sdn and cyber security: why your audit committee is looking over your shoulder


Upload: pluribusnetworks

Post on 23-Sep-2015


DESCRIPTION

Controlling the risk of becoming the next widely publicized breach.

TRANSCRIPT

  • Software Defined Networking and Cyber Security: Why Your Audit Committee is Looking over Your Shoulder

    About the author: George de Urioste is Chief Financial Officer for Pluribus Networks, Inc. In his 30+ years of experience, he has served as Audit Committee chairman for 6 companies, public, private and not-for-profit, and CFO at three public companies. He's also currently active as an audit committee chairman for a technology company.

    Now permeating Board rooms across America: Audit Committees challenge CIOs and CFOs to "stop assuming network security protections are adequate!" They ask: "What's our risk of becoming the next Anthem, Target, Sony, eBay, Home Depot (cyber breach)?"

    The perplexing translation of the above question is: how well do we search for something we don't know, then "lock it down?" The predictable response: a "deer in headlight" stare from the CIO and CFO.

    At a conference for audit committee chairmen, there was quite a somber panelist: He's a supervising agent for the FBI for northern California. He challenged us with questions to ask our CIOs. I'll share the story he told (paraphrased for length). First, he explained the FBI's perspective: it's "when, not if" your company will be victimized by cyber theft. He emphasized that the percentage of companies being hit is far, far higher than what is reported in the media, because "we at the FBI get calls 'all the time.'" He explained: most companies are too embarrassed and avoid public disclosure. Why? Part of the reason is that in most circumstances, the cyber thieves have been inside the network undetected for significant lengths of time, before the company discovered the breach and damage.

    Here's his story/analogy: Assume your data center / network is like a building with 40,000 windows. Wisdom requires your windows have locks and security alarms. So you do and you feel safe; you assume your detection mechanisms give you security and visibility. You're feeling comfortable, but it's a false sense of risk assessment, he says.

    The FBI supervising agent further explained: Technology evolves faster than organizations are able to react and adapt. Move aside the porn industry; it's now the cyber-criminal industry blazing new trails of surreptitious innovation (and what an industry it's become, with Anthem's breach being an example). In short, your windows leak.

    His commentary continued: companies invest heavily in preventing infiltration and to a lesser degree "detection." The question he posed for us Audit Committee chairmen to ask the CIO and CFO: How do you

    Page 1

    [Chart: "Millions of Records" per breach; values 56, 76, 80, 104, 110 and 145 plotted against the dates 9/14, 10/14, 1/15, 1/14, 12/13 and 5/14]

  • prevent exfiltration? The FBI supervising agent elaborated as follows: First, assume you can only minimize, not prevent infiltration. Secondly, regarding detection, you need tools that enable deeper visibility into your network. Existing network security tools are very good. However, the inherent design of data flow in networks enables no shortage of hiding places for cyber thieves. Invest in technology that collaborates with security tools to enhance their potency. Third, when detection occurs, too often network operators lack an agility of immediate control to prevent exfiltration (that is, prevent the cyber thief from getting out). In short, invest more in tools for change management. Damage can be greatly minimized by locking down and preventing valuable information from getting out (exfiltration).

    As trusted business advisors, CIOs and CFOs and their teams must be aware of the latest technological innovations and their impact on organizations. SDN as a programmable and proactive security architecture can be a major element of this. The more agile the network, and the more visibility it provides into traffic anomalies, the more active vs. passive protection it can provide. And although CIOs are still judged on network uptime and issue resolution, these are all known elements given proper network design. It is the unknown, as I noted above, that should keep CIOs up at night: the unknowns that can kill a firm's reputation.

    Afterword: In fact, the CIO and CFO are very adept at fighting the good fight with cyber thieves. And most are eager to take 'em on, shut 'em down. As one of my CIO friends said: "You wanna mess with my Network? I'll smoke you out faster than a greased monkey slides down a tree."

    Learn how: Good discussion about how a CIO can use SDN to avoid being the next Sony Breach. See next page.

    Page 2

    [Figure: "Preserving Your Company's Reputation (Priceless)", CIO KPIs. Source: Pluribus Networks, 2015]

  • The Sony Breach and Protecting the Soft Interior with SDN

    Dave Ginsburg, CMO, Pluribus Networks, Inc.

    "You could have a moat around a heavily fortified castle, but if the bridge is down, then your fortifications become worthless." PwC, 2014

    There has been much written about the Sony breach, as well as a growing number of other less damaging compromises (at least we hope) where the perimeter was thought to be secure but the interior was left unprotected. For example, incidents reported by medium enterprises (those with revenues from $100 million to $1 billion) grew 64 percent between 2013 and 2014, with cost per incident growing by 53% [1]. Small enterprises, in fact, reported less, due to what many say is an underinvestment in tools, with estimates that 71 percent of attacks go unreported. Given today's interconnected business ecosystem, this is indeed a dangerous situation. SDN-based network security with in-line analytics offers a solution.

    The idea of interior protection is not new, and while some vendors do in fact focus on delivering network packet brokers/visibility fabrics, penetrations abound since these solutions are reactive, instead of proactive. If the keys to the kingdom are compromised, such as the sys admin's passwords, what can the network do for protection as opposed to relying on human intervention? Today, intrusions happen too fast for anyone to respond effectively, and terabytes can be siphoned off overnight. Unfortunately, the gap is widening between the speed at which compromises happen and that at which they are discovered. The percent of breaches that have occurred in a matter of days has grown from 75 percent to 90 percent over the last nine years, while discovery in the same time window has remained below 25 percent. With some of the more serious, professional attacks, discovery may take months. By some estimates, in 2014, the negative direct impact on the global economy was up to $575 billion, and the potential IP loss was up to $2.2T! That's a T.

    [Figure. Source: Verizon [2]]

    Page 3

  • Once the infiltrator is inside the network, what does this look like, and why are existing tools incapable of providing real-time protection? Visibility fabrics consisting of taps and collectors are deployed in parallel to the actual data connections, and are not integrated into the network control plane. They are also capable of only sampling a portion of the data. For example, a 48-port 10G TOR switch may have one 10G port spanned to the visibility fabric. These two issues prevent today's visibility fabrics from being used for real-time protection.

    As an example, assume the taps recognize that Host A is sending way too much traffic to Host B, external to the network. Maybe Host C is under SYN attack from outside of the network. Or, more commonly, Host D has some security vulnerability, has been compromised, and is now acting as a vector for an attack. Taps may track this, but then send the data to a correlation platform that informs the IT manager that something is awry. They don't integrate with the control plane, they have no historical context, and thus the feedback loop is broken.

    The manager must then understand just where in the network the attack is taking place, and manually reconfigure the switches and routers. Remember the perimeter is thought to be secure, so interior policies are not too restrictive. And no single device really has visibility into the application flows themselves. They do what they are designed to do, forwarding packets hop by hop.

    CIOs recognize that current approaches don't scale or provide necessary responsiveness. At the recent ONUG in NYC, attendees of the Overlay working group tagged end-to-end monitoring as their top un-met requirement [3].

    SDN and network/flow programmability offers a solution. Deploying virtual probes in-line with the data traffic results in real-time application visibility. The IT manager can craft a set of rules to take immediate effect based on outlier analysis, and the network feedback loop is now immediate, bypassing the delays of human intervention [4]. The process is as follows:

    1. Establish baseline at different times/dates and durations
    2. Invoke ongoing analytics to detect deviations
    3. Invoke native rules or automatically pass to hosted intrusion detection software for further analysis and action
    4. Automatically block, copy, or throttle the suspicious traffic
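As an added example, not code from this paper or from Pluribus/Netvisor, the following Python script walks the four steps just listed and the earlier "Host A is sending way too much traffic to Host B, external to the network" scenario over constructed flow records. The address space in INTERNAL_NET, the flow tuples, the window layout and the z-score thresholds are all assumptions chosen for illustration; a real deployment would read per-flow byte counts from the in-line probes instead of a hard-coded list.

```python
"""Baseline-and-deviation egress detector over constructed flow records.

Added illustration, not Pluribus/Netvisor code: it walks the four steps from
the text (baseline, ongoing analytics, native rules or hand-off to a hosted
IDS, automatic block/copy/throttle) on a few constructed flows, including the
"Host A sends far too much traffic to an external host" case.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the data center's own address space; anything else is "external".
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed flow records: (window index, source host, destination, bytes).
# Windows 0-3 form the quiet baseline; window 4 is the live window under test.
BASELINE_WINDOWS = range(0, 4)
LIVE_WINDOW = 4
FLOWS = [
    # Host A (10.0.0.10) normally sends about 1 MB per window to the outside.
    (0, "10.0.0.10", "203.0.113.5", 1_000_000),
    (1, "10.0.0.10", "203.0.113.5", 1_100_000),
    (2, "10.0.0.10", "203.0.113.5", 900_000),
    (3, "10.0.0.10", "203.0.113.5", 1_050_000),
    # Host D (10.0.0.40) normally talks only to an internal peer.
    (0, "10.0.0.40", "10.0.0.50", 200_000),
    (1, "10.0.0.40", "10.0.0.50", 210_000),
    (2, "10.0.0.40", "10.0.0.50", 190_000),
    (3, "10.0.0.40", "10.0.0.50", 205_000),
    # Live window: Host A bursts to ~40x its baseline toward the external host,
    # Host D triples internally, Host E (10.0.0.60) has no baseline at all.
    (4, "10.0.0.10", "203.0.113.5", 40_000_000),
    (4, "10.0.0.40", "10.0.0.50", 600_000),
    (4, "10.0.0.60", "198.51.100.7", 50_000),
]


@dataclass
class Baseline:
    avg: float  # mean egress bytes per window
    std: float  # population standard deviation over the baseline windows


def per_host_egress(flows, window):
    """Total bytes each source host sent during one window."""
    totals = defaultdict(int)
    for w, src, _dst, nbytes in flows:
        if w == window:
            totals[src] += nbytes
    return dict(totals)


def build_baseline(flows, windows):
    """Step 1: learn each host's normal egress from the baseline windows."""
    samples = defaultdict(list)
    for w in windows:
        for host, total in per_host_egress(flows, w).items():
            samples[host].append(total)
    return {host: Baseline(mean(v), pstdev(v)) for host, v in samples.items()}


def deviation(total, base):
    """Step 2: how many standard deviations above normal this window is.

    When the baseline is flat (std ~ 0) fall back to a ratio so a first-ever
    burst still registers instead of dividing by zero.
    """
    if base.std < 1e-9:
        return (total - base.avg) / max(base.avg, 1.0)
    return (total - base.avg) / base.std


def sends_external(flows, window, host):
    """True if the host sent anything outside INTERNAL_NET in this window."""
    return any(
        w == window and src == host and ip_address(dst) not in INTERNAL_NET
        for w, src, dst, _ in flows
    )


def classify(flows, window, baseline, z_block=10.0, z_throttle=3.0):
    """Steps 3-4: native rules decide block/throttle/allow; unknowns go to IDS.

    The z_block / z_throttle thresholds are assumed values for this example.
    """
    decisions = {}
    for host, total in per_host_egress(flows, window).items():
        base = baseline.get(host)
        if base is None:
            # No history to judge against: copy the traffic to the hosted IDS.
            decisions[host] = "copy"
            continue
        z = deviation(total, base)
        if z >= z_block and sends_external(flows, window, host):
            decisions[host] = "block"      # outlier egress leaving the network
        elif z >= z_throttle:
            decisions[host] = "throttle"   # suspicious but internal: slow it down
        else:
            decisions[host] = "allow"
    return decisions


if __name__ == "__main__":
    base = build_baseline(FLOWS, BASELINE_WINDOWS)
    for host, action in sorted(classify(FLOWS, LIVE_WINDOW, base).items()):
        print(f"{host:<12} -> {action}")
```

Run stand-alone, the script blocks Host A (a large outlier that is also leaving the network), throttles Host D (a large outlier that stays internal) and copies Host E to the IDS because it has no baseline to judge against. Reserving the hard block for traffic that actually crosses to an external address is the design choice that matters here: it is the exfiltration step the text wants stopped, while an internal anomaly is slowed and handed to deeper analysis rather than cut off outright.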

    Additionally, the information gathered and steps taken are not just points in time. The ability to look back in time, a rich forensics capability, is also part of the embedded solution. Luckily, there is now an awareness that this new class of tools exists, and their role in protection, detection, and response is now a CIO imperative.

    Footnotes:

    1. Managing cyber risks in an interconnected world - Key findings from The Global State of Information Security Survey 2015, September 2014, PwC

    2. 2014 Data Breach Investigations Report, Verizon, April 2014, Verizon Enterprise Solutions

    3. ONUG-Fall-2014-Overlay-WG-UC-Poll-Results.png, October 2014, ONUG

    4. Netvisor: Bare Metal Control Plane, Application Level Analytics and Intrusion Detection, August 2014, ACM.

    Page 4