Before There Was a Great Wall
According to a December 2012 report from Gartner, an estimated 85% of security incidents go completely undetected in enterprise networks. That percentage may seem staggering, but a secondary statistic explains why: of the incidents that were detected, 92% were not discovered by the breached organizations themselves. They were brought to light by third parties such as reporters, or by the attackers' own extortion demands.
Additionally, in a retrospective analysis of zero-day attacks, Symantec Research determined that the average time between an exploit's successful deployment and its discovery was 312 days, with the longest taking 30 months. Taken together, these figures reveal a problem I see all too often in the field: organizations are not watching their networks intelligently.
History of Network Surveillance
The evolution of network security has taken an unconventional, meandering path to where we are now. Between 2000 and 2005, we had a love affair with Intrusion Detection Systems (IDS). These systems were created to shed light on bad behavior on the network. The core business problem with IDS was that it required a skilled set of operators who could interpret and respond to suspicious behavior. The pool of existing talent was much smaller than required, training curricula were underdeveloped and, most importantly, businesses decided not to spend the money to develop their own talent.
Heavyweight Hackers Against Featherweight Responders
IDS solutions were able to stay on the market only because they eventually morphed into Intrusion Prevention Systems (IPS) that could automatically mitigate threats. With the system automatically blocking threats, there seemed to be no business reason to train and staff an expensive network security team. Existing security teams were relegated to managing the firewalls, IPS and security tools instead of putting a sharp eye to surveillance and response. In the meantime, attackers have become well-funded, sophisticated and smart. It is now elite hackers against glorified firewall administrators. According to Gartner's statistic, the odds of the hackers winning each bout without detection are better than 5 to 1 (85% of incidents undetected versus 15% detected).
As a result of these business decisions, the lion’s share of security budget and efforts has gone toward enforcement mechanisms designed to prohibit or mitigate bad behavior. Surveillance has been reduced to statistical reports of enforcement actions performed by the security infrastructure.
Learning from Physical Security
Over the course of human history we have repeatedly learned the importance of the balance between surveillance, enforcement and response. Before there was a Great Wall in China, there were villagers who would run and report on invading forces from the north. If I were to knock over a liquor store, I wouldn't be stopped by bulletproof glass, lasers or drop floors; I would be caught on surveillance cameras. Before a soldier learns how to fire a rifle, he first learns how to stand sentry duty. Surveillance is the foundational element of security, both physical and on the network.
What Do You Mean I Was Robbed?
In light of the Gartner statistics on exploit detection, the sad state of affairs is that we are unable to detect when we are being pillaged. The ancient, threatened villagers in northern China at least had enough situational awareness to know they were being attacked.
Here are some very basic questions that every organization should be routinely answering:
- How much peer-to-peer (P2P) or Tor (onion routing) traffic is live on my network?
- Which hosts on my network are connected to known botnet command-and-control servers?
- Which users on my network are attempting to access information they shouldn't?
- How much information is leaving my network for competitors' networks?
If you can’t answer these questions, you have a serious (but all too common) surveillance issue. To simplify the test we could ask a more salient question: How would I know if a targeted attack succeeded in breaching my network?
Once the Great Wall of China was built, it wasn't left to fend for itself; sentries were posted to man it. Surveillance is critical in determining whether the enforcement mechanisms are working. As I make the rounds with our customers I regularly see traffic occurring that the enforcement mechanisms are designed to prevent. Sometimes this is the result of poor configuration; other times it is the result of advanced circumvention techniques. It is very easy to breach any wall if no one is watching and you have all the time in the world. Without intelligent surveillance, a targeted attack has a very easy time succeeding.
Incident investigators are far more productive when evidence is plentiful and cataloged. A criminal robbing a store with surveillance cameras and eyewitnesses is going to be brought to justice much more easily than his peer robbing an abandoned warehouse. When a network is not under intelligent surveillance, not only will the organization fail to detect a breach until a third party tips it off, it also won't be able to determine the impact of the breach or the methods the attacker used to break in. This leaves the organization no wiser for the breach and just as vulnerable. It also leaves the criminal at large and emboldened for another attack.
Watching for the “Weird”
The primary technical issue conventional IDS had was that it was looking only for known bad traffic, and most did this by pattern matching. In the U.S. Marine Corps, sentries have standing orders to “Walk [their] post in a military manner, keeping always on the alert and observing everything that takes place within sight or hearing” and “To call the Corporal of the Guard in any case not covered by instructions” (11 General Orders of a Sentry). In addition to orders to report specific “known bad” behavior, sentries are required to keep a vigilant eye open for things that are out of place and to report them for investigation. In network surveillance it is equally important to be able to detect anomalous and suspicious behavior that is “not covered by instructions.”
Intelligent network surveillance must detect both anomalous and suspicious behavior to be effective. In an earlier blog entry on detection methods, I cover this topic in detail. There will never be a signature for a threat that has not been seen before. Someone has to be on the lookout for the “weird.”
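To make the two ideas above concrete (the four questions every organization should be able to answer, and the distinction between “known bad” matching and watching for the “weird”), here is an added example that is not code from the original post or from Lancope's StealthWatch. It runs three checks over a handful of constructed NetFlow-style records: a known-bad match against a stand-in botnet C2 list, a port-based heuristic for Tor relay and BitTorrent traffic, and a no-signature anomaly check that flags hosts whose outbound volume far exceeds their own historical baseline. Every address is from the RFC 5737 documentation ranges, the C2 list and the baseline are constructed placeholders for what a real deployment would feed from threat intelligence and prior flow history, and the Tor/BitTorrent port set is an assumed heuristic (a starting point for investigation, not proof of use).

```python
"""Flow-based surveillance checks over constructed NetFlow-style records.

Added example, not code from the original post or from StealthWatch. All
IPs are RFC 5737 documentation addresses; the C2 list, port heuristic and
per-host baseline are constructed stand-ins for real feeds and history.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space considered "inside"; flows to these are not outbound.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed stand-in for a botnet C2 / sinkhole feed (question 2 above).
KNOWN_C2 = {"203.0.113.7", "198.51.100.23"}

# Assumed heuristic for question 1: Tor ORPort/DirPort defaults (9001, 9030)
# and the classic BitTorrent port range. Port matching is an indicator only.
TOR_P2P_PORTS = {9001, 9030} | set(range(6881, 6890))

# Constructed sample flows: src,dst,dst_port,proto,bytes_out
SAMPLE_FLOWS = """\
src,dst,dport,proto,bytes_out
10.1.2.3,198.51.100.10,443,tcp,12000
10.1.2.3,203.0.113.7,443,tcp,800
10.1.2.9,198.51.100.44,9001,tcp,5000
10.1.2.9,198.51.100.45,6881,tcp,3000
10.1.5.5,198.51.100.60,443,tcp,2400000000
10.1.5.5,10.1.5.6,445,tcp,900000000
10.1.2.3,198.51.100.10,443,tcp,30000
10.1.7.7,198.51.100.80,443,tcp,50000
10.1.8.8,198.51.100.23,80,tcp,400
"""

# Constructed per-host baseline: typical daily outbound bytes from prior days.
BASELINE_OUT_BYTES = {"10.1.2.3": 40_000, "10.1.2.9": 10_000,
                      "10.1.5.5": 60_000_000, "10.1.7.7": 45_000}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the CSV text above (header line skipped) into Flow records."""
    flows = []
    for line in text.strip().splitlines()[1:]:
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hosts_talking_to_c2(flows: list[Flow]) -> dict[str, set[str]]:
    """Known-bad check: hosts with any flow to a listed C2 address."""
    hits: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.dst in KNOWN_C2:
            hits[f.src].add(f.dst)
    return dict(hits)


def tor_or_p2p_hosts(flows: list[Flow]) -> set[str]:
    """Heuristic check: hosts reaching external Tor-relay or BitTorrent ports."""
    return {f.src for f in flows
            if not is_internal(f.dst) and f.dport in TOR_P2P_PORTS}


def outbound_bytes_per_host(flows: list[Flow]) -> dict[str, int]:
    """Sum bytes leaving the internal address space, per source host."""
    totals: dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.bytes_out
    return dict(totals)


def exfil_anomalies(current, baseline, factor=5, floor=1_000_000):
    """'Weird' check: hosts sending far more than their own history suggests.

    Flags a host when outbound volume exceeds `factor` times its baseline, or
    when it has no baseline at all and still exceeds `floor`. No signature is
    involved; the host's own past is the only reference.
    """
    flagged = {}
    for host, cur in current.items():
        base = baseline.get(host)
        if base is None and cur > floor:
            flagged[host] = (cur, None)
        elif base is not None and cur > factor * base:
            flagged[host] = (cur, base)
    return flagged


def surveillance_report(text=SAMPLE_FLOWS, baseline=BASELINE_OUT_BYTES):
    flows = parse_flows(text)
    return {"c2": hosts_talking_to_c2(flows),
            "tor_p2p": tor_or_p2p_hosts(flows),
            "exfil": exfil_anomalies(outbound_bytes_per_host(flows), baseline)}


if __name__ == "__main__":
    for name, finding in surveillance_report().items():
        print(f"{name}: {finding}")
```

On the sample data the report names 10.1.2.3 and 10.1.8.8 as talking to listed C2 addresses, 10.1.2.9 as using Tor/BitTorrent ports, and 10.1.5.5 as an exfiltration anomaly: its 2.4 GB outbound is forty times its baseline even though every one of its flows was ordinary HTTPS that no signature would have matched. The internal SMB transfer from 10.1.5.5 is deliberately excluded from the outbound total, which is the kind of scoping decision a real deployment has to make explicitly.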
Without effective network surveillance, hackers will continue to pillage protected resources with impunity. While enforcement mechanisms are critical to a healthy network, they cannot replace the need for a vigilant, skilled set of eyes watching for emerging and targeted threats. It is a sad state of affairs when organizations can’t even answer the most fundamental question of “How will I know when my infrastructure has been breached?” Trained personnel equipped with advanced network intelligence solutions like Lancope’s StealthWatch are the only defense against a growing world of sophisticated attackers.