Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Martin Roesch of Netography examines why cybersecurity struggles with network visibility, and what can be done about it.
For the better part of a decade, SecOps has focused on the SOC visibility triad: the ideal of obtaining visibility into logs, endpoints, and the network through a variety of specialized solutions. Unfortunately, traditional network security solutions, such as network detection and response (NDR), have been unable to keep pace with digital transformation trends such as cloud migration. The slow and steady adoption of the cloud, combined with the sudden and irrevocable shift to work from anywhere, has atomized the network.
To understand this atomization is to understand why network security solutions built on legacy architectures are no longer practical. In short, a dispersed, multi-cloud computing model is beyond the reach of legacy technology; the widespread use of encryption hides traffic payloads from the deep packet inspection these solutions depend on; and deploying and managing appliances or sidecars, and the alerts they produce, has become increasingly complex and time-consuming.
Networks are Hybrid and Multi-cloud in Practice
Within dispersed environments, users can access corporate data in cloud applications from their personal devices, often with no clear boundaries between them. Users, devices, applications, and data are everywhere. Cloud computing tends to magnify this complexity, while its on-demand capabilities and the unmanaged nature of many devices, both on-premises and remote, contribute to the ephemeral nature of this environment. These unmanaged devices include the personal devices of remote workers, as well as IoT devices, networking devices (e.g., switches and routers), and devices connected to complex operational technology (OT) environments.
As a result, security and management solutions also tend to be dispersed across a diverse set of teams, responsibilities, and tools. Consequently, organizations typically have a fractured view of their environment. Solutions such as NDR fail to address blind spots because they are unable to provide visibility into many cloud services and unmanaged devices.
Encryption Blinds Legacy Security Technology
Encryption is both a solution and a problem. NDR solutions cannot inspect traffic they cannot decrypt, and workarounds for this (such as decryption proxies or key escrow) tend to be complex and costly to implement. It is vital for organizations to retain some level of visibility into this traffic, because privileged access is almost always carried over encrypted channels: a threat actor who takes control of a valuable account can operate without being detected if no security technology observes that traffic due to the deployment limitations of the tooling. This is not to say that organizations should abandon encryption, but it does mean that they need to bring their visibility capability up to the maturity level of their encryption.
Legacy Solutions are Complex to Deploy and Time-Consuming to Manage
When security teams analyze the effectiveness of traditional network security solutions, many find that they have gaps in coverage because they cannot deploy sensors everywhere. Decisions tend to be made balancing risk with a budget, which frequently results in NDR deployments into data centers and nowhere else. Deploying sensors and agents on cloud workloads is expensive and technically challenging. Unfortunately, when an event happens outside the purview of these sensors, a security analyst is left in a fog.
Even when NDR solutions are able to inspect traffic, detection often falls short because they lack granular policy management. Security teams should already have operational policies that dictate the expected communication patterns of devices and users. For example, they know that an operational technology (OT) device should never connect to an address outside the RFC 1918 private ranges (that is, to anything on the public Internet), but NDR solutions cannot express rules on this sort of criteria because they cannot combine traffic with asset context such as a device's role.
Go With the Flow – NetFlow Data
Next-generation firewalls (NGFWs) and intrusion prevention systems (IPS) face the same problems outlined above. Essentially, any solution that relies on deep packet inspection (DPI) delivered through a hardware appliance is ill-equipped for the realities of a modern network. Consequently, many organizations are struggling with visibility into their network. The good news is that organizations have become aware of these challenges and are ready to face them. But how?
It turns out there is a more innovative approach to examining network traffic in order to detect and protect against attacks. If we refer back to the SOC visibility triad, organizations can leverage metadata in the form of NetFlow data for network intelligence in the same way they leverage logs for security information and event management (SIEM).
NetFlow data is a digital record of network connections, which includes source and destination IP, traffic volume, and the type of service used (among other details, such as ports, protocol, and timestamps), but not the payload itself, which is why encryption does not blind it. NetFlow data can be obtained from multiple sources at once, and, when enriched with context, provides a comprehensive and real-time view of the network. This sort of real-time monitoring enables organizations to detect advanced attacks that may otherwise go undetected. Furthermore, NetFlow data provides a historic record for SOC teams tasked with incident response and threat hunting. Having the ability to retrospectively research network activity enables organizations to stay a few steps ahead of threats. NetFlow data also enables security teams to keep pace with the speed of change in modern networks, as these digital records can be obtained from on-premises and cloud environments alike.
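The following is an added example (not code from the article or from Netography) of the kind of context-aware policy the article says legacy NDR cannot express: flow records are parsed, enriched with a device-role inventory, and every flow in which an OT asset talks to a non-RFC 1918 peer is flagged. It generalizes the article's rule slightly by checking both directions of the conversation, not only OT-initiated connections. The flow records, the asset inventory and the field names are constructed for illustration; real enrichment would come from a CMDB or IPAM, and real records from a NetFlow/IPFIX collector.

```python
import csv
import io
import ipaddress

# RFC 1918 private ranges, listed explicitly. ipaddress.ip_address(...).is_private
# is broader (loopback, link-local, documentation ranges, and in newer Python
# versions 100.64.0.0/10), so relying on it would silently widen the policy.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    """True only for IPv4 addresses inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


# Constructed asset inventory (hypothetical). This is the "context" the article
# refers to: the same flow means something different for an OT controller than
# for an office workstation.
ASSETS = {
    "10.20.0.15": "ot",
    "10.20.0.16": "ot",
    "10.1.5.40": "workstation",
}

# Constructed flow export in a flat CSV shape carrying the fields the article
# lists (source/destination IP, traffic volume, type of service) plus ports and
# IP protocol. Sample records, not real captures.
FLOW_CSV = """\
src,dst,sport,dport,proto,bytes,tos
10.20.0.15,10.20.0.1,49152,502,6,1200,0
10.20.0.16,203.0.113.77,51000,443,6,84210,0
10.1.5.40,203.0.113.77,52000,443,6,9000,0
10.20.0.15,198.51.100.3,53000,53,17,140,0
203.0.113.5,10.20.0.16,40022,22,6,3100,0
"""


def parse_flows(text: str) -> list[dict]:
    """Parse CSV flow records into dicts, converting numeric fields to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "proto", "bytes", "tos"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def ot_egress_violations(flows: list[dict], assets: dict) -> list[dict]:
    """Flag any flow where an OT asset is one endpoint and the other endpoint
    lies outside RFC 1918 space, whether the OT device initiated it or not."""
    hits = []
    for f in flows:
        for local, peer in (("src", "dst"), ("dst", "src")):
            if assets.get(f[local]) == "ot" and not is_rfc1918(f[peer]):
                hits.append({
                    "rule": "ot-peer-not-rfc1918",
                    "ot_asset": f[local],
                    "peer": f[peer],
                    "direction": "outbound" if local == "src" else "inbound",
                    "dport": f["dport"],
                    "proto": f["proto"],
                    "bytes": f["bytes"],
                })
                break  # one verdict per flow record
    return hits


if __name__ == "__main__":
    for hit in ot_egress_violations(parse_flows(FLOW_CSV), ASSETS):
        print(hit)
```

Run against the sample export, this flags the two OT-initiated connections to public addresses (one over TCP/443, one DNS over UDP) and the inbound SSH session from a public address to an OT device, while the Modbus flow (TCP/502) between two private addresses and the workstation's HTTPS traffic pass. The same records, without the asset inventory, would not be distinguishable from ordinary user browsing, which is the point the article makes about context.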
Final Thoughts on Network Visibility
Fortunately, there is no need to capture and inspect full packets when visibility into network traffic can be obtained from the metadata the network already produces. Modern enterprise networks lend themselves to modern solutions that go beyond relying on DPI. NetFlow-based methods provide a more scalable, flexible, and comprehensive path to achieving visibility into atomized networks.