Enterprises Face a Constantly Evolving Threat Landscape
When it comes to cyber threats, enterprises have accepted that they are under constant attack, and that it is only going to get worse. Bad actors are getting smarter and more aggressive, and the tools they use are becoming more effective. Launching large-scale attacks has become easier and cheaper, driving a dramatic increase in attack size and scale.
According to the Identity Theft Resource Center, the number of U.S. data breaches tracked in 2017 hit a record high of more than 1,500 incidents, a 44.7 percent increase over the record figures reported for 2016. Worse, the number of records compromised in the first six months of this year has already surpassed the total for all of 2017.
With the average cost of an attack at $2.4 million, your business is at risk. And increasingly, security point solutions are not enough: today's bad actors can often control and harness your own devices without anyone in IT knowing.
Strategies for Managing the Cyber Threat Landscape
Senior writer Carol Hildebrand sat down with Adam Bixler, director of product management, to get a sense of the challenges companies face managing today’s threat landscape.
Hildebrand: We hear a lot about bad actors infiltrating enterprise networks via a variety of techniques. What does that say about perimeter security?
Bixler: A traditional enterprise network strategy focusing on applying signatures against server and host logs is increasingly insufficient for the way we work today. Companies need to take advantage of threat intelligence to block known bad communications, reducing the number of alerts that over-worked security teams have to deal with.
Hildebrand: That sounds like a huge and unwieldy undertaking.
Bixler: Exactly. Enterprises have been investing for years in many detection-focused products, many of which have relevance in terms of visibility inside the enterprise. But those disparate deployments are exacting a cost I think of as alert fatigue. Companies now have to roll up those solutions into a security information and event management (SIEM) system to aggregate relevant data from multiple sources and look for and identify anomalies. You end up needing a vast army of people to work in the security operations center just to monitor the alerts, which brings us to the talent shortage.
Hildebrand: Does that scenario cover threat intelligence as well?
Bixler: No, that's a whole other complex stream of information. The past decade has brought dynamic sharing of threat intelligence across a variety of spaces. We certainly see commercial entities as well as governments sharing information, along with public-private partnerships, sharing by geographic area, and by industry/sectors. These Information Sharing and Analysis Organizations (ISAOs) help companies find and disseminate threat intelligence specific to their needs, using STIX, TAXII, and CybOX as standards. Integrating multiple threat intelligence streams remains a challenge.
Hildebrand: It sounds like companies need a way to integrate how they defend against both inbound and outbound attacks.
Bixler: Yes, and that’s where NETSCOUT Arbor Edge Defense (AED) fills an important need. Using stateless packet processing technology and armed with highly curated global threat intelligence, AED acts as a network perimeter enforcement point where it detects and blocks inbound cyber threats and outbound malicious communication in bulk. AED's unique position on the edge of the network (between internet router and firewall) allows it to be the first and last line of perimeter defense. Inbound, AED can automatically detect and block DDoS attacks and other commodity cyber threats to maintain network/service availability and take pressure off downstream security devices like next-generation firewalls. Outbound, AED can automatically detect and block malicious communication to known bad locations, thus alerting security teams of compromised internal hosts (that other security products may have missed) and helping them stop a data breach.
Hildebrand: Does that make AED a Threat Intelligence Gateway (TIG)?
Bixler: No, AED is in a class by itself. It obviates the need for a TIG and also provides a lot more. DDoS protection remains a key part of network availability, ensuring critical business processes execute on time. Another feature that makes AED stand out is the contextual threat intelligence it can bring to network defenders. When an indicator of compromise (IoC) is blocked, AED leverages the global threat intelligence of NETSCOUT ATLAS to provide more context related to the IoC. This helps security teams determine risk to drive prioritization and helps them accurately home in on the threat.
Hildebrand: How about the issues you mentioned around making the security stack more efficient?
Bixler: AED has what I call a bias to action. Thanks to many years of defending against DDoS, we’ve built a trusted relationship with our customers to be active participants in the security stack. So, when it detects that something is bad, AED does more than just send an alert and ask humans to do something about it. We are preventive, providing a way to operationalize threat intelligence as a means of enforcement.
AED helps reduce alert fatigue by acting and shortening time to containment. Security teams therefore spend less time determining alert priorities and organizational risk, and more time on proactive security measures.
On top of that, AED has the ability to ingest a large number of threat indicators. AED's robust REST API and compliance with feed standards such as STIX and TAXII mean that security teams can easily integrate AED into their existing security stack and processes. AED unites threat intelligence, improves efficiency, and reduces fragmentation. It's a really useful complement to threat intelligence platforms.
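The interview describes two pieces of the same workflow: ingesting STIX indicators from a feed, and using them as an enforcement point that flags internal hosts talking to known-bad destinations. The block below is an added illustration of that workflow in generic Python; it is not NETSCOUT or AED code and does not use AED's API. It parses a constructed STIX 2.1 bundle (sample indicators in documentation address ranges, not a real feed), builds a blocklist of networks and domains from the simple `[type:value = '...']` patterns, skips revoked indicators, and evaluates constructed outbound flow records in a hypothetical space-separated format against it. Only single-comparison patterns are handled; anything more complex is left for a full STIX pattern engine.

```python
"""Turn STIX 2.1 indicators into a blocklist and check outbound flows against it.

Added example, not NETSCOUT/AED code. All indicators, IDs and flow records
below are constructed sample data in RFC 5737 documentation ranges.
"""
import ipaddress
import json
import re


def _indicator(num, pattern, revoked=False):
    """Build a minimal STIX 2.1 indicator object (constructed sample data)."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-00000000000%d" % num,
        "created": "2018-07-01T00:00:00.000Z",
        "modified": "2018-07-01T00:00:00.000Z",
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": "2018-07-01T00:00:00Z",
        "revoked": revoked,
    }


# Constructed bundle, as a TAXII server might return it: a single C2 address,
# a whole C2 netblock in CIDR form, a malicious domain, and one revoked indicator.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "[ipv4-addr:value = '203.0.113.10']"),
        _indicator(3, "[ipv4-addr:value = '198.51.100.0/24']"),
        _indicator(4, "[domain-name:value = 'bad.example']"),
        _indicator(5, "[ipv4-addr:value = '192.0.2.200']", revoked=True),
    ],
})

# Simple single-comparison STIX patterns only.
IP_PATTERN = re.compile(r"^\[ipv4-addr:value\s*=\s*'([^']+)'\]$")
DOMAIN_PATTERN = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")


def load_blocklist(bundle_json):
    """Return (networks, domains) extracted from the bundle's indicators.

    Revoked indicators are skipped so a withdrawn IoC stops blocking traffic.
    Patterns the simple regexes do not understand are ignored, not guessed at.
    """
    networks, domains = [], set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        pattern = obj.get("pattern", "")
        m = IP_PATTERN.match(pattern)
        if m:
            # ipv4-addr values may be CIDR; a bare address becomes a /32.
            networks.append(ipaddress.ip_network(m.group(1), strict=False))
            continue
        m = DOMAIN_PATTERN.match(pattern)
        if m:
            domains.add(m.group(1).lower())
    return networks, domains


# Hypothetical flow record format: "<timestamp> <src> <dst> <dport> <proto> [<name>]"
# where <name> carries a DNS query name or TLS SNI when one was observed.
FLOW_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)(?: (\S+))?$")


def match_flow(line, networks, domains):
    """Return the indicator a flow matched, or None if the flow is clean."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    _ts, _src, dst, _port, _proto, name = m.groups()
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net in networks:
        if dst_ip in net:
            return str(net)
    if name and name.lower().rstrip(".") in domains:
        return name.lower().rstrip(".")
    return None


def find_compromised_hosts(lines, networks, domains):
    """Map each internal source address to the indicators it communicated with."""
    hits = {}
    for line in lines:
        indicator = match_flow(line, networks, domains)
        if indicator:
            src = line.split()[1]
            hits.setdefault(src, []).append(indicator)
    return hits


# Constructed outbound flows: two clean, three matching, one to a revoked IoC.
SAMPLE_FLOWS = [
    "2018-07-02T10:15:00Z 10.0.0.5 203.0.113.10 443 tcp",
    "2018-07-02T10:15:01Z 10.0.0.5 192.0.2.1 443 tcp",
    "2018-07-02T10:15:03Z 10.0.0.7 10.0.0.53 53 dns bad.example.",
    "2018-07-02T10:15:04Z 10.0.0.9 198.51.100.77 8080 tcp",
    "2018-07-02T10:15:05Z 10.0.0.9 192.0.2.200 80 tcp",
    "2018-07-02T10:15:06Z 10.0.0.11 192.0.2.7 53 dns good.example",
]

if __name__ == "__main__":
    nets, doms = load_blocklist(STIX_BUNDLE)
    for host, iocs in sorted(find_compromised_hosts(SAMPLE_FLOWS, nets, doms).items()):
        print("%s contacted known-bad %s" % (host, ", ".join(iocs)))
```

The output is a per-host list rather than one alert per packet, which is the "bias to action" point made above: the enforcement decision is a simple set membership test, and what reaches an analyst is the compromised internal host, not a stream of individual blocked connections. A production deployment would also honour `valid_until`, refresh the bundle on the feed's cadence, and retire indicators the feed has dropped.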
Want to learn more? Adam Bixler delves deeper into today’s threat landscape in this video.