Visibility Use Cases for Network Security Architecture

With the increasing sophistication of cybercriminals, it is more important than ever to find bad actors and malevolent activity before it’s too late. This is where network visibility goes hand-in-hand with your security efforts. Learn more about visibility use cases that can help.


To prevent network security breaches, you need a robust security architecture, and network visibility is part of it. Read on to learn how tool chaining, data filtering, application intelligence, and other visibility use cases can help you detect and contain threats.

Most enterprises have hidden network and application vulnerabilities that can have disastrous consequences. To prevent network security breaches, you need to build a robust security and visibility architecture.

This article outlines key network security topics that can help you detect and minimize security threats, including:

  • data filtering
  • improved network uptime
  • application intelligence
  • out-of-band data filtering
  • high availability
  • n+1 redundancy
  • network packet brokers for decryption
  • threat intelligence gateways
  • serial tool chaining of data
  • self-healing inline security architectures
  • honeypots
  • ASA firewall migrations
  • SIEM integrations

Read on to see how to implement each of these use cases.

Content Summary

Data Filtering for Rapid Forensic Investigation Limits Breach Damage
Improve Network Uptime with External Bypass Switches
Application Intelligence Captures Indicators of Compromise
Out-of-Band Data Filtering Improves Security Tool Efficiency
High Availability Makes Inline Security Tool Deployments More Reliable
N+1 Redundancy Delivers Reliability at a Fraction of the Cost of High Availability
Easily Enable Appliance-Based SSL Inline Decryption with an NPB
Simplify Inline SSL Decryption Using an NPB with Integrated Decryption
Threat Intelligence Gateways Reduce False-Positive Security Alerts
Serial Tool Chaining of Data Improves the Data Inspection Process
Self-Healing Inline Security Architectures Maximize Network Availability
Protect Your Network with an NPB and a Honeypot
Save Time and Money When Deploying ASA Firewall Migrations
SIEM Integrations Automate Threat Detection and Mitigation
Conclusion

Data Filtering for Rapid Forensic Investigation Limits Breach Damage

Solution summary

  • An integrated security and visibility architecture helps you detect and stop as many network security threats as possible.
  • Create network packet broker (NPB) filters to collect Layer 2 through Layer 4 data and send it to a data loss prevention device (DLP), an intrusion detection system (IDS), log file tools, or other security tools for analysis.
  • Perform forensic analysis to see data exfiltration attempts and limit data loss.

Solution Overview

An integrated security and visibility architecture can help you detect and stop as many network security threats as possible. Just purchasing security tools is not an effective approach. The addition of taps and an NPB can help you capture either widespread or highly granular pieces of network data. They can also distribute that data to security tools, such as a DLP, next-generation firewall (NGFW), or IDS, for analysis.

Well-designed NPBs allow information technology (IT) engineers to selectively screen data based on various criteria, such as routing protocol, IP address, VLAN, and application type. They deliver that data to the security tools (for example, a DLP) for deep packet inspection. The DLP extensively reviews suspect traffic, analyzes it for threats, and then passes the threat information on to other devices.

It is possible to pass NetFlow data to security and analysis tools, such as security information and event management (SIEM), for analysis and security decisions. The SIEM could quarantine the information or deliver it to a storage device so that an IT engineer can review the data as part of a possible breach and remediate the threat.

Improve Network Uptime with External Bypass Switches

Solution summary

  • Eliminate single points of failure for inline tool deployments with a bypass switch.
  • The MTBF of an external bypass switch can be five times better than an integrated bypass.
  • You have more flexibility to add or remove inline security tools without network impacts.
  • External bypass switches eliminate downtime caused by tool upgrades or removal.

Solution Overview

An external bypass switch allows fail-safe deployments of inline security and monitoring tools to ensure high availability (HA) and maximum uptime. Its purpose is to remove the pain of deploying inline tools directly. Directly deployed inline security tools create a line of defense, but they are also single points of failure: if an inline tool becomes unavailable, it can take the network link down with it, compromising uptime and disrupting business continuity. According to Enterprise Management Associates (EMA), this is a significant problem for the almost 20% of enterprises that deploy inline security tools directly and the 40% that rely on internal bypass rather than an external bypass. Even a strong mix of security and analytics tools affects availability: regular patches, upgrades, and the reboots they cause mean that even if nothing ever breaks, you must plan scheduled downtime to accommodate those reboots.

Bypass switches fit into the existing networking ecosystem, allowing the network to function as designed without changes to accommodate visibility components, while giving you the flexibility to add or remove inline security tools without network impact. When the fail-open function is activated, all traffic continues downstream; failover typically takes less than 10 milliseconds. If you prefer fail-closed (no traffic continues in or out of the network), that is available as well. Link Fault Detection (LFD) catches the typical failure, a link going down; for failures that leave the link up, a self-healing deployment using heartbeat messages (passed back and forth between the bypass and the NPB or tools to confirm they are still forwarding) is the better trigger.

The stand-alone (external) bypass offers superior protection when compared to a security tool with an integrated bypass option. For example, some external bypass switches have a mean time between failure (MTBF) of approximately 450,000 hours. This reliability can be up to five times better than security tools such as combined firewall and IPS solutions that have an MTBF of approximately 80,000 to 100,000 hours. Adding internal bypass capability further reduces the MTBF and reliability for those types of solutions. When replacing various security tools, the integrated bypass may need removal as well, destroying any supposed bypass advantage. An external bypass eliminates this issue.

Application Intelligence Captures Indicators of Compromise

Solution summary

  • Almost 68% of breaches unfold over several days (2016 Verizon DBIR).
  • Create an NPB filter to collect detailed user geolocation, data transfer sizes, and more.
  • See data exfiltration attempts in real-time and stop them.

Solution Overview

Application intelligence can help improve network security by exposing indicators of compromise. Packet brokers can filter application data, flow data, and metadata to add a higher level of intelligence to your visibility architecture. That intelligence is actionable insight into macroscopic trends and signs of trouble across your network. Consider this: according to the 2016 Verizon Data Breach Investigations Report (DBIR), almost 68% of breaches unfold over several days. Rapid response minimizes the cost of a breach, but rapid response is not the norm. According to the 2016 Trustwave Global Security Report, the average time to detect a breach was 168 days, which gives intruders plenty of time to exfiltrate whatever data they want. What if you could reduce those 168 days to something closer to 168 seconds? This use case is one example of how.

One example is a bad actor in Eastern Europe performing unauthorized data exfiltration. The attacker gets into your network and starts transferring files from a server in Dallas. Application intelligence, or at least the Ixia version of it, combines application, bandwidth, and geolocation information to show that someone in Eastern Europe has accessed a server in Dallas over File Transfer Protocol (FTP) and is moving that data to a location in Eastern Europe. Is this a problem? That depends on whether you have any authorized users in Eastern Europe. If not, investigate as soon as possible. Either way, the information is in front of you, and what you do with it is up to you. And discovering it does not take 168 days; it is closer to 168 seconds.
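The correlation described above (application, transfer volume, and peer geolocation combined into one alert), as an added example in Python that is not Ixia's code. The prefix-to-region table stands in for a GeoIP database, the authorized regions and the byte threshold are assumptions you would tune, and the flow records are constructed to mirror the Dallas server scenario.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix -> region table standing in for a GeoIP database
# (documentation ranges, not real allocations).
GEO = {
    "10.0.0.0/8": "internal",
    "203.0.113.0/24": "US",
    "192.0.2.0/24": "DE",
    "198.51.100.0/24": "UA",
}
AUTHORIZED_REGIONS = {"internal", "US", "DE"}   # where legitimate users sit (assumed)
TRANSFER_APPS = {"ftp", "sftp", "scp"}           # bulk-transfer applications worth watching
BYTES_THRESHOLD = 50 * 1024 * 1024               # 50 MiB to one peer within the window (assumed)


def region(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for net, reg in GEO.items():
        if addr in ipaddress.ip_network(net):
            return reg
    return "unknown"


def detect_exfiltration(flows, authorized=AUTHORIZED_REGIONS, threshold=BYTES_THRESHOLD):
    """Aggregate server->peer bytes per application and alert on bulk transfers
    to regions with no authorized users. Each flow record: ts (seconds), src
    (the internal server), dst (remote peer), app, bytes_out (server->peer)."""
    totals = defaultdict(int)
    first_seen = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        key = (f["src"], f["dst"], f["app"])
        totals[key] += f["bytes_out"]
        first_seen.setdefault(key, f["ts"])
    alerts = []
    for (src, dst, app), total in totals.items():
        reg = region(dst)
        if app in TRANSFER_APPS and reg not in authorized and total >= threshold:
            alerts.append({"server": src, "peer": dst, "region": reg, "app": app,
                           "bytes": total, "first_seen": first_seen[(src, dst, app)]})
    return alerts


MiB = 1024 * 1024
# Constructed flow records; 10.5.0.20 plays the Dallas file server from the text.
SAMPLE_FLOWS = [
    {"ts": 1000, "src": "10.5.0.20", "dst": "203.0.113.8", "app": "ftp", "bytes_out": 80 * MiB},    # US peer: authorized
    {"ts": 1005, "src": "10.5.0.20", "dst": "192.0.2.9", "app": "sftp", "bytes_out": 60 * MiB},     # DE peer: authorized
    {"ts": 1010, "src": "10.5.0.20", "dst": "198.51.100.23", "app": "ftp", "bytes_out": 30 * MiB},  # UA peer
    {"ts": 1040, "src": "10.5.0.20", "dst": "198.51.100.23", "app": "ftp", "bytes_out": 25 * MiB},
    {"ts": 1070, "src": "10.5.0.20", "dst": "198.51.100.23", "app": "ftp", "bytes_out": 10 * MiB},
    {"ts": 1080, "src": "10.5.0.20", "dst": "198.51.100.23", "app": "https", "bytes_out": 2 * MiB}, # not a transfer app
]

if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS):
        print(f"ALERT {a['server']} -> {a['peer']} ({a['region']}) via {a['app']}: "
              f"{a['bytes'] // MiB} MiB since t={a['first_seen']}")
```

The three FTP flows to the UA peer add up to 65 MiB and trip the alert within seconds of the first flow record; the larger transfers to US and DE peers stay quiet because those regions are on the authorized list, which is the "do you have users there?" question the text raises.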

Out-of-Band Data Filtering Improves Security Tool Efficiency

Solution summary

  • Business IP traffic will grow by a factor of nearly three between 2016 and 2021.
  • Not all data is of interest to security analysis. Use application intelligence to capture the right type of data and optimize data capture and filtering strategies.
  • Application intelligence can improve the efficiency of certain tools by up to 35%.

Solution Overview

Analyzing network traffic is expensive, and the amount of traffic on your network will triple between 2016 and 2021. Sifting through all of it requires many security tools and a great deal of time. A better, more cost-effective approach is to isolate the data with a higher probability of being a security threat and analyze just that data, which lets your security solution scale cost-effectively. An NPB with application intelligence provides the capabilities needed to do this.

This is the out-of-band version of the inline use case shown earlier. A typical NPB focuses only on Layer 2 through 4 packet data and can direct data to security tools based on basic parameters. When using Layer 7 data, contextual information based on application type and routing information can provide another layer of screening.

For instance, suppose you work at a university with an enormous amount of data flowing across the network: research file transfers, communications (voice and email), and video (videoconferencing and streaming apps for students living on campus). Screening all of it would take a long time and a lot of security tools. At the same time, some audio traffic (voice over IP (VoIP) and streaming music such as Pandora) and some video traffic (Hulu, Netflix, and Amazon) may not be worth screening. Using application intelligence, an NPB can identify traffic by application type and filter these applications out of the monitoring stream, leaving the IDS to inspect the data that still warrants it. This approach can reduce the traffic sent to an IDS by up to 35%; in the university's case, that cut IDS tool costs by one-third.
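An ordered filter table of the kind both this section and the data-filtering use case above describe, as an added Python example (not Ixia's NPB logic or API): Layer 2 through 4 rules forward exfiltration-relevant protocols to a DLP and a research VLAN to a forensics recorder, an application-tag rule drops streaming media before it reaches the IDS, and everything else falls through to the IDS. The port names, the application tags, and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    vlan: int
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    app: str        # application tag attached by application intelligence (assumed labels)
    length: int     # bytes on the wire


@dataclass
class Rule:
    action: str                       # "forward" or "drop"
    tool_port: Optional[str] = None   # destination port group for "forward"
    vlan: Optional[int] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    apps: frozenset = frozenset()     # empty means any application

    def matches(self, p: Packet) -> bool:
        if self.vlan is not None and p.vlan != self.vlan:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.apps and p.app not in self.apps:
            return False
        return True


def broker(rules, packets, default_port="ids"):
    """First matching rule wins, as in an ordered filter table; anything
    unmatched goes to the default tool port. Returns port -> packets."""
    out = {"dropped": []}
    for p in packets:
        for r in rules:
            if r.matches(p):
                if r.action == "drop":
                    out["dropped"].append(p)
                else:
                    out.setdefault(r.tool_port, []).append(p)
                break
        else:
            out.setdefault(default_port, []).append(p)
    return out


def drop_ratio(out) -> float:
    """Share of bytes kept away from the tools by the drop rules."""
    total = sum(p.length for pkts in out.values() for p in pkts)
    return sum(p.length for p in out["dropped"]) / total if total else 0.0


# Constructed filter table: exfiltration-relevant protocols go to the DLP,
# the research VLAN is recorded for forensics, streaming media is dropped.
RULES = [
    Rule("forward", "dlp", apps=frozenset({"ftp", "sftp", "smtp"})),
    Rule("forward", "forensics", vlan=10, src_net="10.20.0.0/16"),
    Rule("drop", apps=frozenset({"netflix", "hulu", "amazon_video", "pandora", "voip"})),
]

# Constructed traffic sample.
SAMPLE = [
    Packet(10, "10.20.1.5", "198.51.100.7", "tcp", 21, "ftp", 1500),
    Packet(20, "10.30.2.9", "203.0.113.10", "tcp", 443, "netflix", 1400),
    Packet(20, "10.30.2.11", "203.0.113.11", "udp", 5004, "voip", 200),
    Packet(10, "10.20.3.3", "192.0.2.5", "tcp", 443, "https", 900),
    Packet(30, "10.40.1.1", "192.0.2.8", "tcp", 22, "ssh", 600),
    Packet(30, "10.40.1.2", "198.51.100.9", "tcp", 25, "smtp", 800),
]

if __name__ == "__main__":
    result = broker(RULES, SAMPLE)
    for port, pkts in result.items():
        print(f"{port:9s} {len(pkts)} packets, {sum(p.length for p in pkts)} bytes")
    print(f"bytes dropped: {drop_ratio(result):.0%}")
```

Rule order matters: the FTP packet on VLAN 10 also matches the forensics rule, but the DLP rule sits first, so it goes where the exfiltration analysis happens. On a real broker you would keep the drop rules narrow and audit them, since anything dropped here is invisible to every downstream tool.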

High Availability Makes Inline Security Tool Deployments More Reliable

Solution summary

  • The average cost of network downtime is $7,790 per minute.
  • Use HA to create full redundancy (n+n) for inline deployments of NPBs and bypass switches.
  • Heartbeats enable super-fast fail-over between bypasses and NPBs.

Solution Overview

This solution illustrates how you can increase network reliability and security by implementing survivability. There are two common options. One is full redundancy, typically a primary and a standby set of tools. The second, commonly called n+1, keeps all tools connected and functioning with spare capacity. High-availability NPBs support out-of-band tools as well.

The full-redundancy option is highly effective at maintaining maximum network and tool uptime. You have a second copy of every component (bypass switch, packet broker, and tools) in the network, and if one component or path fails, the secondary equipment takes the load. While this option yields the highest availability, it comes at a high price: you double the cost of everything.

By using redundant external bypass switches and packet brokers, you can increase network uptime and reliability far beyond the level redundant tools alone provide. Also, the external bypass switch and packet broker can reliably connect the redundant tools in a more cost-effective and less complicated manner than special-purpose load-balancing devices. An external bypass approach has the benefits of delivering superior resilience because of its more granular failure detection, faster failover, and better application session integrity.

By deploying a redundant bypass switch and packet broker, you may not need a redundant set of tools. You could rely on the other equipment to provide reliability. This option could save you a lot of money since security tools can be expensive.

N+1 Redundancy Delivers Reliability at a Fraction of the Cost of High Availability

Solution summary

  • Deploy survivability to decrease risk and increase network security.
  • Inline deployments of NPBs and bypass switches using load balancing can create an n+1 survivability option.
  • This is a more cost-effective solution than HA but still delivers high reliability.

Solution Overview

Network security and monitoring tool survivability often means redundant tools, especially for inline deployments. An alternative to HA, however, is n+1 component redundancy. In this arrangement you do not keep a duplicate set of tools in standby waiting to take over if the primary equipment fails, but you also do not pay double for a redundant solution as you do with HA. Until now, cost has been a significant factor limiting survivability deployments.

In this solution, security and monitoring tools are assigned to a specific port group on an NPB, and traffic is distributed evenly across the port group according to the filtering criteria. When a tool stops answering heartbeat messages (inline) or its link goes down (out of band), the packet broker redistributes its traffic across the remaining tools in the port group. Once the failed tool is available again, the NPB resumes sending traffic to it.

For example, say you need four IPS tools to process your inline network traffic. In this case, you would add a fifth IPS. The packet broker would then load balance the traffic across all five IPS tools. Should any one of the tools fail, the packet broker can load balance the full load across any of the remaining four IPS tools. This approach provides a good level of survivability at a fraction of the cost of a fully redundant system.

If you would like to have more survivability, like an n+2 situation, you can do that as well — all the way up to a fully redundant set of tools. It depends on the level of risk you feel comfortable with and your budget.
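The distribution and failover behaviour described for the five-IPS port group, as an added Python example (not Ixia's load-balancing implementation). It uses rendezvous hashing over a direction-independent flow key, which keeps both halves of a session on the same IPS and, when one tool drops out, moves only that tool's flows; tool names and the 200 sample flows are constructed.

```python
import hashlib


def flow_key(src, dst, proto, sport, dport) -> bytes:
    """Direction-independent key so both halves of a session hash alike."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{proto}|{a[0]}:{a[1]}|{b[0]}:{b[1]}".encode()


class ToolGroup:
    """An n+1 port group: `needed` tools carry the load, the rest is headroom."""

    def __init__(self, tools, needed):
        self.tools = list(tools)
        self.needed = needed            # tools required to carry full load
        self.down = set()

    def active(self):
        return [t for t in self.tools if t not in self.down]

    def mark_down(self, tool):          # heartbeat missed / link down
        self.down.add(tool)

    def mark_up(self, tool):            # heartbeat answered again
        self.down.discard(tool)

    def pick(self, flow):
        """Rendezvous (highest-random-weight) hashing: every flow ranks every
        active tool and takes the top one, so losing a tool moves only the
        flows that were on it and leaves sessions on healthy tools untouched."""
        active = self.active()
        if not active:
            raise RuntimeError("port group empty: bypass must fail open or closed")
        key = flow_key(*flow)
        return max(active, key=lambda t: hashlib.sha256(key + b"#" + t.encode()).digest())

    def assignment(self, flows):
        return {flow: self.pick(flow) for flow in flows}

    def survivable(self):
        """Still enough tools to carry the full load?"""
        return len(self.active()) >= self.needed


def failover_report(group, flows, failed):
    """Take one tool out, measure what moved, then bring it back."""
    before = group.assignment(flows)
    group.mark_down(failed)
    after = group.assignment(flows)
    moved = [f for f in flows if before[f] != after[f]]
    report = {
        "on_failed_before": sum(1 for f in flows if before[f] == failed),
        "moved": len(moved),
        "moved_only_from_failed": all(before[f] == failed for f in moved),
        "still_survivable": group.survivable(),
        "after": {t: sum(1 for f in flows if after[f] == t) for t in group.active()},
    }
    group.mark_up(failed)   # tool returns: its share is restored automatically
    return report


# Constructed flows: 200 client sessions to one web server (src, dst, proto, sport, dport).
FLOWS = [(f"10.1.{i // 50}.{i % 50 + 1}", "203.0.113.5", "tcp", 40000 + i, 443) for i in range(200)]

if __name__ == "__main__":
    g = ToolGroup([f"ips-{i}" for i in range(1, 6)], needed=4)   # 4 needed, 5 deployed
    print(failover_report(g, FLOWS, "ips-3"))
```

With a plain `hash % len(active)` scheme, removing one tool reshuffles most flows and every IPS loses its session state for them; rendezvous hashing confines the disruption to the failed tool's share, which is the behaviour you want from an inline port group. `survivable()` is the check to alarm on: once more tools are down than the spare capacity covers, the group is overloaded even though it is still forwarding.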

Easily Enable Appliance-Based SSL Inline Decryption with an NPB

Solution summary

  • Up to 50% of all network security attacks in 2017 used encrypted traffic to bypass security controls.
  • Expose hidden threats with active decryption technology, such as A10 and Blue Coat.
  • NPBs allow encrypted data to be distributed to decryption devices and the now-unencrypted data to be distributed to tools such as an NGFW, IPS, and DLP.

Solution Overview

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption are standards-based technologies for transmitting private information. They protect data packets from inspection or corruption by unauthorized users. They use a combination of public-key and symmetric-key encryption to create an encrypted link between a server (typically a website or mail server) and a client (typically a browser or mail client). For most organizations, SSL traffic is already a significant proportion of their total web traffic. Many vertical market segments are subject to rigorous compliance protocols, such as the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996, that demand SSL encryption. Such regulations aim to protect sensitive data traveling to banking-, merchant-, and healthcare-related websites.

Direct tangible threats in SSL-encrypted traffic include malicious code disguised by the encryption process. This malware is particularly sophisticated and likely to be part of an advanced, sustained attack on an organization. For example, in 2014, researchers found that Dyre malware was capable of capturing and transmitting data before encryption occurs. Another example is the Zeus botnet, which uses SSL communications to upgrade itself.

Encryption hides other threat indicators as well, for example signs that a malicious party is probing or scanning the network for vulnerabilities. These are evidence of potential intrusion attempts and include anomalies in traffic flows, such as traffic taking a path it would not normally take or unusual traffic volume. Without seeing what is inside the encrypted traffic, identifying these anomalies is far more difficult.

An NPB can pass the encrypted traffic to an SSL decryption appliance. This solution offers complete visibility and control of encrypted traffic without requiring the re-architecture of your network infrastructure. You can add policy-based SSL inspection and management capabilities to your network security architecture to remove encrypted traffic blind spots. In addition to this SSL decryption method, there is also an integrated NPB approach described elsewhere.

Simplify Inline SSL Decryption Using an NPB with Integrated Decryption

Solution summary

  • The use of encryption to hide malware is proliferating. As of 2017, more than half of network attacks hid in SSL-encrypted traffic.
  • SSL inspection generates a significant performance overhead on security tools.
  • An NPB with integrated SSL/TLS decryption offloads this burden from the security tools.

Solution Overview

Most enterprise applications use SSL encryption, or its successor TLS, to thwart attacks. Unfortunately, bad actors have adapted to these defenses and use encryption to their own advantage, increasingly obfuscating malware with encryption; in fact, over half of the network attacks recorded in 2017 were hidden in SSL-encrypted traffic.

Integrated decryption capabilities, along with application intelligence, can provide an easy and cost-effective way to examine suspect data. For instance, there is no need to have a SIEM try to correlate information from multiple sources, direct data to and from decryption tools, and then track the flow of information to security and analysis tools. With an integrated decryption approach, data decryption happens at the NPB. Then the NPB forwards the data straight to special-purpose tools. Encryption details are available from NetFlow to the SIEM or other devices.

The NPB has no impact on application performance. For example, this capability can decrypt the Simple Mail Transfer Protocol (SMTP) traffic and hand it off to an antivirus tool for virus and malware inspection. Other decrypted data passes to a DLP device for deep packet inspection. This process does not require any other resources on a firewall or other device.

Encryption also makes troubleshooting and performance monitoring much more difficult. Integrated decryption capability allows the NPB to quickly perform this function and forward the clear data to the right troubleshooting tools for analysis. Another benefit of an integrated decryption approach is that you can easily get a better understanding of the strength of your network encryption. Are your apps using strong encryption algorithms, or is there a mixture of strong and weak? This approach lets you know.
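The "strong or weak encryption?" question at the end of this section can be answered from the handshake itself, before any decryption: the ClientHello carries the server name, the offered versions, and the offered cipher suites in the clear. The parser below is an added Python example, not Ixia code; it builds a minimal ClientHello as test input (no capture is used), parses it, and grades the offered suites against a small subset of the IANA registry. The grading rules (RC4, 3DES, MD5, NULL, EXPORT and anonymous suites as weak; static RSA key exchange as legacy because it lacks forward secrecy) are the author's assumptions for the demonstration.

```python
import struct

# Subset of the IANA cipher-suite registry (code point -> name).
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0, 43


def grade(name: str) -> str:
    """weak = broken primitive; legacy = static RSA key exchange (no forward secrecy)."""
    if name.startswith("unknown"):
        return "unknown"
    if any(w in name for w in ("RC4", "3DES", "NULL", "EXPORT", "_MD5", "anon")):
        return "weak"
    if name.startswith("TLS_RSA_"):
        return "legacy"
    return "strong"


def build_client_hello(sni: str, suites, versions=None) -> bytes:
    """Construct a minimal ClientHello record (test input, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"                     # legacy_version, random, empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"        # cipher_suites, null compression only
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = struct.pack("!HH", EXT_SNI, len(sni_ext)) + sni_ext
    if versions:
        vs = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vs) + 1) + bytes([len(vs)]) + vs
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # ContentType handshake


def parse_client_hello(data: bytes) -> dict:
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    b = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(b) < 35:
        raise ValueError("truncated ClientHello")
    legacy = struct.unpack("!H", b[0:2])[0]
    pos = 2 + 32                                                  # skip random
    pos += 1 + b[pos]                                             # session_id
    n = struct.unpack("!H", b[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", b[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + b[pos]                                             # compression_methods
    sni, versions = None, []
    if pos + 2 <= len(b):                                         # extensions are optional
        end = pos + 2 + struct.unpack("!H", b[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", b[pos:pos + 4])
            ed = b[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SNI and len(ed) >= 5:                 # list len, name type, name len, name
                hl = struct.unpack("!H", ed[3:5])[0]
                sni = ed[5:5 + hl].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and ed:          # 1-byte list len, then versions
                versions = [struct.unpack("!H", ed[i:i + 2])[0] for i in range(1, 1 + ed[0], 2)]
    names = [SUITES.get(s, f"unknown_0x{s:04x}") for s in suites]
    grades = [grade(nm) for nm in names]
    return {
        "sni": sni,
        "versions": [VERSIONS.get(v, hex(v)) for v in versions] or [VERSIONS.get(legacy, hex(legacy))],
        "suites": names,
        "counts": {g: grades.count(g) for g in ("strong", "legacy", "weak", "unknown")},
        "weakest": "weak" if "weak" in grades else ("legacy" if "legacy" in grades else "strong"),
    }


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com", [0x1301, 0xC02F, 0x002F, 0x0005], [0x0304, 0x0303])
    print(parse_client_hello(hello))
```

Two caveats for using this on real traffic: the offered list is only what the client is willing to accept, so pair it with the ServerHello to see what was actually negotiated, and in TLS 1.3 the SNI may be encrypted (ECH), at which point only a decrypting NPB or the endpoint itself can tell you the name.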

Threat Intelligence Gateways Reduce False-Positive Security Alerts

Solution summary

  • Security teams at large enterprises waste more than 20,000 hours per year chasing false-positive alerts.
  • Pre-filter unwanted traffic to reduce the workload for monitoring tools by up to 80%. This also reduces false positives of security breaches.
  • Generate a return on investment (ROI) of up to 15 times.

Solution Overview

Even with firewalls, IPS tools, and a wide array of other security tools in place, businesses still miss clues and suffer major breaches every day. Why? The sheer volume of alerts generated places a huge processing drain on the security team and the infrastructure itself. This translates into wasted time and money, as well as an increased risk of falling victim to an attack.

A 2015 Ponemon Institute report found that security teams at large enterprises waste more than 20,000 hours per year chasing false-positive alerts. By eliminating up to 80% of the SIEM alerts generated by unwanted traffic such as botnets and ransomware, threat intelligence can save companies thousands of hours per year; for one Ixia customer, that translated into an ROI of 15 times.

By pre-filtering known bad IP addresses and traffic from untrusted countries, you can stop unwanted traffic from ever reaching the firewall. Blocking large volumes of traffic based on IP address, location, and bad behavior enhances your security architecture performance and reduces your team’s “alert fatigue.” Automatic system updates eliminate the need for manual updates of known bad IP addresses. This saves hours of configuration time over a firewall approach. Ixia’s solution, ThreatARMOR, detects infected systems to thwart attempts to contact command and control infrastructure or exfiltrate your valuable data and intellectual property.

Serial Tool Chaining of Data Improves the Data Inspection Process

Solution summary

  • Send data to tools sequentially for detailed analysis of suspicious data.
  • Serial data chaining can be powerful but is hard to implement without an NPB.
  • Preset NPB toolchains ensure that actions occur in the proper sequence.

Solution Overview

Tool chaining is a powerful solution for automating the sequential movement of data packets in security monitoring solutions. It partitions out suspect data and passes that data through additional security inspections. The NPB enables this functionality. Suspect data passes back and forth between an NPB and multiple security tools (such as an IDS, DLP, SSL decryptor, WAF, and NGFW). Security tool chaining delivers the interoperability needed to make network security protection mechanisms truly successful.

Security and monitoring tools can link together using software provisioning to control the flow of data through the selected services. The data inspection can occur in parallel or serial paths, depending on the situation. One or more tools assigned to a port or port group on the NPB ensures the proper flow of data. A well-designed NPB can support complex service chaining with many tool groups in parallel, serial, or a combination.

For example, data passes to the NPB from the bypass switch. You can filter encrypted traffic by protocol, for example sending Hypertext Transfer Protocol Secure (HTTPS) traffic to a decryption device. Once the decrypted data returns to the NPB from the SSL decryptor, it can pass to an IPS for inspection. Packets without anomalies move along quickly to keep response time low. A common arrangement uses the IPS to pick out suspicious traffic for further analysis by other tools in the chain: traffic that raises no exception goes straight back to the network, minimizing latency, while the NPB sends traffic flagged for additional inspection to another port group containing a DLP or some other device. Based on that analysis, the data is dropped, deemed non-threatening and passed on into the network, or held for further analysis or quarantine.
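The decryptor, IPS, DLP chain just described, as an added Python example of how a broker can express a service chain as data (not Ixia's provisioning format). Each stage is a tool callable returning a verdict, an optional predicate saying whether a packet visits it at all, and a map from verdict to next hop; "network" and "drop" are terminal. The signatures, DLP patterns and packets are constructed, and "decryption" is a base64 decode standing in for TLS termination.

```python
import base64
import re

# Constructed detection content. IPS signatures look for attack patterns,
# DLP patterns for data that must not leave (SSN-style and 16-digit card numbers).
IPS_SIGNATURES = [re.compile(rb"(?i)union\s+select"), re.compile(rb"\.\./\.\./")]
DLP_PATTERNS = [re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"), re.compile(rb"\b4\d{15}\b")]


def decryptor(pkt):
    # Stand-in for TLS termination: in this demo an "encrypted" payload is base64.
    pkt["payload"] = base64.b64decode(pkt["payload"])
    return "pass"


def ips(pkt):
    return "suspect" if any(s.search(pkt["payload"]) for s in IPS_SIGNATURES) else "pass"


def dlp(pkt):
    return "drop" if any(p.search(pkt["payload"]) for p in DLP_PATTERNS) else "pass"


# The chain as the NPB would provision it. Only HTTPS visits the decryptor;
# only IPS-flagged packets pay for the DLP hop; clean traffic exits early.
CHAIN = {
    "decryptor": {"tool": decryptor, "only_if": lambda p: p["proto"] == "https",
                  "skip_to": "ips", "on": {"pass": "ips"}},
    "ips":       {"tool": ips, "on": {"pass": "network", "suspect": "dlp"}},
    "dlp":       {"tool": dlp, "on": {"pass": "network", "drop": "drop"}},
}


def run_chain(pkt, entry="decryptor", chain=CHAIN):
    """Walk the packet through the chain; return (final disposition, hops taken)."""
    pkt = dict(pkt)                      # tools may rewrite the payload; keep the caller's copy
    stage, path = entry, []
    while stage not in ("network", "drop"):
        spec = chain[stage]
        if "only_if" in spec and not spec["only_if"](pkt):
            stage = spec["skip_to"]
            continue
        verdict = spec["tool"](pkt)
        path.append(f"{stage}:{verdict}")
        stage = spec["on"][verdict]      # KeyError here means a tool returned an unprovisioned verdict
    return stage, path


def enc(plain: bytes) -> bytes:
    return base64.b64encode(plain)


# Constructed traffic. Only the suspicious packets pay for the extra DLP hop.
SAMPLE = [
    {"id": 1, "proto": "http", "payload": b"GET /index.html HTTP/1.1"},
    {"id": 2, "proto": "https", "payload": enc(b"GET /q?id=1 UNION SELECT ssn FROM staff -- 123-45-6789")},
    {"id": 3, "proto": "https", "payload": enc(b"GET /files/../../etc/passwd")},
    {"id": 4, "proto": "http", "payload": b"POST /login user=admin"},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["id"], *run_chain(p))
```

Packet 1 takes a single hop and is back on the wire; packet 2 is decrypted, flagged by the IPS, and dropped by the DLP because the response would carry an SSN; packet 3 is flagged but released because the DLP finds nothing sensitive. Keeping the verdict-to-next-hop map explicit is what makes the sequence auditable: a verdict no one provisioned fails loudly instead of silently forwarding.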

Self-Healing Inline Security Architectures Maximize Network Availability

Solution summary

  • Business IP traffic will grow by a factor of nearly three between 2016 and 2021.
  • Heartbeat technology in NPBs and bypass switches can help create a self-healing architecture.
  • Negative heartbeats can validate that firewalls are working correctly.

Solution Overview

Today’s data networks are crucial to a typical business as they affect employee productivity, e-commerce, communications, and more. Because of this, data networks need more reliability. Implementing bypass switches, inline NPBs, and HA architectures are part of the solution. Another part of the solution is to create self-healing networks.

For instance, link-state awareness in a bypass switch or NPB provides HA for tool failures that take a link down, but other failures occur without downing a link. Heartbeat checking monitors the health of attached inline devices by transmitting small heartbeat packets at regular intervals out of the bypass or NPB ports that connect to the security tool, such as an IPS. The IPS should pass the packet back to the transmitting device. If the bypass or NPB does not receive the returning heartbeat packets within a heartbeat interval, and after a specified number of retries, the IPS is considered down. Typical heartbeat intervals are 100 milliseconds with a minimum of two retries, but this is customizable. The NPB continues to issue heartbeat packets to the IPS, and once returning heartbeat packets are acknowledged again, traffic resumes flowing to the IPS, creating a self-healing loop. If the heartbeat is not received and only a bypass is installed, with no redundant IPS, the bypass can initiate a failover to keep the network up. Once heartbeat messaging returns, the bypass disengages.

Multiple layers of heartbeat messaging are available, for instance one layer between the bypass switch and the NPBs and a second between the NPBs and the tools. Different heartbeat signals also exist. The case just described is the normal heartbeat. A second type is the negative heartbeat: the NPB sends a "threat" heartbeat to a firewall, which should block it since it is a threat. If the firewall starts to pass the heartbeat, either there is a configuration error on the firewall or it is in failure mode, letting packets through freely. If the NPB detects negative heartbeats coming back, it stops sending traffic to that firewall because there is a problem. If the heartbeat cannot penetrate the firewall, the tool is alive and working as expected.
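The two heartbeat types and the self-healing loop above, as an added Python example of the state tracking a bypass switch or NPB would keep (not Ixia firmware). Timing is driven by explicit millisecond timestamps so the logic is deterministic offline; the 100 ms interval and two retries follow the text, and the tool names and the scenario timeline are constructed.

```python
from dataclasses import dataclass


@dataclass
class ToolState:
    up: bool = True
    misses: int = 0
    reason: str = ""


class HeartbeatMonitor:
    """Tracks inline tools the way a bypass switch or NPB would: a tool is
    declared down after the initial heartbeat plus `retries` retries go
    unanswered, and back up on the first heartbeat that returns."""

    def __init__(self, interval_ms=100, retries=2):
        self.interval_ms = interval_ms
        self.retries = retries
        self.tools = {}
        self.events = []                 # (time_ms, tool, event)

    def state(self, tool) -> ToolState:
        return self.tools.setdefault(tool, ToolState())

    def heartbeat(self, tool, returned: bool, t_ms: int) -> bool:
        """Normal heartbeat: the tool must pass the probe packet back."""
        s = self.state(tool)
        if returned:
            if not s.up:
                self.events.append((t_ms, tool, "up"))
            s.up, s.misses, s.reason = True, 0, ""
        else:
            s.misses += 1
            if s.up and s.misses > self.retries:
                s.up = False
                s.reason = f"{s.misses} heartbeats unanswered in {s.misses * self.interval_ms} ms"
                self.events.append((t_ms, tool, "down: " + s.reason))
        return s.up

    def negative_heartbeat(self, firewall, passed: bool, t_ms: int) -> bool:
        """A probe crafted to look like a threat: a healthy firewall blocks it.
        If it comes through, the firewall is failing open or misconfigured."""
        s = self.state(firewall)
        if passed and s.up:
            s.up = False
            s.reason = "negative heartbeat passed: firewall open or misconfigured"
            self.events.append((t_ms, firewall, "down: " + s.reason))
        elif not passed and not s.up and s.reason.startswith("negative"):
            s.up, s.reason = True, ""
            self.events.append((t_ms, firewall, "up"))
        return s.up

    def action(self, tool, redundant_available: bool) -> str:
        """What the NPB/bypass does with traffic for this tool right now."""
        if self.state(tool).up:
            return "forward"
        return "redistribute" if redundant_available else "bypass"


def run_scenario():
    """Constructed timeline: an IPS stops answering, recovers, and a firewall
    later begins letting the negative heartbeat through."""
    m = HeartbeatMonitor(interval_ms=100, retries=2)
    for t in (0, 100, 200):                              # initial miss plus two retries
        m.heartbeat("ips-1", returned=False, t_ms=t)
    m.heartbeat("ips-1", returned=False, t_ms=300)       # already down; no duplicate event
    m.heartbeat("ips-1", returned=True, t_ms=400)        # self-heals on the first reply
    m.negative_heartbeat("fw-1", passed=False, t_ms=400) # healthy: the threat was blocked
    m.negative_heartbeat("fw-1", passed=True, t_ms=500)  # fail-open: stop trusting it
    return m


if __name__ == "__main__":
    for ev in run_scenario().events:
        print(*ev)
```

Note the asymmetry the text implies: a normal heartbeat going missing means the tool is not forwarding, so with no redundant tool the bypass must choose fail-open (keep the network up, lose inspection) or fail-closed; a negative heartbeat coming back means the tool is forwarding everything, which is worse, and the only safe action is to stop sending it traffic until it blocks the probe again.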

Protect Your Network with an NPB and a Honeypot

Solution summary

  • Since security threats continue to morph, the deception technology market continues to grow at a compound annual growth rate of 9%.
  • Decrease IPS false negatives and positives by deploying a honeypot.
  • You can use an NPB to divert suspect traffic to a honeypot for further analysis.

Solution Overview

A honeypot is a purpose-built security device for luring in attackers who are already in the network and studying how they got in, what they are looking for, and which threat vectors they use. It is often separate from the main corporate network, but it should mimic the production environment to provide a realistic experience.

Another use case, for some professional security organizations and agencies, is distributed honeypots that lure attackers in. This deployment scenario is an out-of-band use case for determining whether, and where, the network has been infiltrated.

You can use a properly designed visibility architecture with inline bypass switches and NPBs to capture network data associated with a breach and direct it to specific security tools, such as an IPS or DLP, for analysis. Once suspicious data is identified, it is either dropped or directed to the honeypot for analysis. Honeypots can also take load off your IPS and decrease the number of false positives and false negatives.

The IPS, which connects to a SIEM, determines the criteria for flagging bad data. Based on that exchange, the SIEM typically decides that the data from a particular IP address is bad and communicates that to the IPS, which can tell the NPB that data with a specific source and destination IP address is bad. The NPB can then send that data out through a tool port to the honeypot. Alternatively, the SIEM can communicate directly with the NPB through a Representational State Transfer (REST) interface to divert that packet data to the honeypot.

Save Time and Money When Deploying ASA Firewall Migrations

Solution summary

  • Between 5% and 10% of all network downtime is associated with network maintenance.
  • Use a bypass switch for fail-safe migrations to Cisco Firepower security appliances.
  • Cut deployment times for Firepower upgrades from four hours per tool to four minutes.

Solution Overview

Network architectures continually change. One of the newest improvements is to add an NGFW to increase application security. Other solutions, such as an IPS, have been around longer. The list of inline security tools is growing rapidly. ZK Research estimates that enterprises deploy an average of 32 security solutions on their networks. If you deploy inline tools directly onto the network, maintenance becomes a nightmare. The simplest and most effective remedy is to insert bypass switches before the devices, providing an easy fail-over mechanism for maintenance-related activities.

Maintenance windows are precious. A window is usually only a few hours, the downtime requires scheduling and approval by a change control board, and the period between windows can last for weeks. IT teams therefore need to take full advantage of every window. When it comes time to upgrade your Cisco Adaptive Security Appliance (ASA) to a dedicated Firepower appliance, you want to minimize the time spent configuring a resilient path for Firepower upgrades. A typical IPS installation can take two to four hours, which is a lot of downtime.

The solution is to install an Ixia external bypass switch, which takes only about four minutes since it is already preconfigured for Cisco solutions. This allows you to cut deployment time for a Firepower upgrade from four hours per tool to four minutes. Using the bypass switch in tap mode, traffic flows through your live network while also being replicated to the Firepower IPS. Once IPS configuration and testing finish, the tool is inserted inline with no further network disruption. The network downtime benefits of using an external bypass are significant when you have dozens of IPS upgrades.

SIEM Integrations Automate Threat Detection and Mitigation

Solution summary

  • SIEMs use log data to detect anomalies.
  • NPBs can automatically respond to SIEM REST calls with near real-time actions.
  • Faster responses to problems result in faster incident detection, faster mean time to resolution (MTTR), and reduced risk.

Solution Overview

Dynamically changing security threats mean that what an enterprise needs to monitor is constantly changing. Increasing network speeds also make it impractical to perform deep packet inspection on all traffic. Automation of network monitoring allows you to align your tools with dynamic network changes to increase operational efficiencies and create an adaptive monitoring environment.

SIEM solutions can assist in this area. They record log data of what machines are doing. SIEMs then aggregate, analyze, and correlate the log data to detect anomalies. However, SIEMs do not provide packet-level visibility to analyze anomalies in detail. While most enterprises use SIEMs for reporting and compliance, mitigation is an up-and-coming use case. Packet-based tools such as forensic recorders, IDS, and sandbox solutions provide needed detail, but often it is impractical to deploy them everywhere.

SIEM integration allows customers to leverage their investments in SIEM and packet-based tools to dynamically adjust what they monitor and protect. SIEM solutions on the market include IBM QRadar, Micro Focus ArcSight, LogRhythm, and McAfee. Manual processes require automation to speed incident detection and mitigation. Operational expenditures (OPEX) and capital expenditures (CAPEX) costs can also see reductions.

This adaptive monitoring solution allows the automated data center controller to send commands to an NPB using a RESTful interface to initiate various functions (for example, apply filters or add connections to more tools) in response to external commands. REST application programming interface (API) calls from the SIEM reconfigure the NPB to send traffic of interest to any connected security tool.
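The SIEM-driven REST reconfiguration described here, and the honeypot diversion described earlier in the IPS/SIEM/NPB exchange, both reduce to the same automation loop: take a SIEM alert, turn it into an NPB filter keyed on a source and destination IP pair, and push that filter to the NPB so matching packets go to a tool port. The following Python is an added example, not Ixia code: the NPB URL, the filter JSON schema, the tool port name `P12`, the protected-network allowlist and the sample alerts are all constructed placeholders (a real NPB has its own REST API, which this does not reproduce). It uses a stand-in HTTP client so it runs offline; swapping in a `requests.Session` would exercise the same `post`/`delete` calls against a real endpoint. It also shows two safeguards a practitioner would want before letting a SIEM steer packet flows automatically: only confident (high/critical) detections trigger a diversion, and traffic to or from protected infrastructure is never diverted, even if flagged.

```python
"""Automate SIEM-to-NPB diversion of suspect traffic to a honeypot tool port.

Added example, not Ixia code. Endpoint path, JSON schema, port names and
alerts below are hypothetical placeholders for illustration only.
"""
import ipaddress
import json
from typing import Optional

# Hypothetical NPB REST resource (placeholder, not a real product API).
NPB_FILTERS_URL = "https://npb.example.internal/api/filters"
HONEYPOT_TOOL_PORT = "P12"  # constructed: the tool port wired to the honeypot

# Constructed allowlist: infrastructure whose traffic must never be diverted
# even if the SIEM flags it (e.g. DNS resolvers, the SIEM collector itself).
PROTECTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]


class FakeNpbClient:
    """Stand-in for an HTTP client (requests.Session-like) so the example runs offline."""

    def __init__(self):
        self.calls = []  # record of (method, url, body) for inspection

    def post(self, url, json=None):
        self.calls.append(("POST", url, json))
        return {"status": 201, "id": f"flt-{len(self.calls)}"}

    def delete(self, url):
        self.calls.append(("DELETE", url, None))
        return {"status": 204}


def parse_siem_alert(raw: str) -> dict:
    """Parse a SIEM alert (constructed JSON) and validate its IP fields."""
    alert = json.loads(raw)
    return {
        "src": ipaddress.ip_address(alert["src_ip"]),   # raises on malformed input
        "dst": ipaddress.ip_address(alert["dst_ip"]),
        "severity": alert.get("severity", "low"),
    }


def is_protected(ip) -> bool:
    return any(ip in net for net in PROTECTED_NETS)


def build_filter_payload(alert: dict) -> Optional[dict]:
    """Translate an alert into an NPB filter definition (hypothetical schema)."""
    if alert["severity"] not in ("high", "critical"):
        return None  # only divert on confident detections
    if is_protected(alert["src"]) or is_protected(alert["dst"]):
        return None  # never divert protected infrastructure
    return {
        "name": f"divert-{alert['src']}-{alert['dst']}",
        "criteria": {"src_ip": str(alert["src"]), "dst_ip": str(alert["dst"])},
        "dest_ports": [HONEYPOT_TOOL_PORT],
        "mode": "pass_by_criteria",
    }


class DiversionManager:
    """Keeps track of active diversions so repeated alerts do not pile up filters."""

    def __init__(self, client):
        self.client = client
        self.active = {}  # filter name -> NPB filter id

    def handle_alert(self, raw: str) -> Optional[str]:
        payload = build_filter_payload(parse_siem_alert(raw))
        if payload is None or payload["name"] in self.active:
            return None  # suppressed, or already diverted
        resp = self.client.post(NPB_FILTERS_URL, json=payload)
        self.active[payload["name"]] = resp["id"]
        return resp["id"]

    def revoke(self, name: str) -> Optional[str]:
        """Remove a diversion once the investigation is finished."""
        fid = self.active.pop(name, None)
        if fid:
            self.client.delete(f"{NPB_FILTERS_URL}/{fid}")
        return fid


# Constructed sample alerts: one actionable, one duplicate, one low severity,
# one touching a protected resolver address.
SAMPLE_ALERTS = [
    '{"src_ip": "203.0.113.5", "dst_ip": "192.0.2.10", "severity": "high"}',
    '{"src_ip": "203.0.113.5", "dst_ip": "192.0.2.10", "severity": "high"}',
    '{"src_ip": "198.51.100.7", "dst_ip": "192.0.2.20", "severity": "low"}',
    '{"src_ip": "10.0.0.53", "dst_ip": "192.0.2.30", "severity": "critical"}',
]


def run_demo():
    """Feed the sample alerts through the manager; returns (filter ids, manager)."""
    mgr = DiversionManager(FakeNpbClient())
    ids = [mgr.handle_alert(a) for a in SAMPLE_ALERTS]
    return ids, mgr


if __name__ == "__main__":
    ids, mgr = run_demo()
    print("diversions created:", ids)          # one real filter, three suppressed
    print("NPB calls:", mgr.client.calls)
```

Only the first alert results in a filter being pushed to the NPB; the duplicate, the low-severity alert and the one involving a protected address are suppressed locally. Calling `revoke` with the filter name issues the corresponding DELETE, which is the step that returns the NPB to its normal forwarding once forensic capture is complete.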

Conclusion

Creating visibility into your network is key to maintaining a secure network architecture. Yet many organizations have numerous blind spots that prevent true network visibility. Common reasons for blind spots include departmental silos, virtualization technology, rogue IT, SPAN port usage, new equipment, and overall network complexity.

It is not enough to purchase ever-growing numbers of security tools to better protect a network. A visibility architecture is a way to see the network more clearly, organize your network monitoring strategy, and then integrate that strategy with other strategies — such as network security. Data filtering, external bypass switches, application intelligence, and HA configurations enable you to gain network visibility and better secure your network.

Source: Ixia