
Securing a VPN Against Advanced Malware Threats


Corporate VPN users need a sensor-based, near-real-time forensics solution that identifies and tracks malware threats.

The search for a solution

Businesses that use VPNs typically evaluate several security solutions, ranging from firewalls to unified threat management (UTM) to virtual machine-based solutions, before settling on one. However, none of them are effective at preventing targeted APTs from infecting hosts inside the network and operating without detection: because of their architecture and background, these solutions are unable to operate properly at the network’s core, so they are most effective at the perimeter.

Companies also frequently have ambitious sets of requirements that a VPN security solution must satisfy based on their own corporate security policies. Those requirements may include:

  • identifying if any VPN user has broken out of his or her authorized security domain;
  • indicating when any host in the company might be under the control of a bad actor;
  • alerting for potential violations before critical information is lost or compromised;
  • providing toolsets to allow investigation into suspicious activity over a long period of time.

Companies also generally seek out a solution that’s scalable and easy to install, requires minimal overall expenditure and training time, doesn’t require network re-architecture, has the ability to maintain control over sensitive data already in the system, and can grow as additional hosts are added.

To address all of these requirements, corporate VPN users need a sensor-based, near-real-time forensics solution that identifies and tracks malware threats of the kind that go undetected by perimeter solutions, and does so before devastating damage or critical data theft can occur. Such a solution protects the customer from emerging cyberattacks in the network’s interior.

A cost-effective solution such as this one will:

  • increase a company’s confidence that the ongoing use of its VPN by outside partners won’t compromise network security;
  • provide the customer with tools that can quickly identify and eliminate several instances of advanced malware that already exist within the network;
  • enable a company to trace certain breaches back to the responsible parties;
  • provide forensic-level details validating that a breach occurred and identifying the hosts that are infected;
  • detect new and emerging malware behavior in near real time;
  • deliver visibility into an infected host over the lifetime of an event, whether it spans months or years;
  • supply advanced analysis of malicious activity throughout an APT’s life cycle, not just the infection or exfiltration event (perimeter-based products only analyze this type of event), and not rely on periodic signature updates to identify such activity.

Applying the fix

A sensor-based, near-real-time forensics technology is typically installed in the core, where it’s connected to an in-line, passive tap off of the main core switch, meaning a network redesign isn’t necessary for installation. The switch handles all traffic as expected, and the tap feeds copies of that traffic, including the kind coming from remote sites, to the security solution’s probe for analysis and processing.
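As an added illustration (not code from the article or from any vendor product it describes) of how a probe fed by such a tap can meet the first requirement above, identifying VPN users that have broken out of their authorized security domain, the following script analyzes flow records of the kind a core tap would deliver and keeps a per-host history of violations. The partner VPN pools, the authorized subnets and the sample flows are all constructed for the example.

```python
"""Flag VPN hosts that reach outside their authorized security domain.

Added example, not from the article or any product: a minimal analyzer
over flow records such as a passive core tap would produce.  The partner
pools, authorized subnets and sample flows below are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical policy: each partner's VPN address pool may only reach its
# own authorized subnets (the "security domain" the article refers to).
POLICY = {
    ip_network("10.200.1.0/24"): [ip_network("10.10.0.0/16")],   # partner A
    ip_network("10.200.2.0/24"): [ip_network("10.20.5.0/24")],   # partner B
}

def find_pool(src):
    """Return the VPN pool an address belongs to, or None if not a VPN user."""
    src = ip_address(src)
    for pool in POLICY:
        if src in pool:
            return pool
    return None

def analyze(flows):
    """Return {src: [(ts, dst, dport), ...]} for every out-of-domain flow.

    Violations are kept with their timestamps so a host's activity can be
    reviewed over the lifetime of an event, not just at the first alert."""
    history = defaultdict(list)
    for ts, src, dst, dport in flows:
        pool = find_pool(src)
        if pool is None:
            continue          # not VPN-originated traffic; out of scope here
        if not any(ip_address(dst) in allowed for allowed in POLICY[pool]):
            history[src].append((ts, dst, dport))
    return dict(history)

# Constructed flow records as the tap would deliver them: (ts, src, dst, dport).
SAMPLE_FLOWS = [
    (1000, "10.200.1.15", "10.10.3.7", 443),    # partner A, authorized
    (1060, "10.200.1.15", "10.20.5.9", 445),    # partner A reaching partner B's domain
    (1120, "10.200.2.30", "10.20.5.9", 22),     # partner B, authorized
    (1180, "10.200.1.15", "10.30.1.1", 3389),   # partner A, outside any domain
    (1240, "192.168.1.5", "10.30.1.1", 80),     # internal host, not a VPN user
]

if __name__ == "__main__":
    for host, events in analyze(SAMPLE_FLOWS).items():
        print(host, events)
```

Running it lists 10.200.1.15 with its two out-of-domain flows; in practice the records would come from the probe's traffic copies rather than an inline list.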


