F5 Friday: Building a Proactive Threat Management Infrastructure One Service at a Time

#GDI #infosec #bigdata Personalization is usually the first application mentioned for big data, but security may be of even more value to the enterprise

We (as in the corporate “we”) recently postulated that it was time “time to ratchet up the protection afforded users and the business by leveraging big data in a way that enables attacks to be prevented, not just deflected or avoided.”

Actually, it’s well past time we applied the tremendous amount of information that is available to defending and protecting corporate assets. Security experts and pundits have long posited that a proactive approach to security is called for, that the reactive approach of the past is no longer sufficient to protect the business from compromise, from revenue loss, from infection, and from breaches.

One way we can enable a more proactive security strategy in the enterprise is to start enabling infrastructure with the intelligence necessary to make real-time decisions regarding the threat posture of every single connection. No more sampling, no more guessing, no more after-the-fact alerting from monitoring systems.

This is increasingly important, as 98% of breaches documented by Verizon in its 2012 Data Breach Investigation Report stemmed from external agents – an increase of 6% over the prior year – with malware cited as a contributing to over two-thirds of the 2011 caseload and 95% of all stolen data. Perhaps if organizations involved had been able to identify that the end-point connecting was known to be infected or a known distributor of malware, many of the breaches might have been avoided.


Attempting to do just that is the reason F5 is building out an ecosystem that delivers intelligence to strategic infrastructure services. The goal is to leverage big data and cloud computing to provide key components of the context required to proactively make access decisions with respect to corporate resources. The first subscription-based service in the line-up is IP Intelligence, which provides updates on IP threats. The service draws on the expertise of a global threat-sensor network to detect malicious activity and IP addresses. Even when the BIG-IP device is behind a content delivery network (CDN) or other proxies, the IP Intelligence service can provide protection by looking at the real client IP addresses as logged within the X-Forwarded-For header to allow or block traffic from a CDN with threatening IPs.

The capability to detect the threat before it can launch an attack enhances perimeter security, including mitigating DoS attacks and preventing potential fraudulent transactions. The use of intelligent, behavioral and reputation-based context applied to connections enables protected applications to better scale and perform consistently, as well as increases downstream device throughput and ability to evaluate more efficiently those requests that are allowed past the network boundary.

All BIG-IP systems will be able to take advantage of IP Intelligence via iRules, through a new command that queries the IP Intelligence service. A simple, easy to configure interface is also available in BIG-IP Application Security Manager (ASM) that includes the ability to whitelist IP addresses, because we all know what happens when the CEO is blocked.

The intelligence required to balance legitimate access needs from anywhere to corporate resources goes well beyond a simple reputation lookup, however. It’s not always enough to simply allow or deny access based on reputation, as it may be the case that an employee is ensconced in a meeting room, far from corporate IT, on a network from which an attack has been previously launched. Further evaluation may be necessary; a combination of client, user, reputation, and location may be needed to make a final decision to allow or deny. The whole is greater than the sum of its parts, and sometimes it is the context of the request – all relevant variables – that are necessary in order to intelligently make a decision. BIG-IP enables this level of intelligence, allows operators to dig into all the factors in the equation, and make an intelligent decision based not only on pure data but data balanced with risk and business requirements.

It is the combination of employing intelligent inspection with IP Intelligence that further enables IT to proactively manage access while mitigating risk. It enables IT organizations to effectively deal with emerging threats and trends like BYOD and cloud computing with confidence. IP Intelligence enriches the already robust context-aware capabilities of the BIG-IP system and puts the ability to codify complex multi-variable policies into the hands of IT, where it belongs.

Additional Resources:

Published Jun 29, 2012
Version 1.0

Was this article helpful?

No CommentsBe the first to comment