore, “Continuous Diagnostics and Mitigation: Making it Work,” SANS Institute InfoSec Reading Room, August 2014.

 

[10] Department of Homeland Security, “Continuous Diagnostics and Mitigation (CDM),” 6 November, 2015.

http://www.dhs.gov/cdm (accessed 12 December, 2015).

 

[11] Ibid., 1.

 

[12] Continuous Diagnostics and Mitigation: Making it Work, 2.