Obtaining the right level of IT security visibility can feel like a game of whack-a-mole or an attempt to plug a leaky dike.
The network security product space comprises an immense collection of tools, and network and security teams should expect to deploy multiple security tools and spend time building a security dashboard that automatically collects data from those tools to provide overall visibility.
This article discusses some tips network and security managers can use to improve network security visibility, including how to recognize potential threat vectors and ensure the right security tool set.
The first question network and security teams should ask when tackling network security visibility is: Do we have the necessary tools?
Teams can answer this question by using the Cyber Defense Matrix to identify holes and duplication in functional areas. Sounil Yu's presentation, "The Cyber Defense Matrix: A Scientific Model for Cybersecurity" is a great introduction to its use.
The matrix maps relevant security functions across its horizontal axis and shows the relevant infrastructure components down the vertical axis. Visibility is primarily about identifying and detecting attacks, so focus on the tools listed in the Identify and Detect columns.
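As an added illustration of the gap-and-duplication check described above (this is example code written for this article, not a NetCraftsmen or Cyber Defense Matrix tool), the following script places a tool inventory onto the matrix's five functions and five asset classes and reports empty cells in the Identify and Detect columns as well as cells covered by more than one tool. The tool names and the cells each tool covers are constructed sample data.

```python
"""Coverage check of a security tool inventory against the Cyber Defense Matrix.

Added example for this article. Axes are the matrix's standard ones (NIST CSF
functions across, asset classes down); the inventory below is constructed.
"""

FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
ASSETS = ["Devices", "Applications", "Networks", "Data", "Users"]

# Constructed inventory: tool name -> set of (asset, function) cells it covers.
SAMPLE_INVENTORY = {
    "asset-discovery": {("Devices", "Identify"), ("Networks", "Identify")},
    "vuln-scanner": {("Devices", "Identify"), ("Applications", "Identify")},
    "ids-ips": {("Networks", "Detect"), ("Networks", "Protect")},
    "flow-analytics": {("Networks", "Detect")},
    "edr": {("Devices", "Detect"), ("Devices", "Respond")},
    "backup": {("Data", "Recover")},
}


def build_matrix(inventory):
    """Return {(asset, function): [tool, ...]} with every matrix cell present."""
    matrix = {(a, f): [] for a in ASSETS for f in FUNCTIONS}
    for tool, cells in inventory.items():
        for cell in cells:
            if cell not in matrix:
                raise ValueError(f"{tool}: {cell} is not a matrix cell")
            matrix[cell].append(tool)
    for tools in matrix.values():
        tools.sort()
    return matrix


def find_holes(matrix, functions=("Identify", "Detect")):
    """Cells in the given columns with no tool at all: the visibility gaps."""
    return sorted(cell for cell, tools in matrix.items()
                  if cell[1] in functions and not tools)


def find_duplication(matrix):
    """Cells covered by more than one tool: candidates for consolidation."""
    return {cell: tools for cell, tools in matrix.items() if len(tools) > 1}


def render(matrix):
    """Plain-text grid: one row per asset class, tool count per function."""
    width = max(len(a) for a in ASSETS) + 2
    lines = [" " * width + "".join(f"{f:>10}" for f in FUNCTIONS)]
    for asset in ASSETS:
        counts = "".join(f"{len(matrix[(asset, f)]):>10}" for f in FUNCTIONS)
        lines.append(f"{asset:<{width}}{counts}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_INVENTORY)
    print(render(m))
    print("Visibility holes (Identify/Detect):", find_holes(m))
    print("Duplicated coverage:", find_duplication(m))
```

Run against a real inventory, the empty Identify and Detect cells are the first candidates for new tooling, while duplicated cells are where a team can retire a product or make the overlapping tools feed one dashboard.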
Cyberattacks generally arrive in one of two ways: exploitation of a vulnerability, or social engineering, such as phishing, that delivers malware inside an organization. This results in two possible threat vectors: external and internal.
It is imperative that network and security teams address all vulnerabilities that can be externally exploited. A variety of companies provide security visibility services that identify well-known holes. These services provide continuous visibility into an organization's external security posture, while penetration testing is only good at a point in time.
One example of an external security review is SecurityScorecard, which produces a multifaceted report that provides visibility at a glance. (Disclaimer: NetCraftsmen uses SecurityScorecard in our security practice. Many companies have comparable products.)
Internal visibility can be a challenge in a large network. A trained team needs to deploy the tools at the right places within the network, configure them properly and maintain them. The right places for deployment are typically network aggregation points, such as the interconnections between offices (LAN), remote facilities (WAN) and data centers (high-speed LAN). Monitoring for peer-to-peer attacks after an initial penetration requires teams to watch traffic between subnets within a facility, or even between VMs in a data center.
Internal visibility includes identifying previously unknown network devices, which may be the result of so-called shadow IT, and it can identify the best locations to monitor, increasing the efficacy of existing tools. It's also imperative to provide visibility on OS patch levels and use the data to drive an automated patching system. If a system can't be patched, it should be severely restricted to only the required communications with other devices. This would reduce malware propagation and IoT compromises, as bad actors have historically used web cameras and similar IoT devices for distributed denial-of-service attacks.
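The three internal checks just described (unknown devices, stale patch levels and restricting a host that cannot be patched) are small enough to show in one script. The following is an added example written for this article, not a NetCraftsmen tool: the ARP-style observations, asset inventory and patch records are constructed, and the rule tuples it emits are a generic representation rather than any vendor's ACL syntax.

```python
"""Internal visibility checks: shadow-IT devices, patch age, restriction rules.

Added example for this article; all data below is constructed.
"""
from datetime import date

# Constructed asset inventory: MAC address -> (hostname, owning team).
INVENTORY = {
    "00:11:22:33:44:01": ("fileserver-1", "infra"),
    "00:11:22:33:44:02": ("hr-laptop-7", "hr"),
    "00:11:22:33:44:03": ("cam-lobby-1", "facilities"),
}

# Constructed "ip mac vlan" observations, as pulled from an aggregation switch.
DISCOVERED = """\
10.1.10.21 00:11:22:33:44:01 vlan10
10.1.20.35 00:11:22:33:44:02 vlan20
10.1.30.7  00:11:22:33:44:03 vlan30
10.1.20.99 00:11:22:33:44:FF vlan20
"""

# Constructed patch records: hostname -> (os family, date of last patch).
# None means the vendor ships no updates, so the host can never be current.
PATCH_RECORDS = {
    "fileserver-1": ("linux", date(2020, 3, 2)),
    "hr-laptop-7": ("windows", date(2019, 12, 1)),
    "cam-lobby-1": ("firmware", None),
}


def parse_discovered(text):
    """Turn whitespace-separated 'ip mac vlan' lines into host dicts."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, vlan = line.split()
        hosts.append({"ip": ip, "mac": mac.lower(), "vlan": vlan})
    return hosts


def unknown_devices(hosts, inventory):
    """Devices seen on the wire with no inventory record: shadow-IT candidates."""
    return [h for h in hosts if h["mac"] not in inventory]


def stale_patches(records, today, max_age_days=30):
    """Split hosts into those patched too long ago and those that cannot be patched."""
    stale, unpatchable = [], []
    for host, (_os_family, last) in records.items():
        if last is None:
            unpatchable.append(host)
        elif (today - last).days > max_age_days:
            stale.append(host)
    return sorted(stale), sorted(unpatchable)


def restriction_rules(host_ip, required_flows):
    """Permit only the flows an unpatchable host needs, then deny everything else.

    required_flows is a list of (peer_ip, proto, port). Output is a generic
    ordered rule list: (action, host, peer, proto, port).
    """
    rules = [("permit", host_ip, peer, proto, port)
             for peer, proto, port in required_flows]
    rules.append(("deny", host_ip, "any", "any", "any"))
    return rules


if __name__ == "__main__":
    hosts = parse_discovered(DISCOVERED)
    for h in unknown_devices(hosts, INVENTORY):
        print("unknown device:", h)
    stale, unpatchable = stale_patches(PATCH_RECORDS, date(2020, 3, 20))
    print("stale:", stale, "unpatchable:", unpatchable)
    # The lobby camera only needs to stream to its recorder and reach NTP.
    for rule in restriction_rules("10.1.30.7",
                                  [("10.1.10.23", "tcp", 554), ("10.1.10.5", "udp", 123)]):
        print(rule)
```

In practice the discovered-host list comes from the switches or the DHCP server at each aggregation point, and the patch records from the patch-management system; the comparison logic stays the same.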
Many tools are dedicated to internal IT security visibility and provide dashboards similar to those of external security tools. RedSeal, for example, assesses a company's network and provides a resilience score. (Disclaimer: NetCraftsmen uses RedSeal in our security practice, but many others are available.)
Supporting systems for security visibility
Because the IT security industry is broad, teams will undoubtedly need multiple tools to obtain thorough network security visibility.
Intrusion detection system (IDS) and intrusion prevention system (IPS). IDS/IPS devices play key roles in providing additional visibility. Automating these systems, in conjunction with other visibility tools, can reduce the workload of managing them.
Flow data. Teams need information about network data flows between devices to understand malware propagation paths and design internal firewall rule sets that don't hinder necessary business traffic.
Products like Arbor Insight, Kentik, Plixer and Tetration provide analysis of flow data -- such as NetFlow, IPFIX (IP Flow Information Export) or sFlow (sampled flow) -- from network devices to identify who is using the network and which protocols are in use. This makes it easy to identify devices that must communicate with one another, as well as compromised devices that attack other devices -- i.e., malware propagation. The desired traffic flows can inform whitelist firewall rule construction, and undesirable flows can identify infected devices.
Automation. The scale of network attacks and vulnerabilities is simply too large to handle manually. To be effective, enterprises should deploy and use automated systems. An automated system must be able to detect threats and automatically respond to them, while alerting the network and security managers to the threat and action.
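The flow-data paragraph above and the automation requirement that follows it fit together in one worked example: derive whitelist rule candidates from repeatedly observed flows, flag a host that fans out to many internal peers on a single service port (the malware-propagation pattern), and turn each finding into a quarantine rule plus an alert for the managers. This is added code written for this article, not an Arbor, Kentik, Plixer or Tetration feature; the NetFlow-like CSV export is constructed, and the rule tuples are a generic representation rather than a vendor format.

```python
"""Flow analysis to whitelist candidates, fan-out detection and automated response.

Added example for this article; the flow export below is constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed collector export. The first block is routine business traffic;
# the generated lines are one client touching twelve servers on tcp/445 with
# a single packet each, as a probing host would.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port,packets,bytes
10.1.20.35,10.1.10.21,tcp,445,120,98000
10.1.20.35,10.1.10.21,tcp,445,98,81000
10.1.20.35,10.1.10.21,tcp,445,110,90500
10.1.20.35,10.1.10.22,tcp,443,40,22000
10.1.20.35,10.1.10.22,tcp,443,37,20100
10.1.30.7,10.1.10.23,tcp,554,900,1200000
10.1.30.7,10.1.10.23,tcp,554,870,1150000
""" + "".join(f"10.1.20.99,10.1.10.{i},tcp,445,1,60\n" for i in range(1, 13))


def parse_flows(text):
    """Parse a CSV flow export into dicts with integer counters."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dst_port"] = int(row["dst_port"])
        row["packets"] = int(row["packets"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def allowlist_candidates(flows, min_records=2):
    """Flows seen at least min_records times in the baseline window.

    These are the communications a whitelist rule set must permit so that
    internal firewalls do not hinder necessary business traffic.
    """
    seen = Counter((f["src_ip"], f["dst_ip"], f["proto"], f["dst_port"])
                   for f in flows)
    return sorted(key for key, n in seen.items() if n >= min_records)


def detect_fanout(flows, port, min_peers=10, max_packets=3):
    """Sources that reach many distinct destinations on one port with tiny flows.

    Legitimate clients talk to a few servers with sustained flows; a host
    probing its neighbours produces many one-packet flows to many peers.
    """
    peers = defaultdict(set)
    for f in flows:
        if f["dst_port"] == port and f["packets"] <= max_packets:
            peers[f["src_ip"]].add(f["dst_ip"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


def respond(findings, port):
    """Automated response: one quarantine rule per offending host plus an alert
    text for the network and security managers describing the action taken."""
    actions = []
    for src, dsts in sorted(findings.items()):
        actions.append({
            "rule": ("deny", src, "any", "tcp", port),
            "alert": (f"{src} contacted {len(dsts)} internal hosts on tcp/{port} "
                      f"with single-packet flows; tcp/{port} from it is now blocked"),
        })
    return actions


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Whitelist candidates:")
    for candidate in allowlist_candidates(flows):
        print("  permit", candidate)
    findings = detect_fanout(flows, port=445)
    for action in respond(findings, port=445):
        print("Rule:", action["rule"])
        print("Alert:", action["alert"])
```

The thresholds (two observations for a whitelist candidate, ten peers for a fan-out finding) are starting points to tune against a site's real baseline; the structure of detect, act, then alert is what the automation requirement calls for.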
Executive support. Don't overlook support that comes from an organization's executives. Executives need to take an interest in security and monitor its effectiveness. Does the team act on the data its tools produce? What security incidents have been detected or avoided? Are the right tools in place, properly deployed and effectively used by a trained team?
Network and security teams need to work together with the rest of IT to be most effective. Executives may need to create a culture of teamwork across IT. It has to be an "us" organization, not an "us vs. them" or a "you don't have to know" structure. More eyes watching all IT systems translates into a more smoothly functioning organization.