Financial Institutions Network Security Is Being Blinded

Written by: Francesco Trama | Published on: November 4th, 2016

About The Author

Francesco Trama
As Chief Executive Officer and Founder, Francesco is responsible for the overall operating performance, leading the strategic direction of the company’s products and solutions internally while building technical and business credibility externally as a market-facing thought leader.

Today, financial institutions (though not only they) are being overrun with security logging and alerting. Each new monitoring and alerting device adds more things to consider when evaluating threats day to day. You would think this would help, that it is a good thing. It is and isn't at the same time. We bury our faces in reports, sift through log after log for the magic bullet, and set up countless alerts on top of alerts, chasing countless rabbits (false positives) down holes. This in itself burdens budgets, jades security teams, and masks the legitimate threats that can ultimately lead to a breach.

How many stacks of reports, graphs, and pie charts do you look at today? How many lines of logs do you look at? Do you stop when your eyes are bleeding? I've personally chased enough rabbits (false positives) down holes that I almost grew a tail.

To understand the enormity of the problem, let's rewind the clock a couple of years and see what it was like in 2014, according to Damballa's report:

The average North American enterprise fields around 10,000 alerts each day from its security systems, far more than their IT teams can possibly process, a Damballa analysis of Q1 2014 traffic has found.

You have to ask why. Why are we seeing this many alerts on a daily basis? The simple answer is that we are not considering what we are allowing to and through the perimeter. We basically open up exposures in our firewalls and DMZs, then top it off with an army of monitoring devices to watch and understand the traffic.

Hold on! Before you write me a nasty comment, here is what I'm saying. Today we are allowing everything to the gateway, forcing the security devices to inspect everything. This is how they are built and designed.

For instance, your firewall rules may look like this:

permit any to 1.1.1.1 tcp/udp port x

permit any to any tcp/udp port x, y, z

What you told your firewall is to allow everyone on the planet access to those IPs and services. What if that was a VPN, HR, WebMail, FTP, VM, PAYMENT PROCESSING, SSH, RDP, or TELNET portal?

Have you ever asked why we are doing it this way, or why we are inspecting everything? Imagine if your security environment only had to inspect 30% of what you are seeing today. That would alleviate logging and alerting, shrink rule sets, provide faster threat detection, and unburden human resources. Right? Right!

You're probably wondering: it can't be that simple? It is, though. Lessening the traffic burden lessens the traffic load. Today, in many situations, the solution looks like:

We need more bandwidth
We need a bigger firewall
We need to consolidate logs and alerting
We need more staff
All of this may be true, and if budgets permit, go for it! But think about it. If we can remove the bulk of the garbage traffic (let's say 70%) without interfering with production traffic, all of the above is moot.

There is a light at the end of the tunnel: enter the Geo-IP layer, a seemingly simple layer that, when done properly, removes the burden on the security environment by eliminating the waste before it enters. But don't think for one minute that your current security devices can do this properly. That's a myth. The problem has always been that current security tools only provide a subset of what is needed to properly Geo-IP filter, which leaves a bad taste in the security team's mouth. Separating the Geo-IP layer from the application layer is vital for this layer to work to your benefit. Anything else, and you are back where you started.

The Geo-IP layer's sole purpose is to eliminate traffic before it is inspected. The end result is what you see in the image below: a much cleaner, more efficient security environment.

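The Geo-IP layer the post describes, as an added example that is not code from the post or from the author's product: a small Python pass that applies a per-service country allowlist to perimeter connection-attempt log lines before anything reaches the inspection stack, and reports how much of the volume it removed. The prefix-to-country table, the policy, the port map and the log lines are all constructed assumptions for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-country table (RFC 5737 ranges); a deployment would load a real Geo-IP DB.
GEOIP_TABLE = [(ipaddress.ip_network(n), c) for n, c in [
    ("203.0.113.0/24", "US"), ("203.0.113.128/25", "DE"),  # /25 is more specific
    ("198.51.100.0/24", "CA"), ("192.0.2.0/24", "RU")]]
# Per-service country allowlist enforced before inspection. None means no
# geographic restriction (public web); a service absent from POLICY is dropped.
POLICY = {"https": None, "vpn": {"US", "CA"}, "rdp": {"US"}}
PORT_TO_SERVICE = {443: "https", 1194: "vpn", 3389: "rdp", 23: "telnet"}
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+)")
SAMPLE_LOG = [  # constructed perimeter log lines, one connection attempt each
    "2016-11-04T09:00:01 src=203.0.113.10 dport=443",    # US -> https: pass
    "2016-11-04T09:00:02 src=203.0.113.200 dport=1194",  # DE -> vpn: drop
    "2016-11-04T09:00:03 src=198.51.100.7 dport=1194",   # CA -> vpn: pass
    "2016-11-04T09:00:04 src=192.0.2.44 dport=3389",     # RU -> rdp: drop
    "2016-11-04T09:00:05 src=192.0.2.45 dport=23",       # RU -> telnet: drop
    "2016-11-04T09:00:06 src=192.0.2.46 dport=443",      # RU -> https: pass
    "2016-11-04T09:00:08 src=100.64.0.1 dport=3389",     # unmapped -> rdp: drop
]

def lookup_country(ip):
    """Longest-prefix match over GEOIP_TABLE; unmapped space reports 'UNKNOWN'."""
    addr, best = ipaddress.ip_address(ip), None
    for net, country in GEOIP_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, country)
    return best[1] if best else "UNKNOWN"

def geoip_decision(src, dport):
    """Return ('pass' or 'drop', country, service) for one connection attempt."""
    service = PORT_TO_SERVICE.get(dport, "unlisted")
    country = lookup_country(src)
    allowed = POLICY.get(service, set())  # unlisted service: allow nothing
    verdict = "pass" if allowed is None or country in allowed else "drop"
    return verdict, country, service

def filter_log(lines):
    """Apply the Geo-IP layer; return (stats, lines that still reach inspection)."""
    stats, to_inspect = Counter(), []
    for line in lines:
        m = LOG_RE.search(line)
        verdict, country, service = geoip_decision(m["src"], int(m["dport"]))
        stats[verdict] += 1
        if verdict == "pass":
            to_inspect.append(line)
    stats["percent_removed"] = round(100 * stats["drop"] / len(lines))
    return stats, to_inspect
```

On the constructed sample the layer removes 4 of 7 attempts (57%) before inspection, and a source that falls in no known prefix is dropped for restricted services rather than waved through.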