
Sponsor Blog: Riverbed Federal Offers Rapid and Easy Solutions to Counter Cybersecurity Challenges

This article is written by our sponsor Riverbed Federal. Views expressed do not necessarily reflect views of AFCEA International or SIGNAL Media.

Federal agencies are always looking for ways to spend their security dollars more efficiently. Cyber Attack Defenders recently sat down with Sean Applegate, director of technology strategy at Riverbed Federal, who provided some tips on how agencies can boost their security capabilities while cutting costs by coordinating their investments in network and security monitoring.

Q: What are some of the key cybersecurity challenges facing government agencies?

Applegate: There is serious concern with advanced persistent threats, especially mechanisms that leverage zero-day attacks, which signature-based systems can’t identify. This is one of the largest risks to agencies today. Organizations need to understand what is normal traffic and what’s unusual or suspect for their environments. Identifying unusual traffic that a server or client has never sent before is an indicator that warrants further investigation.

There is significant overlap in technologies used by network teams and security teams. They both continuously monitor dashboards, alarms and alerts for issues. They both leverage NetFlow/IPFIX to generally understand what is going on across the infrastructure. They both use packet and transaction analysis to microscopically understand exactly what is occurring and how or why. If they jointly coordinate their investments, they can build a broader reaching cyber capability at lower costs. A tightly integrated, cost-effective architecture can not only defend the organization but can be the foundation for proactively improving performance and mission velocity for a network-centric global work force.

However, buying technology is just the first step along the journey. Strategically, leaders have to develop streamlined capabilities across an organization. This not only requires training and process improvement, it also requires overcoming politics and cultural norms within the organization. If successful, organizations create a streamlined collaborative environment where even junior employees can have significant impact on the cyber mission.

Q: What are some of the emerging technologies for securing networks and data?

Applegate: In large organizations, typically 50 percent of the data still resides outside the data center, and much of it is never backed up or archived. Data sprawl is a significant risk to security and continuity of operation plans (COOP). Riverbed’s innovative, award-winning SteelFusion solution is being adopted rapidly by organizations to address this challenge.

SteelFusion allows organizations to consolidate all storage to the data center or cloud and then project it out to edge sites, so they have LAN speed access to it, as well as disconnected operations. SteelFusion provides consolidated edge infrastructure by providing compute, virtualization, WAN optimization, packet capture, flow export and more. This saves on cost, energy, administrative overhead, size, weight and power. Essentially, clients can have their cake and eat it too—around a 25 percent lower cost to traditional site infrastructure. SteelFusion’s block-stream storage is backed up in near real-time, which lowers risk and the recovery point objective (RPO). Should a catastrophic event occur, the storage is recovered immediately from the data center or cloud to anywhere in the world within minutes and with a minimal recovery time objective (RTO). This is extremely useful at sites with data in risky places, such as embassies, forward operating bases, teams with mobile data centers, disaster recovery operations, etc. To secure the edge data, the SteelFusion cache is encrypted with data-at-rest using AES encryption that is FIPS 140-2 Level 1 validated. SteelFusion enables full consolidation of edge storage so organizations can optimize their enterprise COOP for minimal risk, without sacrificing mission velocity due to distance or latency.

Q: Do you have any recommendations for how agencies can strengthen security, especially in a budget-constrained environment?

Applegate: An easy place to start streamlining organizational spend is in the network security and performance monitoring practice areas. Packet analysis and flow analysis are important capabilities for gaining situational awareness—knowing who is doing what and then quickly diving in for a closer look. From a best value standpoint, an organization can often spend security and network dollars more efficiently to obtain a broader capability by coordinating across the network operations center (NOC) and security operations center (SOC) when investing in flow analysis and packet or traffic analysis solutions. Often, by using a well-rounded network performance management (NPM) solution, organizations get more capabilities than a solution focused on a single practice area like security. For example, with packet capture/analysis, most security vendors are focused solely on capturing on high-speed appliances. Riverbed’s industry-leading packet capture/analysis solutions can capture on high-speed appliances, as well as with capture agents in the cloud or on distributed hosts, as well as virtual machines so you can roll your own custom platforms. This provides capture and analysis anywhere, at any time, at enterprise scale.

Q: How can Riverbed help federal agencies with some of these challenges?

Applegate: Riverbed’s SteelCentral performance monitoring suite is a leader in Gartner’s Magic Quadrant for Application Performance Monitoring and Gartner’s Magic Quadrant for Network Performance Monitoring and Diagnostics reports. The Riverbed SteelCentral solution includes packet capture, flow analysis and application performance analysis at enterprise scale. For security teams, this provides tightly integrated workflows from desktop to network to application backend. This provides unique capabilities to easily connect the dots for security events that cross various infrastructure layers, such as tracking a SQL injection from host, to network, to application layer to database backend. A few of the SteelCentral components include:

Packet Capture and Analysis—It provides low-level packet capture and rich analysis of what is going on in a real-time environment. It is very efficient and fast at determining what is going on and where, triggering alarms and then pulling out the information for other tools to analyze. The solutions include NetShark, AppResponse, Capture Agents, Packet Trace Warehouse, Packet Analyzer and Transaction Analyzer. These tools leverage Berkeley Packet Format for capture filters and Wireshark display filters so security teams can easily leverage the open-source syntax they use with Wireshark and tcpdump today.

Flow Analysis—NetProfiler lets you aggregate various flow formats—both standardized NetFlow/IPFIX as well as proprietary high-fidelity flow such as Palo Alto flow and Riverbed’s performance-centric flow formats—into a centralized architecture across the enterprise. It is a lightweight mechanism to see what is going on across your enterprise network. It gives you unique application layer metrics and application signatures to get a much richer view of what is exactly on your network, beyond just port numbers. Plus NetProfiler leverages network-based anomaly detection (NBAD) and other analytics to proactively learn what is normal for applications, sites and hosts. NBAD allows NetProfiler to trigger alerts on security and performance events without users having to set manual event triggers.

NetProfiler’s NetGateway allows organizations to centrally collect flow once and then redistribute it to many flow analysis engines. This unique flow redistribution capability enables organizations to efficiently integrate many practice areas or quick response teams with different flow tools without having to make changes to hundreds of network devices.
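The interview twice describes the same detection idea: learn from flow records what is normal for each host, then treat traffic a host has never sent before as an indicator worth investigating (the zero-day point in the first answer, and the NBAD description above). The following is an added example of that baseline-and-deviation check written for this article; it is not Riverbed or NetProfiler code, and it makes no claim about how NetProfiler's NBAD is implemented. The flow records, the `Flow` field names and the RFC 5737 documentation addresses are all constructed for the example, standing in for the NetFlow/IPFIX export a collector would receive.

```python
"""Baseline-and-deviation check over flow records.

Added example, not Riverbed's code. A baseline window teaches us which
(protocol, destination port) services each source host has used; later flows
in which a host talks to a service it has never used before, or in which a
host never seen in the baseline appears at all, are reported for analysts to
investigate. Flow records and addresses are constructed (RFC 5737 ranges).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow/IPFIX-like record; field names are this example's own."""
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


# Constructed baseline window: ordinary HTTPS, DNS and HTTP traffic from two hosts.
BASELINE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", "tcp", 443, 18200),
    Flow("192.0.2.10", "198.51.100.5", "tcp", 443, 9400),
    Flow("192.0.2.10", "198.51.100.53", "udp", 53, 120),
    Flow("192.0.2.20", "198.51.100.5", "tcp", 443, 30100),
    Flow("192.0.2.20", "198.51.100.53", "udp", 53, 96),
    Flow("192.0.2.20", "198.51.100.80", "tcp", 80, 5000),
]

# Constructed observation window to check against the baseline.
NEW_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", "tcp", 443, 2000),    # service seen before
    Flow("192.0.2.10", "203.0.113.7", "tcp", 4444, 512000),  # host never used tcp/4444
    Flow("192.0.2.20", "198.51.100.53", "udp", 53, 110),     # service seen before
    Flow("192.0.2.30", "198.51.100.5", "tcp", 443, 1000),    # host absent from baseline
]


def build_baseline(flows):
    """Map each source host to the set of (proto, dport) services it has used."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.proto, f.dport))
    return baseline


def find_anomalies(baseline, flows):
    """Return (reason, flow) pairs for flows that deviate from the baseline.

    'new_host'    : the source address never appeared in the baseline window.
    'new_service' : the host is known but has never used this proto/dport.
    Flows matching a known (host, proto, dport) triple are not reported.
    """
    anomalies = []
    for f in flows:
        known = baseline.get(f.src)
        if known is None:
            anomalies.append(("new_host", f))
        elif (f.proto, f.dport) not in known:
            anomalies.append(("new_service", f))
    return anomalies


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for reason, f in find_anomalies(base, NEW_FLOWS):
        print(f"{reason}: {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.bytes_out} bytes)")
```

Run against the constructed data, the check reports two of the four new flows: the known host 192.0.2.10 using tcp/4444 for the first time, and the previously unseen host 192.0.2.30. In practice the baseline window has to be long enough to cover legitimate but infrequent traffic (patch cycles, month-end jobs), or the alert volume will bury the real deviations; that tuning is the analyst's job, not the script's.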

Application Analysis—AppInternals provides the ability to wrap Java and .NET applications with agents that collect transaction details in a big data system called Transaction Trace Warehouse (TTW). AppInternals provides extremely beneficial analysis, not just for performance but for quickly analyzing how application attacks, such as SQL injections or code injections, compromise an application backend, what exactly took place and within which code modules. TTW’s extreme scale and history provide security teams unique capabilities to go back years in time to look for security events in application transactions. Since most attacks are found weeks or months after they’ve penetrated a system, this can be very useful in understanding what took place prior to being aware of the compromise. Application and security teams can proactively protect themselves by adding alerts for key security events.

From an ease-of-use standpoint, it is a tightly integrated solution that lets organizations go from high-level dashboards or alerts directly into the packets or transactions quickly. This makes it easy for a lower-cost employee to provide value to an organization, whether it is a security incident or a network performance problem. Riverbed SteelCentral delivers a much faster mean time to repair, so cyber operations run smoother.

Q: Anything else to add?

Applegate: If readers are interested in defending against Web attacks and bots, they should check out the SteelApp Web App Firewall (WAF). It is used by some of the largest clouds on the planet today. As is always important in government accounts, the security handlers are completely customizable via Python scripting. This empowers agencies to get extremely creative with Web security. Our most recent DOD WAF white paper can be found posted in SIGNAL Media’s Resource Library.

I appreciate the opportunity to speak with Cyber Attack Defenders and look forward to collaborating with your readers in the future. They can interact with me on Twitter at @SeanApplegate or @Riverbed_FED.
