Toward CNS: Converged Network Security systems

In my ongoing series of posts on data-driven security, I noted the rise of defense tactics that seem to point the way toward more reliance on continuous, dynamic data sources than on intermittent feeds of data such as signature updates. One advantage of such an approach would be to make defense more responsive to new and emerging threats, or to those that can be difficult to mitigate on resource-bound endpoints, such as obfuscated attacks.
It could also have an impact on making security point products more general purpose in their function, if what they do is defined “on demand” by their data sources. This would be good news to many enterprises, if it meant they could reduce their total number of security point products and the need to continuously add more. Data-driven tactics could mean fewer, more flexible products that could do more while maintaining their effectiveness through reliance on dynamic data sources.
If this development does indeed emerge in security products, it will intersect with another trend that is also driving security technology to provide broader and more flexible coverage, particularly in the network.
Up to now, we have seen network security siloed in segments such as firewalls, intrusion detection and prevention systems (IDS/IPS), anomaly detection, Web application firewalls (WAFs), client-side web security and “safe browsing” systems, antispam and message security gateways, VPN, and data loss prevention (DLP) in the network. But there are two overall trends that have already begun to collapse the distinctions between these products:
- The Web has become the lingua franca of IT. In the past, many networked applications and services were accessed through their own specific ports and protocols as well as through their own servers and clients. Today, much more functionality is distributed via Web technologies, thanks to their flexibility and the ubiquity of the “universal client,” the browser.
- This, in turn, has collapsed the number of ports and protocols used for a substantial proportion of network traffic down to (typically) server ports 80 and 443, and HTTP/HTTPS.
This means that the application-level granularity of the firewall is at risk of being lost to the unification of networked content via the Web – which heightens the need for network security functionality that is not only more application-aware, but more content-aware as well. This, in turn, heightens the value of network content inspection.
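As an added illustration of the point above (example code written for this post, not from the original or from any product it mentions), the block below classifies a handful of constructed flow records first by destination port alone and then by application identity taken from the HTTP Host header or TLS SNI; the host names and the policy table are hypothetical.

```python
# Added example: why port-based rules lose application granularity once most
# traffic rides on 80/443, and what an application-aware policy recovers.
# All flow records, host names and policy entries below are constructed.
from collections import Counter
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    host: str  # HTTP Host header or TLS SNI; "" when nothing is visible


# Constructed sample flows: four distinct applications share port 443.
FLOWS = [
    Flow(443, "mail.example.com"),
    Flow(443, "social.example.net"),
    Flow(80, "cdn.example.org"),
    Flow(443, "collab.example.com"),
    Flow(443, ""),   # no SNI/Host visible: opaque to content inspection
    Flow(22, ""),    # legacy SSH: here the port alone still identifies the app
]

# Hypothetical policy keyed on application identity rather than on port.
APP_POLICY = {
    "mail.example.com": "allow",
    "social.example.net": "allow-dlp-inspect",
    "cdn.example.org": "allow",
    "collab.example.com": "allow",
}


def classify_by_port(flow):
    """Classic firewall view: only the destination port is visible."""
    return {80: "http", 443: "https", 22: "ssh"}.get(flow.dst_port, "other")


def classify_by_app(flow):
    """Application-aware view: Host/SNI when present, otherwise fall back to port."""
    return flow.host if flow.host else "opaque-" + classify_by_port(flow)


def decide(flow):
    """Policy decision for one flow; unknown or opaque traffic gets the conservative default."""
    return APP_POLICY.get(classify_by_app(flow), "deny-or-inspect")


def summarize(flows):
    """Return (port-view counts, application-view counts) for a list of flows."""
    return (Counter(classify_by_port(f) for f in flows),
            Counter(classify_by_app(f) for f in flows))
```

Running `summarize(FLOWS)` shows the port view collapsing four different applications into one `https` bucket, while the application view keeps them apart and isolates the single flow that content inspection cannot see into.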
Mobility and distributed applications throw other factors into the mix – with something of a paradox. On the one hand, a new variety of mobile devices and applications, from social networking to collaboration, increases the complexity of network security and stretches the definition of “endpoint.” On the other, these systems, too, focus much of their capability on technologies of the Web. This means that flexibility in network security is becoming equally important.
We have already seen evidence of these trends in the emergence of so-called “next generation” firewalls, which preserve the purpose of the firewall in filtering a wide range of network traffic while addressing these evolving needs. At the same time, we are also seeing systems that focus on content inspection such as IDS/IPS becoming more “firewall-like” in their functionality, as they become more explicit in their ability to distinguish and differentiate application traffic.
I see this evolution leading towards what I think of as Converged Network Security (CNS) systems. (And yes, the acronym collision with “central nervous system” is intentional, since these platforms could indeed become the focus of much network security capability in the future.)
Some will undoubtedly argue that we have begun to see this already in Unified Threat Management (UTM) systems, for example. To me, UTM is only the beginning. CNS systems will need to be highly adept at turning content inspection into distinctions of the nuances of a wide range of applications, particularly from a mass of data that less Web-aware technologies may not differentiate as well. Ideally, CNS would help close gaps across silos of protection, from Web applications to content security to improved control for endpoint-to-endpoint applications such as social networks and distributed collaboration and communication systems. CNS systems would also require better integration of common functionality across domains of protection, such as the identity and access privilege intelligence needed to understand how best to apply policy, regardless of medium.
There will, of course, be tradeoffs with any such strategy. Performance requirements – already an issue in real-time defense – would escalate substantially for converged systems, particularly when inspection of encrypted traffic is added into the mix (something which introduces challenges of its own). Consolidated functionality may also consolidate single-point concerns and make CNS a bigger target. This, however, could be mitigated by high availability or distribution strategies that spread risk without losing functionality. An added benefit of such approaches would be to improve performance through parallelism. This could accelerate the substantial performance gains we are already seeing in high-end network security systems.
The advantages of improved protection from a variety of tools and vendors may be lost, or at least muted, if functionality is obtained from a single vendor or consolidated system. The upside there, however, would be the consolidation of point products and at least the potential of more effective protection from better integrated systems. Should more dynamic, data-driven tactics supplement CNS capability, much of the advantage of “best of breed” could be supplanted by more dynamic intelligence supplied to data-driven CNS. This, in turn, could further mitigate threats as they emerge and help close windows of exposure, if the risk of attracting the attention of the attacker to such tactics can be mitigated as well.
The fact that such systems consolidate functionality should also help make them more responsive to technology trends, if their capability is sufficiently modular to allow new flexibility to be added as new protection requirements emerge. Performance needs could also drive CNS integration with higher-end core networking. We’ve already seen an example of this in the convergence of Web acceleration with the WAF space, of course, which suggests a likely role for CNS functionality at or near the network core, considering the range of protection provided and the performance required for server-side resources.
This could also extend “packaging” trends that combine core network systems with defense and policy control analogous to the “rack-deployed” data warehouse packages I discussed in my fourth post on data-driven security. Virtualization could further extend such trends and make CNS capability more available to service and cloud computing providers – which, in turn, could make more advanced network security available to a wider audience.
How does this view mesh with what you’re seeing – or does it? For those interested, I talked about this evolution in the context of network IPS on a webcast with Jamie Licitra of IBM, who joined me to discuss directions in network intrusion prevention technology. I’d be interested in your feedback and thoughts on this trend.

