Virtualization Technology News and Information
Vectra Networks 2016 Predictions: Cybersecurity in Virtual Networks

Virtualization and Cloud executives share their predictions for 2016.  Read them in this 8th Annual VMblog.com series exclusive.

Contributed by Mike Banic, VP of Marketing, Vectra Networks

CYBERSECURITY IN VIRTUAL NETWORKS

With all of the cyber threats and security trends evident this year, I have the following predictions for 2016.

High-loss data center breaches will have gone undetected for over 200 days.

The insides of data centers are very difficult to secure. Virtual environments, VLANs and VNIs that stretch across racks, the rise of VM migration, complex connectivity patterns, orchestrated provisioning, higher VM density per hypervisor, and climbing bandwidths make it technically very complex to insert access controls and/or detection mechanisms in data center bowels. As a result, most IT operations don't do any of these things; instead they do their best to build a strong perimeter defense for the data center, which often becomes riddled with holes that are excused as "exceptions" for speed of business delivery. Unfortunately, these "exceptions" are not tracked, audited, or cleaned up appropriately. A few large network segments exist for access control, and ops teams have zero visibility into what happens inside those segments as dev teams spin workloads up and down at a rapid pace. Attackers who gain control of one system inside a data center segment enjoy undetected movement among the other workloads inside that segment, especially inside the same hypervisor, then ride permitted protocol paths to other segments. Once pinpointed, high-loss data center breaches will be found to have gone undetected, in some cases for more than 200 days. As such, these disclosures will drive a renewed demand for visibility, detection and controls inside data center segments in 2016.

Rise of the public cloud compute instances as a threat vector.

Companies that aren't already all-in on a public cloud tend to employ one of two models:  web front-ends in the public cloud with VPN links to app processing and data stores in the private data center, or the opposite, web front-ends and app processing in the private data center with VPN links to data stores in the public cloud. Either way, compromising the public cloud workloads provides access to the juicy data attackers crave. Since public cloud security is limited to ACLs, and visibility exists only at the edge gateway, workloads there are fertile ground for a targeted attack campaign. Security vendors will counter with agent software that brings visibility and control to the workload level.

The shortage of security researchers and incident-response personnel will get worse.

The dire need for security researchers and incident response personnel is growing faster than the available talent pool. This will prompt organizations to rely on the automation of manual, time-consuming security tasks. It's the only practical short-term way to free up the thinning ranks of security teams to focus on critical and strategic security work.

Organizations will realize that algorithms - not Big Data - are the key to detecting and mitigating active cyber attacks.

To combat cyber attacks that evade perimeter security, enterprises are collecting petabytes of flow and log data in hopes of detecting attacks. These systems turn into unwieldy analysis projects that typically detect an attack only after the damage is done, wasting valuable time and money. Threat detection algorithms will play a significant role in making Big Data more useful and actionable.

SSL decryption will become increasingly difficult.

Attackers increasingly target and compromise certificate authorities as part of sophisticated man-in-the-middle attacks. This leads more applications to enforce strict certificate pinning, and consequently makes the inspection of SSL-encrypted traffic far more difficult for traditional security products.


About the Author

Mike Banic, Vice President, Marketing

Mike Banic is the vice president of marketing at Vectra. Previously, he was vice president of global marketing for networking at Hewlett-Packard. Mike joined HP from Juniper Networks where he held the roles of VP of enterprise marketing and VP of marketing for Ethernet switching. Mike joined Juniper through the acquisition of Peribit Networks where he was VP of corporate marketing. Mike has held product marketing and product management roles at Trapeze Networks, Rhapsody Networks and Extreme Networks. He started his career as a system engineer at Artel Communications.

Mike is originally from Connecticut. He professes amnesia regarding the futility of the New England Patriots and Boston Red Sox during his youth and now takes great pride in the championships of the Red Sox, Patriots, Celtics and Bruins. Mike's passions include architecture, impressionist art, music, history, and travel. His kids are famous for saying "please, no audio tour of the museum."

Mike holds a BSEE from Worcester Polytechnic Institute in Massachusetts and currently serves on the Board of Directors for Ronald McDonald House at Stanford.

 

Published Friday, December 18, 2015 10:01 AM by David Marshall