User Manual
> White Paper | Best Practices in Digital Transformation
Software-Defined Security & The Role of Analytics
Cyber-security has always been, by definition, software-based.
It includes any type of software that secures and protects a
network or computing device from the range of viruses, malware,
unauthorised access attempts and other security vulnerabilities
listed earlier in this chapter.
While IoT within the data center can collect data through which
problems and threats can be identified, the defense against
cyber-threats increasingly takes the form of analytics that can
identify statistical abnormalities, trace the cause and put necessary
responses into place. This approach will increasingly be adopted
by MTDCs given the increased security risk represented by multiple
clients and their IT within a common space and, sometimes,
network as well.
The development of software-defined networking (SDN) in particular,
and to a lesser degree network functions virtualisation (NFV), is
the logical progression of software definition, which has been used
to define networks and other elements of data center infrastructure
through APIs, into security. The programmability and automation
inherent in software definition can also be used in security to
deliver a more agile and responsive system, as well as offering the
key benefit of a centralized control engine with a high degree of
orchestration, which allows for incisive analysis and swift
response to threats.
Once the principles of software definition are applied to security,
key steps in the security process, such as detection and prevention
of threats or intrusions, network segmentation, monitoring and
access control, can be automated and monitored. The security
control plane is thereby separated from the security processing
and forwarding planes.
It also allows the automatic inclusion and control of any new device
under the appropriate security policy and protocols. This includes
applications and workloads within applications created within the IT
environment (usually cloud or virtualised infrastructure) regardless
of where the device is located. The device can also be migrated,
moved within the data center or scaled and the security policy and
controls remain with it. This is of particular value within an MTDC
as it will reduce the time and trouble of re-allocating security
protocols when tenants take or reduce footprint or move in or out.
It obviously reduces the possibility of human error and the time
spent in re-defining protocol.
Software-Defined Security is adaptive in that the security policy and
controls automatically remain with the device if it is moved, migrated
or scaled, which speeds up response time and reduces the scope
for human error.
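The mechanism behind "the policy remains with the device" is that rules are bound to workload identity (tenant and labels) rather than to a host or IP address, and the control plane recompiles the concrete forwarding-plane rules whenever the inventory changes. The following is an added illustration, not code from the white paper or from any product it describes; the tenants, hosts, labels, addresses and the rule format are all constructed for the example.

```python
"""Added example: a minimal software-defined security control plane in which
rules match on workload labels and tenant, never on host or address, so a
workload keeps its policy when it is migrated. Everything below (tenants,
labels, hosts, addresses) is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tenant: str
    labels: frozenset   # e.g. {"role:web"}; policy binds to these
    host: str           # current location, may change on migration
    address: str


@dataclass(frozen=True)
class Rule:
    src_labels: frozenset
    dst_labels: frozenset
    dst_port: int
    action: str         # "allow" or "deny"


class PolicyEngine:
    """Control plane: label-based rules plus the workload inventory."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.inventory = {}   # workload name -> Workload

    def register(self, wl):
        self.inventory[wl.name] = wl

    def migrate(self, name, new_host, new_address):
        """Move a workload; only its location changes, its identity does not."""
        old = self.inventory[name]
        moved = Workload(old.name, old.tenant, old.labels, new_host, new_address)
        self.inventory[name] = moved
        return moved

    def decide(self, src_name, dst_name, dst_port):
        src, dst = self.inventory[src_name], self.inventory[dst_name]
        # Tenant isolation first: cross-tenant traffic is denied no matter
        # what the label rules say (the multi-tenant data center case).
        if src.tenant != dst.tenant:
            return "deny"
        for r in self.rules:
            if (r.src_labels <= src.labels and r.dst_labels <= dst.labels
                    and r.dst_port == dst_port):
                return r.action
        return "deny"   # default deny

    def compile_for_host(self, host):
        """Forwarding plane: concrete (src_ip, dst_ip, port, action) entries
        for the enforcement point on one host, derived from the label rules.
        Re-running this after a migration yields the moved workload's rules
        on its new host with no manual re-allocation."""
        entries = []
        for dst in self.inventory.values():
            if dst.host != host:
                continue
            for src in self.inventory.values():
                if src.name == dst.name:
                    continue
                for r in self.rules:
                    if r.src_labels <= src.labels and r.dst_labels <= dst.labels:
                        entries.append((src.address, dst.address, r.dst_port,
                                        self.decide(src.name, dst.name, r.dst_port)))
        return entries


def build_engine():
    engine = PolicyEngine([
        Rule(frozenset({"role:web"}), frozenset({"role:db"}), 5432, "allow"),
    ])
    engine.register(Workload("a-web", "tenant-a", frozenset({"role:web"}), "host1", "10.0.1.10"))
    engine.register(Workload("a-db", "tenant-a", frozenset({"role:db"}), "host2", "10.0.2.20"))
    engine.register(Workload("b-web", "tenant-b", frozenset({"role:web"}), "host1", "10.0.1.11"))
    return engine


def demo():
    """Decision for web -> db before and after the db workload is migrated."""
    engine = build_engine()
    before = engine.decide("a-web", "a-db", 5432)
    engine.migrate("a-db", "host3", "10.0.3.30")
    after = engine.decide("a-web", "a-db", 5432)
    return {
        "before": before,
        "after": after,
        "cross_tenant": engine.decide("b-web", "a-db", 5432),
        "other_port": engine.decide("a-web", "a-db", 22),
        "host3_rules": engine.compile_for_host("host3"),
        "host2_rules": engine.compile_for_host("host2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point to take from the example is the split the text describes: the operator edits label rules in the control plane only, while the per-host entries are a derived artefact. After the migration the old host's entry list is empty and the new host's list carries the same allow for the tenant's web tier and a deny for the other tenant's web tier, with nobody having re-entered an address.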
While the fast, intelligent identification of and response to threats is
a key attribute, it may not in itself be enough. A number of threats
base their damage potential on sheer volume and the combination
of a range of threats and alerts may be too great for a security
system to deal with. Therefore, intelligence and analysis that
can move beyond the prevention of current attacks towards the
detection of potential attacks before they happen is of considerable
value.
There are a number of different types of intelligence approaches
that can be used to achieve this, including threat exposure
(vulnerability) management, threat intelligence, enterprise forensics
and incident response. An organisation may need to use multiple
approaches in order to maximise protection. Machine intelligence
and human intelligence both play a role in this process, with the
former offering the capability of mining and analysing vast amounts
of data in real time and human intelligence acting as the start point
for scoping the analytics and the end point in terms of working out
what to do with the findings.
Increasingly, sophisticated algorithm-based techniques are used
in conjunction with big data analytics, not just to identify security
threats but to diagnose the wider principle of ‘data health’. A data
pattern can be considered as the mathematical expression of
specific network behavior developed on the basis of prior empirical
learnings. The ability to recognise behaviors in data on this basis has
tremendous implications for detecting pre-defined incidents.
Threat intelligence seeks to detect anomalies by establishing a
baseline of normal behavior so that abnormalities can be detected
through the use of user behavior and user analytics. It can also
look at the tools, techniques and procedures used by attackers
from the evidence left behind in an attack. From this intelligence,
countermeasures can be implemented to reduce the likelihood and/
or the impact of future attacks.
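The baselining idea in the paragraph above, and the signature-free network anomaly detection described in the next one, can be shown concretely with a small detector: per source host it keeps a rolling baseline of bytes sent per minute, scores each new minute against that baseline with a robust (median/MAD) z-score, and folds only normal minutes back into the baseline so the detector keeps learning without being taught that an attack is normal. This is an added example, not code or data from the white paper; the flow records, the field layout `minute,src,bytes`, the window sizes and the threshold are constructed assumptions.

```python
"""Added example: baseline-based network anomaly detection over constructed
per-minute flow summaries. No signatures or labels are used; the baseline
is learned and continually refined from the traffic itself."""
from collections import defaultdict, deque
from statistics import median

# Constructed sample data, format "minute,src,bytes". Host 10.0.1.10 is
# steady throughout; 10.0.1.11 is steady until minutes 7-8, when it sends
# roughly 25x its usual volume, then returns to normal.
FLOWS = """\
1,10.0.1.10,1000
1,10.0.1.11,500
2,10.0.1.10,1100
2,10.0.1.11,520
3,10.0.1.10,950
3,10.0.1.11,480
4,10.0.1.10,1050
4,10.0.1.11,510
5,10.0.1.10,1000
5,10.0.1.11,500
6,10.0.1.10,1020
6,10.0.1.11,490
7,10.0.1.10,980
7,10.0.1.11,12000
8,10.0.1.10,1000
8,10.0.1.11,13000
9,10.0.1.10,1100
9,10.0.1.11,500
10,10.0.1.10,1050
10,10.0.1.11,510
"""


def parse_flows(text):
    """Parse the constructed format into (minute, src, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        minute, src, nbytes = line.split(",")
        records.append((int(minute), src, int(nbytes)))
    return records


class RollingBaseline:
    """Per-key rolling baseline using the median and the median absolute
    deviation (MAD), which are not dragged by a few extreme values the way
    mean and standard deviation are."""

    def __init__(self, window=10, warmup=5, k=6.0):
        self.warmup = warmup          # observations needed before scoring
        self.k = k                    # robust z-score threshold
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, key, value):
        """Score value against key's baseline, then refine the baseline.
        Returns (is_anomaly, robust_z)."""
        hist = self.history[key]
        anomaly, z = False, 0.0
        if len(hist) >= self.warmup:
            med = median(hist)
            mad = median(abs(x - med) for x in hist) or 1.0   # guard zero spread
            z = 0.6745 * (value - med) / mad                  # modified z-score
            anomaly = abs(z) > self.k
        if not anomaly:
            # Only normal observations refine the baseline, so a sustained
            # attack cannot teach the detector that the attack is normal.
            hist.append(value)
        return anomaly, z


def detect(text=FLOWS, **kwargs):
    """Run the detector over the records in time order; return the flagged
    (minute, src, z) triples."""
    baseline = RollingBaseline(**kwargs)
    anomalies = []
    for minute, src, nbytes in sorted(parse_flows(text)):
        is_anom, z = baseline.observe(src, nbytes)
        if is_anom:
            anomalies.append((minute, src, round(z, 1)))
    return anomalies


if __name__ == "__main__":
    for minute, src, z in detect():
        print(f"minute {minute}: {src} deviates from its baseline (z={z})")
```

With the sample data the two burst minutes from 10.0.1.11 are flagged and nothing from the steady host is, even though its volume also fluctuates; the warm-up period is what keeps the first minutes from being scored against an empty baseline. Which measure to baseline (bytes, connection count, distinct destinations) and how wide a window to use are operational choices the text leaves open.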
Network Anomaly Detection is the process of finding behaviors in
network traffic, as indicated by the analytic, which do not conform to
expected patterns. These nonconforming behaviors may indicate
a range of possibilities, such as impacts on the end user Quality of
Experience, degradation of equipment or performance, or security
intrusions and attacks that can be blocked when the anomalies
are detected in the network at an early stage. Security measures
therefore need the ability to proactively detect network anomalies
and unknown network behaviors without relying on any evident
signatures, labeled traffic, or prior learning. Detection must instead
be based on continual refinement of what is learned from the data
the system collects. A possible analogy here is the data methodology behind
the autonomous (or ‘driverless’) car. It will not have met before
every single driving situation on every single road that it will travel.
Rather it will work from the broad characteristics of situations and u