When compared to traditional Wide Area Networks (WAN), Software Defined Wide Area Network (SD-WAN) solutions offer advanced threat detection capabilities. Integrations such as Artificial Intelligence and Machine Learning have become crucial to SD-WAN’s threat detection capabilities for real-time, proactive detection and protecting against zero-day vulnerabilities. The incorporation of behavioural analysis and comprehensive threat intelligence also improve network knowledgebases for threat behaviour, providing a larger arsenal of tools for detecting potential threats.
- Threat Detection in SD-WAN
Table of Contents
Threat Detection in SD-WAN
With large networks, monitoring network activity becomes non-viable for network administrators to manage manually. The vast influx of data requires additional tools, traditionally being pre-programmed with threat signatures that the tools monitor the network for. Unfortunately, due to the increase in data being transmitted and network scale in recent years, these tools have struggled to keep up. Add to this the fact that, even with updates, these tools have not been able to provide protection from zero-day vulnerabilities and older threat detection methods clearly become insufficient for current practice.
Integration of AI and Machine Learning
Unlike traditional tools, SD-WAN threat detection is not reliant on pre-programmed threat signatures. Leveraging Artificial Intelligence (AI) and Machine Learning (ML), these technologies are pivotal to the enhanced threat detection capabilities offered by SD-WAN. Through large data sets far larger than a human could compile, these enable the identification of patterns in network activity, distinguishing normal network activity from anomalies, which indicates potential threats. By categorising activity rather than only evaluating signatures, AI threat detection offers a proactive approach for securing an SD-WAN network, with the capability to block out zero-day threats before they can even impact the network.
Alleviating administrators from the responsibility to monitor network activity, SD-WAN can notify administrators of threats upon detection, reducing the administrator workload, whilst still keeping them informed about ongoing risks and issues.
Behavioural Analysis
With the ever-present issue of insider threats, businesses can find it difficult to prevent their actions before it’s too late. This is due to insider threats typically being disgruntled employees, who choose to use their access privileges for financial benefit or to cause damage to the company. Additionally, compromised accounts can similarly be used to the same effect, with simple logins enabling cybercriminals to gain access to an entire company network. Unfortunately, as these privileges are required for day-to-day work, revoking these isn’t an option, however understanding what your user base are doing is.
Behavioural analysis is a technique to understand what the underlying user, application or device is doing. By creating a baseline for normal behaviour of users, devices and applications, current activity can be analysed and compared with historical data through machine learning. This baseline is comprised of User and Behaviour Analytics (UEBA), which is a specialised form of behavioural analysis, enabling continuous monitoring to check for patterns against the baseline and find anomalies.
Common outliers for suspicious behaviour can be login times, access frequency, data usage and interactions with network resources not intended for that user. By identifying deviations, SD-WAN can pinpoint potentially malicious activities in real-time, reducing the time to respond to breaches and minimising their impact.
Threat Intelligence Integration
To upgrade on traditional pre-programmed methods of threat intelligence, SD-WAN gathers, processes and analyses data about potential and current threats from a variety of sources, enabling staying ahead of threats.
Threat Intelligence Integration
| wdt_ID | wdt_created_by | wdt_created_at | wdt_last_edited_by | wdt_last_edited_at | Threat Intelligence Feed | Source |
|---|---|---|---|---|---|---|
| 1 | hyelland | 25/10/2024 02:23 PM | hyelland | 25/10/2024 02:23 PM | Global threat intelligence feeds | Aggregated data from multiple organisations and security vendors on latest threats and attack patterns. |
| 2 | hyelland | 25/10/2024 02:23 PM | hyelland | 25/10/2024 02:23 PM | Open-Source Intelligence (OSINT) | Gathers data from publicly available sources such as forums, websites and social media. |
| 3 | hyelland | 25/10/2024 02:23 PM | hyelland | 25/10/2024 02:23 PM | Dark Web Monitoring | Gathers data from dark web forums and marketplaces, where threat actors often discuss and trade stolen data or attack tools. |
| 4 | hyelland | 25/10/2024 02:23 PM | hyelland | 25/10/2024 02:23 PM | Internal Threat Data | Generated within the organisation including logs from security devices, incident reports and historical attack data. |
| Threat Intelligence Feed | Source |
Deep Packet Inspection (DPI)
A limitation of traditional networks is that these typically use packet filtering techniques which only examine the packet headers. This method uses Access Control Lists (ACLs) to allow or block traffic based on IP addresses, ports, and protocols, however, does not monitor the packet payload, enabling some threats to still pass through the network successfully.
SD-WAN addresses this limitation through Deep Packet Inspection (DPI), which analyses the entire packet. This includes the payload, allowing DPI to identify, categorise and take actions on specific types of data if they are deemed to be a potential threat to the network.
To achieve this, packets are captured by the DPI system as they flow through the network at various points (firewalls, routers or dedicated appliances). Each packet is classified based on the protocol and type of data, including IP addresses and port numbers. The payload is then analysed via pattern matching techniques against known malicious content. In some instances, the packet is encrypted to obfuscate the payload, however DPI implements decryption measures to prevent hidden malicious content.
Actions taken are entirely dependent on network policies, which include allowing, blocking, rate limiting (in the event an application is using excessive bandwidth), redirecting (changing destination of packet for further inspection/processing) and logging or alerting administrators to warn them of threats.
Response Mechanisms in SD-WAN
How SD-WAN Responds to Security Incidents and Breaches
Automated Incident Response
The integration of Artificial Intelligence enables SD-WAN to offer automated threat responses. This significantly reduces response times due to eliminating the need for manual work. Without manual intervention from network administrators, this also minimises the risk of human error when responding to threats, provided that adequate playbooks are used.
Automated playbooks are important for providing a pre-defined set of actions, detailing the steps that should be automatically executed for each specific type of incident that is detected.
Typical responses in automated playbooks include:
Automated Incident Response
| wdt_ID | wdt_created_by | wdt_created_at | wdt_last_edited_by | wdt_last_edited_at | Threat | Response |
|---|---|---|---|---|---|---|
| 1 | hyelland | 25/10/2024 02:25 PM | hyelland | 25/10/2024 02:26 PM | Malware | Containment/Sandboxing |
| 2 | hyelland | 25/10/2024 02:25 PM | hyelland | 25/10/2024 02:26 PM | Phishing | Quarantine, Block Sender, Alert Users |
| 5 | hyelland | 25/10/2024 02:25 PM | hyelland | 25/10/2024 02:27 PM | Unauthorised Access | Lock Account, Reset Account Credentials |
| 7 | hyelland | 25/10/2024 02:25 PM | hyelland | 25/10/2024 02:25 PM | Data Exfiltration | Block Suspicious Activities |
| Threat | Response |
Zero Trust Network Access (ZTNA)
It is often difficult to detect if cybercriminals are using compromised accounts, which can cause more work for businesses to prevent access. Attacks such as Cross-Site Request Forgery (CSRF) can steal session data, which are used as a shorthand authorisation process with traditional networks and enable cybercriminals to disguise themselves as an authorised user.
SD-WAN mitigates this issue with the implementation of Zero Trust Network Access (ZTNA), a security principle that defines that networks should “never trust, always verify”. With ZTNA, the network assumes that no device, user, or physical connection should be inherently trusted by the network, even after initial login. ZTNA requires accessors to constantly authenticate to maintain access to the network at every interaction. This minimises the shorthand vulnerabilities from being utilised and through enforcement of strict access controls, minimises the attack surface.
Advanced Endpoint Detection and Response (EDR)
In traditional networks, techniques such as packet filtering and anti-malware often miss advanced or unknown threats due to lacking real-time monitoring capabilities or the ability to view underlying payloads.
SD-WAN introduces advanced Endpoint Detection and Response, which conducts continuous monitoring and analysis of endpoint activities, which includes threat hunting for proactively finding threats. This provides network administrators with centralised monitoring and automated threat mitigation for coordinate responses across the network, surpassing the limitations of traditional antivirus and signature-based detection methods.
Network Segmentation
Network segmentation is the process of isolating network traffic, applications or data into their own subsections of the network. Dynamic segmentation enables adaptive security measures, as SD-WAN enables the segment to be changed on the fly and thus allows quick responses to potential threats. Sensitive sections of the network, when isolated through segmentation, can have granular security policies applied to minimise the effect of potential breaches.
Secure Access Service Edge (SASE) Integration
Secure Access Service Edge (SASE) is a framework that converges several networking features through a cloud solution. Prior to SASE, as there was no longer the secure perimeter with distributed working a “hub-and-spoke” model was used, meaning that network traffic had to be backhauled to the central data hub for inspection and all network policies were applied and enforced using on-premises appliances.
The introduction of remote working, Bring Your Own Device (BYOD) policies and cloud expansion showed the limitations of traditional networks through an expanded attack surface due to the presence of Virtual Private Network (VPN) usage.
SASE rectifies these issues and by leveraging microservices, using global Points of Presence (PoPs) for enabling nearby security checking, allowing the integration of security and policies such as authorising based on identification and not device. SASE also uses a central policy management strategy, which ensures that policies and permissions remain consistent across the system regardless of location. Features such as Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA) and Firewall-as-a-Service (FWaaS), help SD-WAN to achieve continuous threat detection and responses across all network edges.
Future Trends and Innovations
Enhanced AI Capabilities
Current AI integrations have shown significant improvements over traditional WAN networks, with expectations that these integrations will only increase in the future. Expected advancements in AI should significantly improve threat detection accuracy across SD-WAN solutions, with algorithms used to detect threats becoming more sophisticated. The integration of generative AI, which is an AI technique seen in tools such as ChatGPT, is seen as a potential future innovation. Through generative AI, SD-WAN could potentially predict and simulate attack scenarios, enhancing network preparation and response strategies.
Future Trends In SD-WAN Security
Increased Use of Automation
With the volume and complexity of threats continuously rising, network administrators become overwhelmed with workload. This necessitates the use of automated response systems. Future SD-WAN developments expect more integrations for advanced automated playbooks, providing SD-WAN with faster and more effective threat mitigation. This assists with reducing response times and limiting the scope of potential damage.
Expansion of Threat Intelligence Networks
Traditional network security often relies on localised threat intelligence sources and lacked real-time updates, making it difficult to issue quick responses to new threats. SD-WAN solutions will increasingly integrate with global threat intelligence platforms, providing more proactive defences through big datasets. This improvement requires greater collaboration between SD-WAN providers and threat intelligence networks, with continuous updates on emerging threats.
Conclusion
SD-WAN provides a significant improvement on traditional WAN networks, offering advanced threat detection through AI and Machine Learning techniques. By enabling real-time proactive threat detection, SD-WAN outperforms traditional WAN with the ability to also mitigate zero-day vulnerabilities. Behavioural analysis and comprehensive threat intelligence further enhance the ability to identify and respond to potential threats, with deep packet inspection and automated incident response enabling the detection and neutralisation of threats efficiently. The implementation of Zero Trust Network Access ensures only authorised users gain access and continuous verification of user actions prevents malicious activities.
As we look to the future, advancements in AI, increased automation, and the expansion of global threat intelligence networks will continue to enhance SD-WAN capabilities. These innovations will provide even more accurate threat detection, faster response times, and a more comprehensive defence against the growing volume and complexity of threats.
