Achieving comprehensive visibility across the entire network and deep within network traffic is critical to ensuring effective cybersecurity. Yet achieving visibility to that extent has become increasingly difficult as the modern network has expanded to include not only on-premises data centers, but also hybrid cloud platforms, multiple network endpoints in multiple locations, and countless mobile and Internet of Things (IoT) devices.
This article offers tips and best practices for how to best establish a strong cybersecurity posture by ensuring comprehensive and consistent visibility into all network traffic, providing SecOps teams with the data they need to proactively detect, investigate, and mitigate cyber threats.
Cybersecurity and visibility are closely intertwined. The adage “You can’t protect yourself from what you can’t see” has never been more applicable. It is difficult, if not impossible, to ensure strong cybersecurity without achieving the proper level of visibility into all IT operations and network traffic. Yet achieving visibility to that extent has become increasingly difficult as the modern network has expanded to include not only on-premises data centers but also hybrid cloud platforms, multiple network endpoints in multiple locations, and countless mobile and Internet of Things (IoT) devices.
Gaining visibility into all network traffic and having the ability to analyze it in real-time or historically from a cyberthreat perspective is a critical foundation of cybersecurity. This eBook brings you several different angles on how to best establish a strong cybersecurity posture by ensuring comprehensive and consistent visibility into all network traffic, providing SecOps teams with the data they need to proactively detect, investigate, and mitigate cyber threats.
Overview: Ensure Security Through Visibility
Establishing and maintaining an effective cybersecurity protocol starts with achieving pervasive network visibility. Without that breadth and depth of visibility, an organization is vulnerable, essentially blind to any looming cyber threats hiding in visibility gaps. However, gaining pervasive visibility into an ever-expanding and evolving network environment is becoming increasingly difficult. This is especially true in hybrid-cloud and multicloud environments and when on-premises data centers and myriad network endpoints are also part of the architectural mix.
The character of the modern network has changed and now presents a far greater challenge to achieving comprehensive visibility. “Back in the old days, it was pretty simple. You had a hub-and-spoke network, and you had logical choke points where you could put instrumentation to gain visibility,” says Thomas Bienkowski, director of product marketing for NETSCOUT. “Now it’s more like ‘Where is the edge? Where is the core?’ Software-defined networking has also made it more challenging. Then you add in private, public, and hybrid clouds and distributed data centers. It’s really hard to get that level of visibility.” That, Bienkowski says, is the fundamental challenge now that the modern network has grown so complex, with its myriad components: comprehensively detecting and responding to what is happening on the network. Nevertheless, achieving full visibility into all the network traffic coming into and out of data centers, multiple private and public clouds, and every point on the network is critical.
It’s essential to get a handle on the security implications of that network traffic and sufficiently protect applications, services, and ultimately the business from cyberthreats. Without this level of visibility, security and operations teams can’t effectively monitor activity and proactively detect, investigate, and mitigate threats.
The first step is knowing what you need to protect and where it is located. “You have to determine where your most important assets are located—what are the most critical apps, or perhaps you need to protect a server where intellectual property is stored,” he says. “You need to go through a risk assessment and determine the highest priorities, where you need to have the highest level of visibility.”
The new types of network endpoints present not only a monitoring and management challenge but also new attack vectors. “There used to be one way in and one way out,” says Bienkowski. “Now there are all kinds of ways to get into a network itself. There are lots of new devices with BYOD [bring your own device] and the IoT. It’s opening a whole new threat landscape, so you have to ensure you have all avenues and devices covered.”
And achieving that visibility is just the first step. Once an organization has fully instrumented its network and has all this traffic data coming in, it is also critical to pull all that information into a single view so network operations and security operations teams can examine it holistically. “You need to piece together the end-to-end communication,” he says, “from the lowest layer of the network to the highest layer of the applications.”
Architectural Awareness of Visibility Without Borders
Security and IT operations teams must work together and share solutions to do the best possible job of supporting an organization’s security efforts. The teams work best when they rely on a common set of wire-based metadata and packets derived from a comprehensive monitoring platform. This common set of data gives the teams what they need to know to continue to provide business services and ensure security. This type of shared architecture also promotes increased collaboration between security and operations teams, thus ensuring a stronger security posture. It also leads to greater cost savings and operational efficiencies.
NETSCOUT believes in Visibility Without Borders. This is a multidimensional architectural concept that is the first step toward obtaining proper cybersecurity. Visibility Without Borders is a unique combination of comprehensive internal/local network visibility fused with external/global threat intelligence.
“The first dimension of Visibility Without Borders is breadth. It’s all about looking comprehensively across your network. That includes your traditional internal networks; your remote locations; and your public, private, or hybrid cloud environments,” says Bienkowski. “Having the ability to visualize end-to-end conversations within or across hybrid cloud environments is one of the biggest challenges organizations have today.”
The concept of Visibility Without Borders encompasses the entire network and the entire globe—including hybrid cloud environments—and provides visibility into the traffic traversing north-south as well as east-west directions. Visibility Without Borders is the foundation for comprehensive and effective cybersecurity. Without it, security teams run the risk of missing cyber threats that can severely impact their organizations.
To maximize the effectiveness of that comprehensive visibility, network operations and security operations teams must collaborate and work from the same data set. The operational performance perspective can help inform the security perspective, and vice versa. “The technology is easy; human beings are difficult,” says Bienkowski.
“Getting teams to change and collaborate is hard. You can start with the recognition of the value both teams provide. ‘Hey, the network folks have lots of information on the wire that security teams could leverage,’” he says. “Just open those lines of communication, and then formalize those relationships over time. Let the benefits become apparent. That is the fuel to collaborate further.”
Smart Data Fuels Insights
Achieving pervasive visibility is that first critical step. The next dimension in Visibility Without Borders is “depth.” Deriving key metadata and ultimately packets from the monitored network traffic provides a level of context and insight that can inform network performance and/or security use cases. The volume and variety of this data can prove overwhelming though. Generating a higher, more valuable level of data that provides greater insights—what NETSCOUT calls Smart Data—is also a critical step.
“You have to go broad, but that visibility can’t be a thin layer,” he says. “You have to gather wire-based metadata to drill deeper into those conversations. With that level of Smart Data, you can gain more context. For example, who is this person communicating with the database server? Or determine things like ‘Are there any communication errors they’re experiencing?’ The ultimate source of data for this type of information is the network packet.”
This depth of data provides better insight into the lines of communication to help security teams determine whether or not they are seeing something about which they should be concerned. “If this is a critical database server and they are seeing communication from a point that should not be talking to it or an increasing number of error messages or slowdowns in communication, that’s data [on which] they need to focus.”
Such a massive volume of data is required to achieve this level of visibility. Providing greater context around the data helps ensure sharper focus. Smart Data is the reliable signal in the noise of all the traffic moving through the aggregated enterprise data streams. Smart Data is structured, presented in context and in real-time, and based on complete enterprise visibility.
Then beyond both the breadth and the depth of visibility, organizations must infuse a global awareness of cybersecurity threats. “At NETSCOUT our Active Threat Level Awareness System [ATLAS] sees approximately one-third of the world’s internet traffic. From this vantage point, we gain a unique perspective into threats on a global basis,” he says. “Via our ATLAS Intelligence Feed, we infuse that global threat intelligence and awareness into the customer’s local wire-based data. That’s the third dimension [of Visibility without Borders]: breadth, depth, and that perspective of threat intelligence.
“If you take off the network management glasses and run that same set of traffic through the security perspective or lens, you’ll see a different view,” says Bienkowski. “Smart Data is infused with cybersecurity threat intelligence to expose new issues and threats. We’re expanding upon visibility with depth, breadth, and making data smarter, which helps network ops and security ops make informed decisions about which events to prioritize.”
So not only does NETSCOUT Smart Data help operations teams resolve complex network and application performance issues, but it also helps security teams detect, investigate, and mitigate cyber threats more efficiently and completely. Smart Data enables:
- Advanced data analytics based on actionable data
- Quality business insights for better decision-making among security and IT teams
- Seamless collaboration and operational efficiency of network and security teams
Global visibility—Visibility without Borders—and providing actionable data that can inform the decisions of network operations and security operations teams are truly the foundation of effective cybersecurity and operational efficiency.
Cybersecurity Enhanced with Visibility
SecOps Teams Collaborate with NetOps Team for Data Center Transformation
At this particular organization, the NetOps and SecOps teams were traditionally siloed. They each relied on their own set of tools and rarely communicated or collaborated. But as business demands grew and network environments became more software-defined and virtualized, it soon became apparent that all IT teams (NetOps, SecOps, and DevOps) must collaborate to support the business and to guarantee availability, performance, and security.
The organization was in the midst of a data center transformation project during which it was migrating select workloads to a virtual cloud-based environment. DevOps worked closely with NetOps to ensure that they had the means to provide end-to-end visibility into these applications and ensure proper performance.
Although SecOps had its own budget for cybersecurity tools, it chose to leverage the same NETSCOUT network management solutions being used by DevOps and NetOps to secure the digital transformation. They are now formalizing playbooks between all departments to use a common set of NETSCOUT-based network visibility and Smart Data solutions for threat investigation purposes.
Ad Hoc Investigation of Compromised Internal Host in Virtual Environment
As the modern-day network becomes more virtualized, it’s becoming harder for security teams to provide the proper level of security. In this case, a security analyst was investigating what was determined to be a high-risk alert, according to the organization’s SIEM.
The security analyst started tracing communication from an internal compromised host, using the organization’s existing security tools, but the investigation soon hit a dead end when visibility into the host communicating with the company’s cloud-based application, which also housed confidential customer information, was lost.
Knowing that the network teams had NETSCOUT visibility solutions in place that could provide end-to-end visibility across the entire organization (including external-to-VM or VM-to-VM communication inside the cloud environment), the security analyst placed a call to the organization’s network counterparts. Using only the IP address of the suspect compromised internal host, the network team was able to quickly identify all communications to and from this host—including the virtual machines running in the cloud-based infrastructure. Fortunately, detailed session analysis and packets determined that the compromised internal host had neither accessed nor exfiltrated confidential customer data stored in the cloud. This use case demonstrates how NetOps and SecOps can share a common set of wire-based metadata and packets for threat investigations.
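The pivot described in this use case, starting from a single suspect IP and working out to every peer, the bytes moved in each direction, and whether a sensitive server actually returned data, can be done over wire-based session metadata. The following is an added illustration, not NETSCOUT code or data from the investigation above: the flow records, IP addresses, the sensitive-server list and the egress threshold are all constructed for the example.

```python
from collections import defaultdict

# Constructed session-metadata records (NetFlow/IPFIX-style), one per conversation.
# bytes_out = bytes sent by src to dst; bytes_in = bytes returned by dst to src.
# 10.1.5.23 plays the suspect internal host; 172.16.40.7 the cloud-hosted customer DB.
FLOWS = [
    {"src": "10.1.5.23", "dst": "10.1.9.10", "dport": 443, "bytes_out": 1200, "bytes_in": 4800, "errors": 0},
    {"src": "10.1.5.23", "dst": "172.16.40.7", "dport": 1433, "bytes_out": 3400, "bytes_in": 0, "errors": 12},
    {"src": "10.1.5.23", "dst": "203.0.113.55", "dport": 443, "bytes_out": 950000, "bytes_in": 2100, "errors": 0},
    {"src": "10.1.7.80", "dst": "172.16.40.7", "dport": 1433, "bytes_out": 5000, "bytes_in": 220000, "errors": 0},
    {"src": "172.16.40.7", "dst": "10.1.5.23", "dport": 49152, "bytes_out": 0, "bytes_in": 0, "errors": 0},
]

def sessions_for_host(flows, host):
    """Pivot on one IP: every session where the host is either endpoint."""
    return [f for f in flows if host in (f["src"], f["dst"])]

def summarize_peers(flows, host):
    """Per peer: session count, bytes the host sent, bytes it received, errors, ports."""
    peers = defaultdict(lambda: {"sessions": 0, "sent": 0, "received": 0, "errors": 0, "ports": set()})
    for f in sessions_for_host(flows, host):
        if f["src"] == host:  # host initiated: it sent bytes_out, received bytes_in
            peer, sent, recv = f["dst"], f["bytes_out"], f["bytes_in"]
        else:                 # peer initiated: directions are reversed for the host
            peer, sent, recv = f["src"], f["bytes_in"], f["bytes_out"]
        p = peers[peer]
        p["sessions"] += 1
        p["sent"] += sent
        p["received"] += recv
        p["errors"] += f["errors"]
        p["ports"].add(f["dport"])
    return dict(peers)

def assess(summary, sensitive_hosts, external_prefixes=("203.0.113.",), egress_threshold=500_000):
    """Triage findings: did the host pull data from a sensitive server, and did it push
    a large volume to an external address? Thresholds are example values."""
    findings = []
    for peer, p in sorted(summary.items()):
        if peer in sensitive_hosts:
            verdict = "data returned" if p["received"] > 0 else "no data returned"
            findings.append(f"sensitive {peer}: {p['sessions']} sessions, "
                            f"{p['received']} B received, {p['errors']} errors ({verdict})")
        if peer.startswith(external_prefixes) and p["sent"] >= egress_threshold:
            findings.append(f"possible exfiltration to {peer}: {p['sent']} B sent")
    return findings

if __name__ == "__main__":
    for line in assess(summarize_peers(FLOWS, "10.1.5.23"), {"172.16.40.7"}):
        print(line)
```

In this constructed data the suspect host reached the sensitive server but got nothing back (matching the "neither accessed nor exfiltrated" outcome above), while the separate large upload to an external address is what the analyst would chase next with full packets.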