In Cybersecurity, the Network Doesn’t Lie

Organizations are collecting, processing, and analyzing more and more network traffic.

In a recent ESG research report, enterprise security professionals were asked to identify the primary objectives associated with their organization's network security strategy (note: I am an ESG employee). It turns out that 40% of organizations plan to move toward continuous monitoring of all assets on the network, while 30% plan to capture more network traffic for security analytics.

This data supports a general trend – many organizations are rapidly increasing their activities around network security data collection, processing, and analysis. Of course, this isn't exactly news. Many enterprises have used security analytics tools based upon NetFlow for many years. Security analysts also have a history of including full-packet capture (PCAP) tools for their investigations. Many use open source software like TCPdump or Wireshark. NetWitness astutely recognized this use case a few years ago, built a successful business around PCAP collection analysis, and ultimately cashed in when RSA Security came calling.

Why all the security focus on the network? As the old network security adage states, "the network doesn't lie." Yes, networks may hold secrets within encrypted traffic, but network traffic analysis can inevitably expose the Tactics, Techniques, and Procedures (TTPs) used in cyberattacks. If you look at network traffic from L2-7 and understand the connections, protocol, Meta data, and content contained in the packets, you have almost everything you need to detect and respond to cyberthreats.

Yup, organizations are already bolstering their network data collection, processing, and analysis, but in my humble opinion, we are just scratching the surface of this trend. I truly believe that network traffic analysis will increase precipitously over the next few years, driven by:

  • The use of packet-broker technology. Packet-broker technology from companies like Gigamon, Ixia, Netscout, and VSS Monitoring have become a staple within large enterprise and service provider networks. Security teams will likely take full advantage of packet brokers as this type of overlay network can capture and route network data to centralized security analytics engines – a much more efficiently method than installing probes, tapping into span ports, or analyzing network data on a segment-by-segment basis.
  • SDN. As SDN proliferates, networks will come with basic packet broker technology built in. This too will encourage greater collection, centralization, and analysis of network traffic. SDN may also accelerate the integration of security analytics and network security infrastructure to automate remediation actions. 
  • Cloud visibility. Aside from internal network security data, large organizations need similar visibility as they move more and more workloads to the cloud. Startups like Evident IO, Netskope, Threat Stack, and vArmour are intent on monitoring cloud activity while IBM, McAfee and Trend Micro are extending current products to place security eyes and ears in the cloud. 
  • NIC innovation. Vendors like Emulex and Solarflare can capture and process data at the NIC card level based upon rules and triggers. This capability can help security analysts filter through the noise at lightning speed so they can focus their investigations so it's likely that this NIC card technology will gain traction – especially with cloud service providers. 
  • Bundled offerings. IBM, Lancope and LogRhythm are already adding network forensics to their existing security analytics offerings while vendors like FireEye, Hexis Cyber Solutions, and RSA Security offer analytics solutions that dig into security data across endpoint forensics, network forensics, and external threat intelligence. Splunk is also more than willing to gather and examine network traffic for security and IT operations purposes. 

It's not likely that enterprises will copy and store every packet that ever crosses their network, but I have no doubt that they will collect, process, and analyze more and more network traffic each year. This will should help improve security analytics as it ignites new market opportunities for security analytics, network hardware/software, storage devices/services, network management vendors, and MSSPs. 

Copyright © 2015 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline