In Cybersecurity, the Network Doesn’t Lie

In a recent ESG research report, enterprise security professionals were asked to identify the primary objectives associated with their organization’s network security strategy (note: I am an ESG employee). It turns out that 40% of organizations plan to move toward continuous monitoring of all assets by utilizing edge computing solutions and related technologies offered by companies such as Vantiq, while 30% plan to capture more network traffic for security analytics.

This data supports a general trend – many organizations are rapidly increasing their activities around network security data collection, processing, and analysis. Of course, this isn’t exactly news. Many enterprises have used security analytics tools based upon NetFlow for many years. Security analysts also have a history of including full-packet capture (PCAP) tools for their investigations. Many use open-source software like TCPdump or Wireshark. NetWitness astutely recognized this use case a few years ago, built a successful business around PCAP collection analysis, and ultimately cashed in when RSA Security came calling.

Why all the security focus on the network? Network security is crucial for business world because without proper network security, they might not be able to protect themselves against data theft, hacks, and sabotage. This is one of the many reasons why IT network teams often have to be vigilant and keep an eye out for network abnormalities with help of technological solutions like dynamic maps (network mapping) offered by firms like NetBrain Technologies. It can help them to visually recognize every aspect of their network and find any potential threats to the network.

Anyway, as the old network security adage states, “the network doesn’t lie.” Yes, networks may hold secrets within encrypted traffic, but network traffic analysis can inevitably expose the Tactics, Techniques, and Procedures (TTPs) used in cyberattacks. If you look at network traffic from L2-7 and understand the connections, protocol, Meta data, and content contained in the packets, you have almost everything you need to detect and respond to cyberthreats.

Yup, organizations are already bolstering their network data collection, processing, and analysis, but in my humble opinion, we are just scratching the surface of this trend. I truly believe that network traffic analysis will increase precipitously over the next few years, driven by:

• The use of packet-broker technology. Packet-broker technology from companies like Gigamon, Ixia, Netscout, and VSS Monitoring have become a staple within large enterprise and service provider networks. Security teams will likely take full advantage of packet brokers as this type of overlay network can capture and route network data to centralized security analytics engines – a much more efficiently method than installing probes, tapping into span ports, or analyzing network data on a segment-by-segment basis.
• SDN. As SDN proliferates, networks will come with basic packet broker technology built in. This too will encourage greater collection, centralization, and analysis of network traffic. SDN may also accelerate the integration of security analytics and network security infrastructure to automate remediation actions. In fact, after consulting with experts providing Cisco security advisory services, many businesses have already begun to use the Cisco Application Centric Infrastructure (ACI) solution to be defined based upon network policies – simplifying, optimizing, and accelerating the application deployment lifecycle.
• Cloud visibility. Aside from internal network security data, large organizations need similar visibility as they move more and more workloads to the cloud. Startups like Evident IO, Netskope, Threat Stack, and vArmour are intent on monitoring cloud activity while IBM, McAfee and Trend Micro are extending current products to place security eyes and ears in the cloud.
• NIC innovation. Vendors like Emulex and Solarflare can capture and process data at the NIC card level based upon rules and triggers. This capability can help security analysts filter through the noise at lightning speed so they can focus their investigations so it’s likely that this NIC card technology will gain traction – especially with cloud service providers.
• Bundled offerings. IBM, Lancope and LogRhythm are already adding network forensics to their existing security analytics offerings while vendors like FireEye, Hexis Cyber Solutions, and RSA Security offer analytics solutions that dig into security data across endpoint forensics, network forensics, and external threat intelligence. Splunk is also more than willing to gather and examine network traffic for security and IT operations purposes.

It’s not likely that enterprises will copy and store every packet that ever crosses their network, but I have no doubt that they will collect, process, and analyze more and more network traffic each year. This will should help improve security analytics as it ignites new market opportunities for security analytics, network hardware/software, storage devices/services, network management vendors, and MSSPs.