Dissolving Perimeter Defense

New internet trends are inexorably dissolving your network perimeter defense.

  1. Peer-to-peer applications are client-based and therefore poke through your firewalls.
  2. Personal end-to-end VPNs allow bypassing of your perimeter by establishing encrypted channels invisible to your network systems.
  3. Mobile devices freely roam different access points downloading content and then running a myriad of applications within you organization.

These are just a few examples of how your perimeter is becoming irrelevant.

If you think of your enterprise network as your home, perimeter defense is a bit like placing good locks on your doors and windows, and then hoping that no thief can get inside. Unfortunately, as we all know, this is hardly enough. It is conventional wisdom: “If thieves want to get in your house, they will”.


It is becoming exceedingly apparent that this is true for your enterprise perimeter as well. No matter how sophisticated your perimeter is, there is always a way in. The increasing rate of data breaches involving large US corporations is good supporting evidence for this. The damages to brand reputation – and the actual costs associated with a data breach – grow exponentially with the size of the enterprise. Any improvement to the old perimeter defense paradigm is financially valuable.

So what is missing from this equation?

Let’s explore some options by comparison to your home’s physical security.

Option 1: “Keep all your valuables in a bank so that even if they break in, they cannot steal anything.”

BankThis approach is very effective, but it undermines your productivity. Keeping your data somewhere else (where it is more secure) works, but the problem is that you cannot really use it now. If you need quick access to your data for your business operations, you are shooting yourself in the foot. Also, the mechanisms to access your remote data are themselves a problem. If you went to your bank everyday to check on your valuables, you would expose yourself to attacks as soon as you come out the bank, so you are back to square one. Likewise, if you have to transmit your data from a more secure location, you then become vulnerable to the transmission mechanism.

Option 2: “Keep a low profile.”

Low Profile This approach helps, but it often goes against your business objectives and revenue potential. If no one knows about your enterprise, you will not be a target but you also will not be attracting customers.



Option 3: “Build even more perimeter defenses.”

CastleBuilding barriers on the outside of your network naturally discourages communications but additional barriers can constantly get in the way of getting your job done. You are limiting access, or making it more difficult to access your network. The other issue is that you are adding more of what was already ineffective. So, does it make sense to invest more on the same thing?

Option 4: “Invest in your internal defenses.”


If you install motion detectors in your house, you can improve your security. Even if someone makes it inside, they will trip the alarms. Sounds too good to be true? Well, it is. The cyber counterparts of motion detectors are prone to false positives (an alert is generated even though there is no nefarious activity). If you have motion detectors in your house and also own a dog/cat, you will know what I am talking about. Fido will almost certainly make your motion detectors useless. Likewise, demanding and inquisitive users in your network will constantly trip your internal monitoring tools.

Fortunately, in cyberspace we deal with digital information rather than analog images. Refining motion detection in cyberspace is easier than in the physical world. Imagine if a motion detector in your house could detect the motion of an individual coming through your living room, and subsequently also detect that the person opened a drawer in your bedroom. That would be interesting, right? A dog would not trip your house alarm, but someone breaking your perimeter and going straight for your possessions would be caught.

Motion detection alone is not very useful. However, if it is paired with some behavioral analysis, it becomes extremely effective. This what MetaFlows does: motion detection (in the cyberspace sense) plus behavioral analysis.

Diagram of behavioral analysis with MetaFlows

Our behavioral analysis requires that the internal alerts indicate more than one symptom, therefore greatly reducing false alarms. We monitor the behavior of every internal asset (even the ones that “walk in”, like smart phones) and wait to see if they exhibit at least two alerts typical of nefarious activity.

Some Simple Examples:

Successful Password Guessing

  1. We detect that host X performs brute-force password guessing on host A .
  2. We detect that host X receives more than 10 kilobytes from host B (another internal host).

Taken separately, neither alert would not be very interesting, but taken together they become very interesting. Likewise, someone trying several keys in your lock would not constitute an interesting event. Someone opening a drawer in your bedroom also would not be an interesting event. However, someone trying several keys and then opening your drawer a minute later is very interesting.

Malware Installation Through Browser Drive-By

  1. An internal host A is detected downloading an unsigned, unknown executable file.
  2. After a few minutes, host A is now communicating to a known malware controller host Y .

Notice again that separately these events are not useful, but together they are. Likewise, if you see a guest at a party carrying a screwdriver you would not think much of it. If a guest stumbles in a bedroom looking for a bathroom you also would not think much of it. However, if you saw a guest handling a screwdriver in one of your bedrooms, you would ask questions, right?


From the examples above, it is evident that behavioral correlation is useful. We have compiled a number of typical behavioral profiles that catch bad internal behavior. Every day, MetaFlows is helping enterprises of all sizes to catch what traditional perimeter systems can’t. To be clear, we do not advocate removing perimeter defense systems (in fact we also provide some of that ourselves), but we believe that it is futile to invest in products that are exclusively focused on securing the perimeter. Instead, we suggest that you try behavioral correlation and see what you can find hidden in your network. Register at nsm.metaflows.com for a free trial!