The Network’s Role as a Security Sensor and Policy Enforcer

According to ESG research, 79% of cybersecurity professionals working at enterprise organizations (i.e. more than 1,000 employees) believe that network security management and operations is more difficult today than it was two years ago (note: I am an ESG employee).  Why?  Infosec pros point to a combination of increasingly dangerous cyber-threats, new IT initiatives like cloud and mobile computing, legacy point tools, and growing security operations overhead. 

This troublesome situation should be unacceptable to CEOs, CIOs, and CISOs alike as it increases IT risk and makes it difficult for the cybersecurity team to detect and respond to incidents when they occur.

So what can be done to address these problems?  Get the network to pull more weight across the entire threat lifecycle with:

• Advanced prevention.  Legacy network security controls like firewalls, IDS/IPS, and endpoint security alone are inadequate but that doesn’t mean we should throw the network out with the cybersecurity bath water.  Today’s networks can offer much more intelligent and granular layers of defense if used more creatively.  For example, SDNesque technologies from Cisco (ACI), Juniper (Contrail), Nuage Networks, vArmour, and VMware (NSX) offer simplified ways to segment networks more effectively and protect critical assets.  On the network access side, Aruba, (HP), Bradford Networks, and ForeScout provide visibility into what’s on the network and policy enforcement capabilities to limit device access and activities.  Now none of these actions will eliminate all threats but they can be used to greatly decrease the attack surface.
• Incident detection.  Cisco talks about using the network as a sensor and I wholeheartedly agree.  As the old saying goes, “the network doesn’t lie,” meaning that malicious payloads, scans, and connections are ultimately transported over networks.  Security professionals can gain greater visibility into disreputable network activities by capturing and analyzing network telemetry such as NetFlow data, full packet-capture (PCAP), DNS logs, etc.  Vendors like Lancope, LogRhythm, IBM, and Splunk do this quite well.  When you combine network knowledge with endpoint telemetry (i.e. from Carbon Black, Guidance, Great Bay Software, RSA, Tanium, etc.) and threat intelligence you should be able to improve your ability to baseline normal behavior and identify anomalous behavior in an accelerated timeframe. 
• Incident response.  Once suspicious behavior is identified, security teams want to limit damages and fix problems as quickly as possible.  To this end, IR processes can be automated using API-based integration between detection tools and network infrastructure.  The goal, use network-based capabilities and security controls to limit exposure.  Many organizations are starting to employ Integrated Cybersecurity Orchestration Platforms (ICOPs) from vendors like Invotas, Phantom Cyber, Resilient Systems, or ServiceNow to bridge these two worlds.  When the CEO’s system suddenly connects to an unknown domain, downloads files, and then reach out to suspicious IP addresses, the network can be instrumented to automatically quarantine the system and guide it to a remediation VLAN. 

With the growing proliferation of API-based tools, this type of network security architecture more possible today than it was in the past.  I expect further rapid progress across the industry in the future. 

I realize that building these capabilities may take time as organizations align security policies with business processes, integrate disparate tools, and get cybersecurity, network operations, data center infrastructure, and business application teams marching in the same direction.  Yup, there’s work ahead but truth-be-told, we need to do everything we can to make cyber-attacks more difficult for the bad guys while we make cybersecurity operations much easier for the good guys.  Networks will play a starring role in the overall effort to make this happen.