Verify the Integrity of Your Network With a Bit of Flexibility


In a previous publication, we presented how IoT and smart devices introduced vulnerabilities in your corporate network. As most of these devices are unsecured and easily mimicked, they’re an easy target for cyber-criminals looking to access your precious, precious data.

The Bring-your-own-Device trend has been exacerbated by workers returning to the office after the Work-from-Home interlude of 2020-2022, thereby introducing a flurry of new intrusion vectors. But those aren't the only threat.

Network devices themselves, like routers, firewalls and switches, can also be the target of cyberattacks and leveraged as part of a data exfiltration scheme, or to access other parts of the network where juicier information may be stored. A hijacked firewall, for instance, could be remotely accessed to grant unlawful network rights to an external user. A router could similarly be commandeered to collect data as it passes through it, or simply reroute your users to sketchy websites instead of the legitimate ones they were trying to reach. From there, they can be tricked into sharing their personal information themselves. At the end of the day, your network and security setup is a finely tuned ecosystem, and if someone, either on the inside or the outside, manages to take control of any device, it can lead to chaotic outcomes.

New vulnerabilities and threats are discovered every day around the world, some of which are quite concerning by their degree of sophistication. Many technology vendors are proactive and warn their install base quickly (e.g. Cisco’s security advisories), but for understaffed IT and security organizations, it can quickly become overwhelming.

The best remedies will always remain user best practices as well as institutionalized cyber hygiene (e.g. keeping software and hardware up to date), but even then, your business is never completely out of reach.

Detecting illegitimate network activity early is therefore extremely important to take swift action and contain the threat.

The good news is that unlawful activity leaves a trace: a router sending data transfers in the middle of the night without any such requests coming from a computer or smartphone downstream may be a sign that it’s been compromised; or, a user trying to access PowerPoint and instead being sent to an unknown server in Borduria should cause immediate alarm. Discrepancies in data flows are a good indication that something’s wrong. The bad news is that such a discrepancy is quite difficult to observe if you’re not specifically looking for it.

An ideal way of answering this challenge and achieving higher monitoring accuracy is to monitor traffic at different points in the network, to verify without any shadow of a doubt that the integrity of your network hasn’t been compromised. For example, you could monitor traffic data before and after key network components, such as a firewall, to verify that nothing was added, changed, or removed.

Sounds easy, but there are a few challenges to overcome in order to benefit from such a setup.

First, there’s no obvious way of configuring sensors or monitors in such a way that the network data logs of both are compared against each other, let alone in real time. As a result, while there's nothing preventing you from taking the pulse of your network in two places today, the added value is lost if you can't match flows, and effectively isolate discrepancies.

Second, you need a solid orchestrator to manage those different readings and tie them together in a chain. As mentioned earlier, this is not generally supported by conventional solutions, and sensors or agents feed raw data that must then be interpreted. It's also important to consider that despite (hopefully) being the same data, it must be processed twice before being compared, which represents twice the size in storage.

At the end of the day, verifying the integrity of your network traffic data on such a level can give you peace of mind, but it requires a solution with enough flexibility to avoid falling into the trap of over-engineering and complexity.

Limnetic is designed specifically with that type of modularity in mind and can help network and security practitioners achieve deeper visibility into their corporate traffic, attesting to their networks’ data integrity.

Limnetic’s highly distributed and modular architecture allows client organizations to deploy sensors in multiple locations without complexity. The technical data collected by these successive sensors can then be compared in real time by the Limnetic Cloud to verify that no unexpected session was created or removed at any point in the process.
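As an added illustration of the before-and-after comparison described above (example code, not Limnetic's own): two constructed flow logs, one from a sensor on each side of a firewall, are matched on a direction-independent 5-tuple within a short time window, and every unmatched record is classified. The sample addresses, timestamps and the blocked-port policy are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records: (time_s, src_ip, src_port, dst_ip, dst_port, proto)
UPSTREAM = [   # sensor on the WAN side of the firewall
    (100.0, "203.0.113.5", 51000, "192.0.2.10", 443, "tcp"),  # inbound HTTPS, allowed
    (101.0, "203.0.113.9", 51001, "192.0.2.10", 22, "tcp"),   # inbound SSH, policy says block
    (102.5, "192.0.2.20", 40000, "198.51.100.7", 53, "udp"),  # outbound DNS
    (104.0, "203.0.113.5", 51002, "192.0.2.10", 443, "tcp"),  # allowed, but vanishes downstream
]
DOWNSTREAM = [  # sensor on the LAN side of the firewall
    (100.2, "203.0.113.5", 51000, "192.0.2.10", 443, "tcp"),
    (102.6, "198.51.100.7", 53, "192.0.2.20", 40000, "udp"),  # reply direction of the DNS flow
    (103.0, "192.0.2.10", 50555, "198.51.100.66", 4444, "tcp"),  # exists only inside: injected
]
BLOCKED_DST_PORTS = {22}  # hypothetical firewall policy, used to recognise expected drops

def flow_key(rec):
    """Direction-independent 5-tuple so both halves of a session share one key."""
    _, sip, sport, dip, dport, proto = rec
    a, b = sorted([(sip, sport), (dip, dport)])
    return (proto, a, b)

def match_flows(upstream, downstream, window=1.0):
    """Pair each upstream record with an unmatched downstream record that has the same
    key within `window` seconds. Returns (only_upstream, only_downstream)."""
    pending = defaultdict(list)
    for rec in downstream:
        pending[flow_key(rec)].append(rec)
    only_up = []
    for rec in upstream:
        cands = pending[flow_key(rec)]
        hit = next((c for c in cands if abs(c[0] - rec[0]) <= window), None)
        if hit is None:
            only_up.append(rec)
        else:
            cands.remove(hit)
    only_down = [r for recs in pending.values() for r in recs]
    return only_up, only_down

def audit(upstream, downstream, blocked_ports, window=1.0):
    """Turn the two discrepancy lists into findings. A flow the policy should block
    and that is missing downstream is normal; any other discrepancy is an alert."""
    only_up, only_down = match_flows(upstream, downstream, window)
    findings = []
    for rec in only_up:
        if rec[4] in blocked_ports:
            findings.append(("info", "expected firewall drop", rec))
        else:
            findings.append(("high", "allowed flow lost between sensors", rec))
    for rec in only_down:
        findings.append(("critical", "session created downstream of firewall", rec))
    return findings
```

The time window is what lets the two readings be tied together despite clock skew and processing delay between sensors; widen it and unrelated sessions start to pair up, narrow it and legitimate ones fall apart.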


When a suspicious discrepancy occurs, Limnetic flags it and alerts the client immediately. It is precisely this degree of accuracy and verifiability that will give greater legal value to the data collected. Of course, as with suspicious destinations and behaviour (as described in a previous post), with the proper installation, Limnetic can block the traffic in order to contain potential vulnerabilities.

By facilitating the deployment of data sources within the corporate network, Limnetic validates the integrity of data flows both downstream and upstream of hot spots (e.g. the firewall), thus ensuring accuracy and precision. Again, without the proper tools, it's easy to miss a suspicious session when your network sends and receives hundreds or thousands of flows every minute.
