This is important because, while endpoint security has improved significantly with the introduction of application whitelisting and other technologies, our systems and devices are simply too diverse and too interconnected to ensure that host security can be deployed 100% ubiquitously and 100% effectively. All it takes is a single chink in the endpoint security armor to create a beachhead for attackers, so having a holistic viewpoint of how everything interacts on the network is critical.
Network security isn't a silver bullet either, of course. Even with unidirectional gateways, which enforce one-way data flow at the physical layer and are about as close as the network gets to the deny-by-default model of application whitelisting, there's still the chance that a hardened network shell is bypassed, exposing the gooey interior of networked hosts. However, the network is the common denominator, the nexus of all systems, applications and services. By properly monitoring it, the larger threats become detectable and the hosts themselves are ultimately more secure.
Active protection using standard network security devices such as firewalls and intrusion-prevention systems (IPS) is a start. Network activity monitoring, using intrusion-detection systems, network flow analysis and more holistic tools such as network behavior analysis, log management and Security Information and Event Management (SIEM) systems, complements those point-protection devices and provides a broader threat-detection capability.
In other words, network-based security is more than just a layer of defense; it is the keystone of situational awareness, showing security analysts how all of those discrete host security events relate to each other and to the company's security and compliance policies.
When utilized properly, network-layer security information can be combined with application whitelisting on the host to create a feedback loop. The term "Smart Listing," first coined at a SANS Institute security conference in London, describes using security events from the application whitelisting agents on the host to close that loop back to the network security devices, which typically block traffic based on blacklists: defined signatures that tell the firewall or IPS what we already know is "bad."
When a zero-day exploit slips past these blacklist defenses and hits a host protected by some form of application control, the attempt to run the unapproved executable will be blocked and the details will (hopefully) be logged. Note that the whitelisting agent sees the payload it refused to run; it does not by itself see where that payload came from.
But where did that exploit come from? Was it an insider threat, or something more advanced originating from another country? How did it get past the network-layer security controls? The only way to answer those questions is to look at the network itself, specifically at the network-layer security events and at the network flow records for the period just before the block.
When we see traffic that is clearly of malicious intent reaching a protected host just before an attempt to execute an unapproved application on it, we can infer that the source of that traffic is malicious and adjust our blacklists accordingly. In other words, we create a "smart list" of what we infer to be malicious, based upon intelligence obtained from the host but assessed within the context of the network layer. Because the inference is statistical rather than certain, it should be corroborated (for example, the same external source seen before blocks on more than one host) before it is pushed automatically to a firewall or IPS; otherwise a single misattributed host event can block legitimate infrastructure.
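As an added example (not part of the original article and not NitroSecurity's code), the following Python sketch shows what the feedback loop described above looks like as correlation logic: each application-control block event is joined with the flow records that reached the blocked host in the preceding minutes, external sources are collected as "smart list" candidates, and a candidate is only promoted to a block action once it is corroborated by blocks on more than one host. The event layouts, field names, IP addresses, hashes and the five-minute window and two-host threshold are all constructed assumptions.

```python
"""Smart-listing correlation: join host application-control block events with
network flow records to derive corroborated blacklist candidates.

Added example; all record formats and sample data below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data --------------------------------------------------
# Host agent events: the whitelisting agent refused to run an unapproved binary.
# Fields: (timestamp, host_ip, process_path, sha256_prefix)  [constructed]
HOST_BLOCKS = [
    ("2024-03-01T10:02:10", "10.1.5.22", r"C:\Users\jdoe\AppData\Local\Temp\upd.exe", "3f1a-c9"),
    ("2024-03-01T10:07:45", "10.1.5.31", r"C:\Users\asmith\AppData\Local\Temp\upd.exe", "3f1a-c9"),
    ("2024-03-01T11:30:00", "10.1.9.4", r"C:\Temp\tool.exe", "77be-01"),
]

# NetFlow-style unidirectional records. Fields: (timestamp, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("2024-03-01T10:01:40", "203.0.113.77", "10.1.5.22", 445, 812000),
    ("2024-03-01T10:01:55", "10.1.5.22", "203.0.113.77", 443, 2100),    # outbound, not a source
    ("2024-03-01T10:07:20", "203.0.113.77", "10.1.5.31", 445, 798000),
    ("2024-03-01T10:06:00", "10.0.0.5", "10.1.5.31", 53, 200),           # internal DNS, ignored
    ("2024-03-01T11:29:50", "198.51.100.9", "10.1.9.4", 3389, 50000),
    ("2024-03-01T09:00:00", "203.0.113.77", "10.1.9.4", 445, 1000),      # outside the window
]

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WINDOW = timedelta(minutes=5)   # assumed look-back before the block event
MIN_HOSTS = 2                   # assumed corroboration threshold for an automatic block


def is_internal(ip: str) -> bool:
    """True if the address falls inside the constructed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def candidate_sources(block, flows, window=WINDOW):
    """External source IPs that sent traffic to the blocked host within
    `window` before the application-control block was logged."""
    ts, host, _path, _sha = block
    t_block = datetime.fromisoformat(ts)
    sources = set()
    for fts, src, dst, _port, _nbytes in flows:
        t_flow = datetime.fromisoformat(fts)
        if dst == host and not is_internal(src) and t_block - window <= t_flow <= t_block:
            sources.add(src)
    return sources


def build_smart_list(blocks, flows, min_hosts=MIN_HOSTS):
    """Aggregate evidence per external source across all block events.

    Returns {src_ip: {"hosts": [...], "hashes": [...], "action": "block"|"review"}}.
    A source is only marked "block" when it precedes blocks on at least
    `min_hosts` distinct hosts; otherwise it is queued for analyst review.
    """
    evidence = defaultdict(set)  # src_ip -> {(host_ip, sha256_prefix)}
    for blk in blocks:
        for src in candidate_sources(blk, flows):
            evidence[src].add((blk[1], blk[3]))

    smart_list = {}
    for src, ev in evidence.items():
        hosts = sorted({h for h, _ in ev})
        hashes = sorted({s for _, s in ev})
        action = "block" if len(hosts) >= min_hosts else "review"
        smart_list[src] = {"hosts": hosts, "hashes": hashes, "action": action}
    return smart_list


def render_rules(smart_list):
    """Turn corroborated entries into deny rules in a generic text form
    (the syntax here is illustrative, not any particular vendor's)."""
    return [f"deny ip from {src} to any  # seen before blocks on {len(v['hosts'])} hosts"
            for src, v in sorted(smart_list.items()) if v["action"] == "block"]


if __name__ == "__main__":
    result = build_smart_list(HOST_BLOCKS, FLOWS)
    for src, info in sorted(result.items()):
        print(src, info)
    print("\n".join(render_rules(result)))
```

In the constructed data, 203.0.113.77 precedes unapproved executions on two separate hosts and is promoted to a block rule, while 198.51.100.9 touched only one host and stays in the review queue; the flow from 203.0.113.77 at 09:00 is ignored because it falls outside the look-back window. In a real deployment the block events would come from the whitelisting agent's log feed and the flows from a collector, and the window and threshold would be tuned to the environment.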
Only with this level of automated intelligence and network-layer awareness can the most sophisticated attacks be detected and then blocked at the perimeter using network layer security controls. Because if the network lets the attack in, it will eventually find its beachhead: that one desktop, server, printer, or some other device that isn't adequately protected.
There's a lot of covert, mutating and otherwise sophisticated malware available, so if an attack does successfully land it's going to gnaw away at systems until a weakness is found. When both network and host security are hardened, the resulting security Gobstopper is going to be difficult for attackers to chew on.
NitroSecurity provides both Intrusion Prevention Systems as well as the only Security Information and Event Management system (SIEM) to include integrated network-based application content and database transaction monitoring.