State of Security 2024: Network & Infrastructure

proudly sponsored by
Lacework

The rapid growth of cyber threats in the past 20 years has driven parallel growth in cyber defence solutions, which has led to greater specialisation of tools and increased complexity in security environments.

As a result, older concepts such as network and infrastructure security have become buried under layers of specific capability.

But while SASE, XDR, and IAM all have their place, none of them individually solves the problem that the hardware underpinning them is itself vulnerable to all manner of attacks.

One of the key challenges is that networks themselves are becoming more complicated, thanks to the fact that the older architectural model of an on-premises worker connecting to an on-premises data centre is becoming less and less common.

The need to secure users who connect from more locations to a set of distributed resources has been one of the key drivers of interest in SASE solutions, and specifically in the use of SD-WAN, which is supplanting older methods of securing wide area connections such as VPNs.

Some organisations are relieving themselves of the need for infrastructure security solutions by hosting their services in the cloud, which effectively makes infrastructure security the problem of the cloud service provider.

Neither solution eliminates the challenge of securing the infrastructure at the end points of the network, nor does it alleviate the risks posed by the people using those networks, with Stanford research finding that 88 percent of data breaches are caused by human error.

Network complexity is set to increase further as organisations adopt internet-of-things-based services, a market which Mordor Intelligence reports was worth US$1.17 trillion ($1.77 trillion) in 2024, placing even greater pressure (and potential vulnerability) on the network.

Each of these devices is another potential entry point for criminals, which in turn is driving growth in tools such as IAM and endpoint security solutions, to ensure that weak access protocols and misconfigurations do not open the door to the outside world.

Finally, the need to lock down network access is becoming especially important for those industries that are incorporating traditional operational technology (OT) into their IT networks, such as utilities companies, and who are seeking the benefits of digitising infrastructure operations while avoiding the cyber security risks.

For those organisations that are choosing to continue operating their own infrastructure, the trend has been towards the adoption of concepts such as zero trust, defence in depth, and least privilege access.

These strategies are designed to not only defend infrastructure from external threats, but also to ensure that should defences be breached, successful attackers will be limited in their ability to inflict damage.

Specifically, there is an increased emphasis on observability within infrastructure to detect anomalous activity that might indicate a successful breach.

Similarly, by adopting the principle of least privilege access, security teams can reduce the freedom of movement of an attacker – something that may prove critical when the breach is the result of a compromised credential.

Both strategies are geared towards a defensive posture that aims to both restrict the amount of damage that an attacker can do, and also to reduce the amount of time that they are free to operate.

And while denial-of-service attacks have become less visible in recent years, they remain a persistent threat, especially for operators of critical infrastructure.

So while the challenges are becoming more complicated, the best defence for network infrastructure might continue to come from doing the basics well.

With networks capable of carrying ever-increasing traffic volumes, the ability to analyse traffic flows and distil actionable insights from them remains the biggest challenge in this space.

“It's the volume of data that is the challenge - being able to put that into a place where you can start to do detection on large networks,” AusCERT director David Stockdale said.

“The size [of the links], the complexity [of the networks] and the volumes [of traffic and event data] are all challenges that are going to force us into more tools that automate how we operate.”

AusCERT is based out of The University of Queensland, which is deploying a 400GbE high-speed network between key research computing services and devices.

“At the University of Queensland, we're in the process of standing up multiple 400 Gigabit networks to move large amounts of research data around,” said Stockdale.

“The volume of data that you're seeing go through those networks is just unfathomable really, and the network speeds are getting so much faster. So I think it's a very difficult problem to solve or to get on top of.”

Commercial solutions are assisting in the space, and it is also an active topic of research.

“AusCERT along with The University of Queensland and UQ Cyber is actually doing some research in this space around how to do anomaly detection. There's lots of bright minds in research, in the commercial and academic worlds who are working on these problems.”

Rio Tinto is in the process of changing the way it secures the networks that connect its operational technology (OT) assets such as semi- and fully autonomous trucks, trains, drill rigs and ports. “Billions of dollars of technology sit under each of these platforms,” said CISO Scott Brown. In his words, the cyber security team wants “to run more active security controls in these networks.”

“Rio has been focusing on OT security long before I even got there, but our strategy was a very traditional one that was focused on segregation and segmentation of those networks, and passive controls,” Brown told Gartner’s Security & Risk Management Summit.

“When we first started deploying stuff into these networks from a security point of view … we were only allowed to put things on the edge that kind of peered over the fence to see what was going on … but [that’s] limited in what you can see and it’s limited in the fact that it doesn’t allow you to actually do anything.”

The move away from passive visibility started about two years ago, and the organisation has undertaken a 12-month “discovery” process to figure out what form these active controls might take.

“I’m not looking to put EDRs [endpoint detection and response] on HMIs [human-machine interfaces] tomorrow - I’m very practical [in] thinking about how we’re going to approach this,” Brown said.

“We spent a good 12 months talking to anyone and everyone we can globally who has any sort of industrial footprint, not just [in] resources, around what did you do, how did you do it, where are you up to, what challenges did you have, did it work, did you change.

“What has been super fascinating for me is when we talk about the more corporate side of security, I think it’s reasonably well understood what good looks like, and while there’s obviously nuances and bits and pieces to that, in general most people will give you similar answers with similar context, whereas when you get to OT, at least from what I’ve seen in the last little while, there’s still some really strong opinions one way or the other around how this should work.”

Out of the “discovery” phase, Brown says the company has now come up with a working theory that is “based in practice” and that will now go on to be tested.
