So#ware

Dened Networking and Cyber Security:

Why Your Audit Commi/ee is Looking over Your Shoulder

About the author:

George de Urioste is Chief Financial Ocer for Pluribus Networks, Inc. In his 30+ years of experience, he has served as Audit
CommiHee chairman for 6 companies, public, private and not-for-prot and CFO at three public companies. Hes also currently acNve
as an audit commiHee chairman for a technology company.

Now permea*ng Board rooms across America: Audit Commi7ees challenge CIOs and CFOs to stop
assuming network security protec*ons are adequate! They ask: Whats our risk of becoming the next
Anthem, Target, Sony, eBay, Home Depot (cyber breach)?
Millions"of"Records"
160"
140"
120"
100"
80"

145"

60"
40"
20"

56"

76"

80"

104"

110"

0"
9/14"

"""10/14 """"""1/15 """"""""1/14 """""""""12/13

""5/14"

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

The perplexing transla*on of the above ques*on is: how well do we search for something we dont know,
then lock it down? The predictable response: a deer in head-light stare from the CIO and CFO.

At a conference for audit commi7ee chairmen, there was quite a somber panelist: Hes a supervising agent
for the FBI for northern California. He challenged us with ques*ons to ask our CIOs. Ill share the story he
told (paraphrased for length). First, he explained the FBIs perspec*ve its when, not if your company
will be vic*mized by cyber theU. He emphasized that the percentage of companies being hit is far, far higher
than what is reported in the media, because we at the FBI get calls all the *me. He explained: most
companies are too embarrassed and avoid public disclosure. Why? Part of the reason is that in most
circumstances, the cyber thieves have been inside the network undetected for signicant lengths of *me,
before the company discovered the breach and damage.

Heres his story/analogy: Assume your data center / network is like a building with 40,000 windows.
Wisdom requires your windows have locks and security alarms. So you do and you feel safe; you assume
your detec*on mechanisms give you security and visibility. Youre feeling comfortable, but its a false sense
of risk assessment, he says. The FBI supervising agent further explained: Technology evolves faster than
organizaNons are able to react and adapt. Move aside the porn industry; its now the cyber-criminal
industry blazing new trails of surrep**ous innova*on (and what an industry its become, with Anthems
breach being an example). In short, your windows leak.

His commentary con*nued: companies invest heavily in preven*ng inltra*on and to a lesser degree
detec*on. The ques*on he posed for us Audit Commi7ee chairmen to ask the CIO and CFO: How do you
Page 1

prevent exltraNon? The FBI supervising agent elaborated as follows: First, assume you can only minimize,
not prevent inltra*on. Secondly, regarding detec*on, you need tools that enable deeper visibility into your
network. Exis*ng network security tools are very good. However, the inherent design of data ow in
networks enables no shortage of hiding places for cyber thieves. Invest in technology that collaborates with
security tools to enhance their potency. Third, when detec*on occurs, too oUen network operators lack an
agility of immediate control to prevent exltra*on (that is, prevent the cyber thief from gecng out). In
short, invest more in tools for change management. Damage can be greatly minimized by locking down
and preven*ng valuable informa*on from gecng out (exltra*on).

As trusted business advisors, CIOs and CFOs and their teams must be aware of the latest technological
innova*ons and their impact on organiza*ons. SDN as a programmable and proac*ve security arch*ecture
can be a major element of this. The more agile the network, and the more visibiliy it provides into trac
anomolies, the more ac*ve vs. passive protec*on it can provide. And although CIOs are s*ll judged on
network up*me and issue resolu*on, these are all known elements given proper network design. It is the
unknown, as I noted above, that should keep CIOs up at nightthe unknowns that can kill a rms
reputa*on.

CIO KPIs:

Preserving Your Companys Reputation (Priceless)

Source: Pluribus Networks, 2015

!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!

A#erword:
In fact, the CIO and CFO are very adept at gh*ng the good ght with Cyber thieves. And most are eager to
takeem on, shutem down. As one of my CIO friends said: You wanna mess with my Network? Ill smoke
you out faster than a greased monkey slides down a tree.

Learn how:
Good discussion about how a CIO can use SDN to avoid being the next Sony Breach. See next page.

!
!

Page 2

!
The Sony Breach and Protec>ng the So# Interior with SDN
Dave Ginsburg, CMO, Pluribus Networks, Inc.

You could have a moat around a heavily for>ed castle but if the bridge is down.
then your for>ca>ons become worthless. PwC, 2014

There has been much wri7en about the Sony breach, as well as a growing number of other less damaging
compromises (at least we hope) where the perimeter was thought to be secure but the interior was leU
unprotected. For example, incidents reported by medium enterprises (those with revenues from $100
million to $1 billion) grew 64 percent between 2013 and 2014, with cost per incident growing by $53%1.
Small enterprises, in fact, reposted less, due to what many say is an underinvestment in tools, with
es*mates that 71 percent of a7acks go unreported. Given todays interconnected business ecosystem, this
is indeed a dangerous situa*on. SDN-based network security with in-line analy*cs oers a solu*on.
The idea of interior protec*on is not new, and while some vendors do in fact focus on delivering network
packet brokers/visibility fabrics, penetra*ons abound since these solu*ons are reac*ve, instead of
proac*ve. If the keys to the kingdom are compromised, such as the sys admins passwords, what can the
network do for protec*on as opposed to relying on human interven*on? Today, intrusions happen too fast
for anyone to respond eec*vely, and terabytes can be siphoned o overnight. Unfortunately, the gap is
widening between the speed at which compromises happen and that at which they are discovered. The
percent of breaches that have occurred in a ma7er of days has grown from 75 percent to 90 percent over
the last nine years, while discovery in the same *me window has remained below 25 percent. With some of
the more serious, professional a7acks, discovery may take months. By some es*mates, in 2014, the
nega*ve direct impact on the global economy was up to $575 billion, and the poten*al IP loss was up to
$2.2T! Thats a T.

!
!
!
!
!
!
!
!
!

!
!
!
!
!
!
!
!
!
!
!
!

Source: Verizon2

!
!

Page 3

Once the inltrator is inside the network, what does this look like, and why are exis*ng tools incapable of
providing real-*me protec*on? Visibility fabrics consis*ng of taps and collectors are deployed in parallel to
the actual data connec*ons, and are not integrated into the network control plane. They are also capable of
only sampling a por*on of the data. For example, a 48-port 10G TOR switch may have one 10G port
spanned to the visibility fabric. These two issues prevent todays visibility fabrics from being used for real-
*me protec*on.
As an example, assume the taps recognize that Host A is sending way too much trac to Host B, external to
the network. Maybe Host C is under syn a7ack from outside of the network. Or, more commonly, Host D
has some security vulnerability, has been compromised, and is now ac*ng a vector for an a7ack. Taps may
track this, but then send the data to a correla*on plauorm that informs the IT manager that something is
awry. They dont integrate with the control plane, they have no historical context, and thus the feedback
loop is broken.
The manager must then understand just where in the network the a7ack is taking place, and manually
recongure the switches and routers. Remember the perimeter is thought to be secure, so interior policies
are not too restric*ve. And no single device really has visibility into the applica*on ows themselves. They
do what they are designed to do, forwarding packets hop by hop.
CIOs recognize that current approaches dont scale or provide necessary responsiveness. At the recent
ONUG in NYC, a7endees of the Overlay working group tagged end-to-end monitoring as their top un-met
requirement3.
SDN and network/ow programmability oers a solu*on. Deploying virtual probes in-line with the data
trac results in real-*me applica*on visibility. The IT manager can craU a set of rules to take immediate
eect based on outlier analysis, and the network feedback loop is now immediate, bypassing the delays of
human interven*on4. The process is as follows:

Establish baseline at dierent *mes/dates and dura*ons

Invoke ongoing analy*cs to detect devia*ons

Invoke na*ve rules or automa*cally pass to hosted intrusion detec*on soUware for further analysis
and ac*on

Automa*cally block, copy, or thro7le the suspicious trac

Addi*onally, the informa*on gathered and steps taken are not just points in *me. The ability to look back
in *me, a rich forensics capability, is also part of the embedded solu*on. Luckily, there is now an awareness
that this new class of tools exists, and their role in protec*on, detec*on, and response is now a CIO
impera*ve.

!
!
!

Footnotes:
1.
Managing cyber risks in an interconnected world - Key ndings from The Global State of Informa*on Security Survey
2015, September, 2014, PWC
2.
2014 Data Breach Inves*ga*ons Report, Verizon, April, 2014, Verizon Enterprise Solu*ons
3.
ONUG-Fall-2014-Overlay-WG-UC-Poll-Results.png, October, 2014, ONUG
4.

Netvisor: Bare Metal Control Plane, Applica*on Level Analy*cs and Intrusion Detec*on, August, 2014, ACM.

Page 4