
Listening to the network

Keeping IT and security operations separate risks weakening network security effectiveness. Integrating data, process and people helps to build more secure infrastructures.

Phil Hollows

Security technologies exist for one reason: to protect the enterprise's IT assets, because without that protection an organization's network, applications and intellectual property -- its very lifeblood -- is at risk. While network security professionals are tasked with protecting the IT infrastructure supporting the business, the IT infrastructure is often neglected by security or risk management teams, as it is the domain of IT or operations. Yet the network, and the applications that run on it, can bring essential perspective to security professionals. In fact, an IT organization that keeps IT and security operations separate risks weakening network security effectiveness, whereas those that integrate data, process and people are much better equipped to prevent compromises, comply with audit and legal regulations, and build more secure, better performing IT infrastructures for their organizations.

Nothing makes this clearer than the most recent Sasser outbreak. Traffic generated by Sasser effectively rendered vulnerable and invulnerable servers alike unreachable as enterprise networks were crushed under the traffic spikes.

The network is the biggest security sensor you have
To conduct effective, in-depth network security, enterprises need to draw on the insight that can be gleaned from network events from systems such as servers, routers, switches, applications and desktops. By correlating both network events and security events (firewalls, IDS, AV, and VPN), IT operations can provide a greater understanding of a threat's impact, and can even identify an active attack ahead of traditional standalone security sentry systems.

This is particularly true for attacks that arise from inside your network. With strong perimeter protection in the form of various firewall classes, intrusion detection and intrusion prevention systems, senior managers may be convinced that they've done enough to secure their enterprise. Yet a single mobile user or a consultant with an unpatched laptop (or a disgruntled or corrupted employee) can wreak havoc internally as soon as they get their DHCP lease and access the network. If you only have perimeter defenses, you will be unable to detect the compromise until it's too late. And studies consistently show that the most expensive, highest risk attacks are those that come from inside the company (see "Managing the threat from within").

By monitoring critical system and network performance metrics with an eye to security, you can help discover such breaches early in the attack cycle, reducing your remediation chores and ultimate business costs. Systems targeted by hackers, viruses, competitors or even unhappy employees can tell a lot about the importance and relevance of an ongoing threat. For example, a dramatic increase in latency might indicate a new worm infection, as might a surge in outbound traffic from your e-mail server. Tying security systems to availability and performance metrics can give you critical perspective to accelerate root-cause analysis and route the problem to the right group.

This capability is particularly important if your security infrastructure doesn't extend to internal firewalls and intrusion systems, since these attacks are almost invisible to security teams. Inside attacks pose significantly higher risks and costs than intrusion attempts launched externally.

Correlated network data gives broad perspective
It's important for enterprise security management to monitor hosts that are the intended victims of malicious activity. An effective way to put this into practice is to incorporate network management metrics into security information management and event correlation systems. Many of these will monitor router logs for ACL violations and server logs for other suspicious activity, but for a deeper, enterprise-wide view of the impact of security on network operations, a more comprehensive view is required.

Using a variety of techniques, some software can detect if and when a target system behaves in a way that indicates that a compromise has been successful, or if the system is struggling under the onslaught. You can forward host or monitor traps to these systems, and have them correlate this information with security sensor data. For example, if a server's performance degrades significantly after a security event, then it would appear that the target system is at best in some sort of trouble and at worst compromised and needing extensive remediation. Either way, by correlating the network performance data with security event information you now have the ability to determine the ultimate impact of a threat on your systems, services and business operations.
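The correlation the last few paragraphs describe (a security sensor fires, and the targeted host's latency or outbound traffic then departs sharply from its baseline) can be expressed as a small detection routine. The following is an added example, not code from the article or from any product it mentions: it joins constructed IDS events against constructed per-host performance samples, builds each host's baseline from the samples taken before the alert, and flags hosts that degrade in the window after it. It also runs the check without an alert, so a host that degrades before any sentry has reported it is surfaced too. Host names, timestamps, sample values, the 10-minute window, the 3-sigma test and the 5% floor are all assumptions made for the example.

```python
"""Correlate security-sensor events with host performance metrics.

Added example (not from the article or any vendor product). Every host,
timestamp, sample value and threshold below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityEvent:
    ts: datetime
    sensor: str   # which sentry fired, e.g. "ids" or "firewall"
    host: str     # target host named in the alert
    msg: str


@dataclass
class MetricSample:
    ts: datetime
    host: str
    metric: str   # "outbound_kbps" or "latency_ms" in this example
    value: float


def baseline(samples: List[MetricSample], host: str, metric: str,
             before: datetime) -> Optional[Tuple[float, float]]:
    """Mean and population std-dev of one host metric before `before`."""
    vals = [s.value for s in samples
            if s.host == host and s.metric == metric and s.ts < before]
    if len(vals) < 3:
        return None            # too little history to judge
    return mean(vals), pstdev(vals)


def degradation_ratio(samples: List[MetricSample], host: str, metric: str,
                      start: datetime, window: timedelta = timedelta(minutes=10),
                      sigma: float = 3.0) -> Optional[float]:
    """post-window mean / baseline mean when the post-window samples sit more
    than `sigma` deviations above baseline; None when nothing is unusual."""
    base = baseline(samples, host, metric, start)
    post = [s.value for s in samples
            if s.host == host and s.metric == metric
            and start <= s.ts <= start + window]
    if base is None or not post:
        return None
    mu, sd = base
    # A flat baseline would make any blip "anomalous": also require at least
    # a 5% move (assumed floor) before calling it degradation.
    floor = max(sd, 0.05 * mu)
    post_mean = mean(post)
    if post_mean > mu + sigma * floor:
        return post_mean / mu if mu else float("inf")
    return None


def anomalies_at(samples, host, at, metrics=("outbound_kbps", "latency_ms")) -> Dict[str, float]:
    """Metrics of `host` that degrade after `at`, with their ratio to baseline."""
    found = {}
    for m in metrics:
        r = degradation_ratio(samples, host, m, at)
        if r is not None:
            found[m] = round(r, 2)
    return found


def correlate(events: List[SecurityEvent], samples: List[MetricSample]) -> List[Dict]:
    """One verdict per sensor event: did the targeted host degrade afterwards?"""
    verdicts = []
    for ev in events:
        hits = anomalies_at(samples, ev.host, ev.ts)
        verdicts.append({
            "host": ev.host, "sensor": ev.sensor, "msg": ev.msg,
            # degraded after an alert: at best in trouble, at worst compromised
            "verdict": "degraded-after-event" if hits else "event-only",
            "anomalies": hits,
        })
    return verdicts


def surges_without_alert(events, samples, check_ts, hosts,
                         lookback=timedelta(minutes=30)) -> Dict[str, Dict[str, float]]:
    """Hosts degrading at `check_ts` that no sensor reported within `lookback`:
    the network noticing trouble before the security sentries do."""
    alerted = {e.host for e in events if check_ts - lookback <= e.ts <= check_ts}
    return {h: hits for h in hosts if h not in alerted
            and (hits := anomalies_at(samples, h, check_ts))}


# ---- constructed sample data ------------------------------------------------
T0 = datetime(2004, 5, 3, 9, 0)
CHECK_TS = T0 + timedelta(minutes=30)
FIVE = timedelta(minutes=5)


def _series(host, metric, values, start, step):
    return [MetricSample(start + i * step, host, metric, v) for i, v in enumerate(values)]


SAMPLES = (
    # mail01: calm for half an hour, then outbound traffic and latency explode
    _series("mail01", "outbound_kbps", [210, 195, 205, 200, 198, 212], T0, FIVE)
    + _series("mail01", "outbound_kbps", [1800, 2400, 2600], T0 + timedelta(minutes=32), timedelta(minutes=4))
    + _series("mail01", "latency_ms", [12, 11, 13, 12, 12, 11], T0, FIVE)
    + _series("mail01", "latency_ms", [45, 80, 120], T0 + timedelta(minutes=32), timedelta(minutes=4))
    # web02: an alert fires but the host carries on unchanged
    + _series("web02", "outbound_kbps", [500, 510, 495, 505, 500, 490, 505, 498, 502], T0, FIVE)
    + _series("web02", "latency_ms", [8, 9, 8, 8, 9, 8, 8, 9, 8], T0, FIVE)
    # files03: no sensor fired, yet latency climbs sharply from 09:30
    + _series("files03", "latency_ms", [15, 14, 16, 15, 15, 14, 70, 95, 110], T0, FIVE)
)

EVENTS = [
    SecurityEvent(CHECK_TS, "ids", "mail01", "worm propagation signature (constructed)"),
    SecurityEvent(CHECK_TS, "ids", "web02", "port scan (constructed)"),
]


def run_example():
    verdicts = correlate(EVENTS, SAMPLES)
    quiet = surges_without_alert(EVENTS, SAMPLES, CHECK_TS, ["mail01", "web02", "files03"])
    return verdicts, quiet


if __name__ == "__main__":
    verdicts, quiet = run_example()
    for row in verdicts:
        print(row)
    print("degrading with no alert on record:", quiet)
```

In the constructed data, mail01 is reported by the IDS and then shows roughly an eleven-fold jump in outbound traffic and a seven-fold jump in latency, so it is classed as degraded after the event; web02 is reported but unchanged, so the alert stays an "event-only" item for a lower-priority queue; files03 has no alert at all yet its latency has climbed, which is the case where the network itself is the first sensor. Real deployments would replace the in-memory lists with trap or poll data from the management platform and tune the window and thresholds per service class.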

Co-opting and completing IT security
With many security teams currently focusing on compliance, thanks to Sarbanes-Oxley and updated HIPAA regulations, it can be too easy for senior management to declare victory with perimeter systems only as they rush to meet externally imposed deadlines. By providing network insight to security teams and learning how to take advantage of emerging security technologies, networking professionals can help to significantly improve their organization's security posture, reduce the flood of false positives that security teams need to assess, and help manage and control security response processes.

Integrating security alerts, processes and visualizations into the main network operations console enables IT to deliver a single, correlated, consolidated operations dashboard. Beyond offering significant time and cost savings and more complete risk reduction, an effective unified operations dashboard that links standard network management and security metrics delivers greater value than separate consoles. It makes it possible to better prioritize incident response activities based on downstream network effects, helping improve network availability and SLA compliance. In other words, using the network to help assess and respond to security incidents yields a better performing network.

By cooperating with IT security instead of competing with it, network operations teams can better deliver on their mission while helping reduce enterprise security risk. With security issues increasingly grabbing the headlines and attention in executive suites, the obligation to reduce risk is the most pressing IT issue -- and opportunity -- of the day. Seize it!

About the author:
Phil Hollows is the Vice President of Security Products at Open Service, a leading provider of enterprise security management. Open's Security Threat Manager offers an integrated view of security and network management applications that provide a layer of intelligence between devices and the people managing threats.
This was last published in May 2004
