Relying solely on perimeter-based security is inadequate for maintaining a robust overall security posture across the organization

By Vinay Sharma, Regional Director, India and SAARC, NETSCOUT 

Cyber-attacks and data breaches continue to escalate, making media headlines across all sectors. Cybercriminals are targeting government agencies, consumer goods, finance, and gaming, among others. What often escapes our notice is that the most significant damage occurs after malicious actors have successfully breached the network's initial defenses.

Many organizations rely heavily on perimeter-based firewalls and intrusion prevention techniques, treating them as the ultimate defense. While preventive measures are undeniably important, the most significant impact and the highest ROI come from the often-underestimated internal network visibility technologies. The ability to detect, investigate, and promptly respond to breaches is crucial within the cybersecurity framework, as it significantly limits the consequences of a breach that does get through.

The limitations of perimeter-based security

Perimeter-based security revolves around the concept of securing the organization's network by strengthening its external boundaries. Its elements include:

  • Firewalls that filter both incoming and outgoing network traffic, designed to block malicious traffic and allow legitimate traffic to pass through.
  • Intrusion detection systems (IDS) that monitor the network for suspicious activity, and intrusion prevention systems (IPS) that actively block or mitigate potential threats.
  • Virtual private networks (VPNs) that ensure data transmitted between remote locations and the central network remains encrypted and secure.
  • Antivirus and antimalware solutions that detect and prevent malware infections at the perimeter, often by scanning incoming files and emails.
  • Network access controls that dictate who can access the network and what resources they can reach.

Despite being crucial, perimeter-based cybersecurity has several limitations, such as:

  • Reconnaissance: Cybercriminals often gather information about their target organization through social engineering, a tactic that can elude perimeter defenses because it relies on human manipulation and deception. Internal traffic monitoring can detect the unusual activity that follows.
  • Lateral movement: After entering the network, attackers can move laterally, evading perimeter defenses entirely. Internal traffic monitoring is crucial for detecting such lateral movement.
  • Zero-day attacks: Perimeter defenses are often less effective against zero-day attacks, which exploit vulnerabilities that are unknown to security vendors.
  • Advanced persistent threats (APTs): Determined attackers can bypass perimeter defenses using sophisticated techniques, making it essential to monitor internal traffic for signs of compromise.
  • Insider threats: Perimeter defenses focus on external threats, leaving organizations vulnerable to insider threats—malicious or careless employees who have legitimate access to the network.
  • MITRE ATT&CK framework mapping: After the Initial Access and Execution phases, perimeter-based protection is blind to most activity, because attackers operate within the network using techniques detailed in the MITRE ATT&CK framework. Internal network monitoring is essential for recognizing these tactics, allowing security teams to respond effectively and prevent further advancement through the attack chain.

It is crucial for organizations to address these limitations and build a more robust security posture by prioritizing internal traffic monitoring, which provides:

  • Early threat detection: Internal traffic monitoring can identify suspicious activities and anomalies within the network, allowing for early threat detection before significant damage occurs.
  • Lateral-movement detection: Detecting lateral movement within the network is possible only via internal traffic monitoring, allowing for swift containment and response to threats.
  • APT detection: Advanced persistent threats often go undetected by perimeter defenses. Internal traffic monitoring can identify unusual patterns of behavior that might indicate an APT attack.
  • Zero-day attack defense: By monitoring internal traffic, organizations can detect zero-day attacks that bypass perimeter defenses, helping them respond promptly.
  • Insider threat mitigation: Monitoring internal traffic helps identify insider threats, enabling organizations to take proactive measures to prevent data breaches or other security incidents.

A solution with deep packet inspection (DPI) at its core provides security visibility across the network perimeter (where it sees north-south traffic) and also into the internal network (east-west traffic). The internal network includes multi-cloud and hybrid-cloud environments, and the solution should detect both known and emerging threats with precision.
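To make the north-south versus east-west distinction above concrete, here is an added illustration (not code from the article or from NETSCOUT) that runs a perimeter-only view and an east-west lateral-movement check over a handful of constructed flow records. The internal address range, the set of "admin" ports, and the fan-out threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (source, destination, destination port): one
# workstation reaching many internal hosts over SMB/RDP after initial access.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
FLOWS = [
    ("10.0.1.20", "203.0.113.10", 443),  # ordinary outbound web (north-south)
    ("10.0.1.20", "10.0.2.5", 445),      # east-west SMB
    ("10.0.1.20", "10.0.2.6", 445),
    ("10.0.1.20", "10.0.2.7", 445),
    ("10.0.1.20", "10.0.2.8", 3389),     # east-west RDP
    ("10.0.1.20", "10.0.2.9", 3389),
    ("10.0.1.20", "10.0.2.10", 445),
    ("10.0.3.40", "10.0.9.1", 53),       # normal internal DNS lookup
]
LATERAL_PORTS = {22, 445, 3389, 5985}  # assumed remote-admin ports
FANOUT_THRESHOLD = 5                   # assumed distinct-host threshold


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def perimeter_view(flows):
    """Flows a perimeter device sees: only those crossing the boundary."""
    return [f for f in flows if is_internal(f[0]) != is_internal(f[1])]


def east_west_view(flows):
    """Flows visible only to an internal (east-west) monitor."""
    return [f for f in flows if is_internal(f[0]) and is_internal(f[1])]


def detect_lateral_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Flag sources touching many distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for src, dst, port in east_west_view(flows):
        if port in LATERAL_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= threshold}


if __name__ == "__main__":
    print("perimeter sees:", perimeter_view(FLOWS))
    print("lateral fan-out:", detect_lateral_fanout(FLOWS))
```

The perimeter view contains only the single outbound web flow, while the fan-out check flags the workstation from its six internal SMB/RDP connections, which is exactly the activity the article says perimeter controls cannot see.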
