Security & management: net effect

There is no shortage of network data with which to secure and manage networks. But, as James Barrett of Endace demonstrates, accessing useful network data at the right time has traditionally been a challenge.

The fundamental prerequisite for successfully protecting networks and applications against cyber-attacks and performance problems is sufficient visibility of all network activity. However, despite deploying numerous security and performance monitoring tools and collecting data from multiple sources, organisations seem to lack this network visibility, and consequently, the agility to respond to network security threats and performance problems in near real-time.

Some recent research we carried out found that 90 per cent of the large enterprises surveyed reported 'insufficient visibility into network activity to be certain about what is happening' and 88 per cent were concerned about their ability to 'resolve security and performance problems quickly and accurately'.

Unsurprisingly, SecOps and NetOps are overwhelmed by the volume of collected data. Often the data exists in silos and lacks useful context, meaning that organisations don't have the definitive evidence they need to be certain about events. As a result, investigations are slow, resource-intensive and often inconclusive, as analysts struggle to assemble a clear picture of events, using multiple and disparate data sources.

To address this, it's essential to ensure that the right data is being collected, and then to integrate it all into actionable information. Network metadata provides good visibility into real-time network activity while also providing insight into trends. Its compactness means that it's possible to store months or years of history, which is ideal for analysis.

While metadata is incredibly useful, it clearly doesn't contain the packet payload data that SecOps and NetOps need as definitive forensic evidence. For that, organisations will require full packet data.

Collecting both forms offers NetOps and SecOps the information they need to quickly investigate threats and performance problems, coupled where necessary with the ability to drill into definitive packet-level evidence to see exactly what happened, allowing them to refine their response.
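The two-tier workflow described above, summarised flow metadata for fast triage and retained full packets for definitive evidence, is shown below as an added example. It is not code from the article or from Endace; the `Packet` and `FlowRecord` types, the function names and the sample capture are all constructed for illustration. The script aggregates a handful of constructed packets into per-flow metadata, shows how much smaller that metadata is than the capture it summarises, runs a triage query over the metadata alone, and then drills back into the full packets for the one flow the query flags.

```python
"""Flow metadata for triage, full packets for evidence (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # application payload as seen on the wire


# Constructed sample capture: two HTTP exchanges and one DNS lookup.
CAPTURE: List[Packet] = [
    Packet(1.00, "10.0.0.5", 51000, "203.0.113.10", 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(1.20, "203.0.113.10", 80, "10.0.0.5", 51000, "tcp",
           b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Packet(2.00, "10.0.0.5", 53001, "10.0.0.1", 53, "udp",
           b"\x12\x34\x01\x00" + b"\x00" * 28),   # DNS query (constructed bytes)
    Packet(2.05, "10.0.0.1", 53, "10.0.0.5", 53001, "udp",
           b"\x12\x34\x81\x80" + b"\x00" * 44),   # DNS response (constructed bytes)
    Packet(3.00, "10.0.0.7", 52000, "203.0.113.10", 80, "tcp",
           b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Content-Length: 1024\r\n\r\n" + b"A" * 1024),
]

FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


def flow_key(p: Packet) -> FlowKey:
    """Bidirectional key: both directions of a conversation map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo, hi)


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    client_bytes: int = 0   # bytes sent by the endpoint that sent the first packet


def build_metadata(packets: Iterable[Packet]) -> Dict[FlowKey, FlowRecord]:
    """Summarise a packet stream into per-flow records: the compact metadata layer."""
    flows: Dict[FlowKey, FlowRecord] = {}
    initiator: Dict[FlowKey, Tuple[str, int]] = {}
    for p in sorted(packets, key=lambda q: q.ts):
        k = flow_key(p)
        rec = flows.get(k)
        if rec is None:
            rec = flows[k] = FlowRecord(k, p.ts, p.ts)
            initiator[k] = (p.src, p.sport)
        rec.last_seen = max(rec.last_seen, p.ts)
        rec.packets += 1
        rec.bytes += len(p.payload)
        if (p.src, p.sport) == initiator[k]:
            rec.client_bytes += len(p.payload)
    return flows


def metadata_csv(flows: Dict[FlowKey, FlowRecord]) -> str:
    """One CSV line per flow; this is what gets retained for months or years."""
    lines = []
    for r in flows.values():
        proto, (a_ip, a_port), (b_ip, b_port) = r.key
        lines.append(f"{r.first_seen},{r.last_seen},{proto},{a_ip},{a_port},"
                     f"{b_ip},{b_port},{r.packets},{r.bytes},{r.client_bytes}")
    return "\n".join(lines) + "\n"


def capture_size(packets: Iterable[Packet]) -> int:
    """Payload bytes held in the full packet store."""
    return sum(len(p.payload) for p in packets)


def triage(flows: Dict[FlowKey, FlowRecord], port: int, min_client_bytes: int) -> List[FlowKey]:
    """Step 1: query metadata only, e.g. flows on a port where the initiator sent a lot of data."""
    hits = []
    for r in flows.values():
        _, (_, pa), (_, pb) = r.key
        if port in (pa, pb) and r.client_bytes >= min_client_bytes:
            hits.append(r.key)
    return hits


def packets_for_flow(packets: Iterable[Packet], key: FlowKey) -> List[Packet]:
    """Step 2: drill into the full packet store for the flagged flow."""
    return [p for p in packets if flow_key(p) == key]


if __name__ == "__main__":
    flows = build_metadata(CAPTURE)
    print(f"{len(flows)} flows summarised from {len(CAPTURE)} packets")
    print(f"metadata: {len(metadata_csv(flows).encode())} bytes, "
          f"capture: {capture_size(CAPTURE)} bytes")
    for key in triage(flows, port=80, min_client_bytes=500):
        for p in packets_for_flow(CAPTURE, key):
            print(p.ts, p.src, "->", p.dst, p.payload[:40])
```

The metadata answers "which conversations look unusual?" cheaply and over a long retention window; only the flagged flow is pulled from the packet store, where the payload shows exactly what was sent.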

As well as a lack of visibility, organisations reported other issues. 88 per cent struggle to 'deploy new capabilities at the rate the business or IT requires' and 80 per cent don't have 'enough of the right tools in the right places' with 73 per cent lacking flexibility, 'forced to keep obsolete tools, locked into specific vendors or can't choose best-of-breed solutions'.

Underlying these issues is the fact that deploying network security and performance monitoring solutions often requires deploying hardware-based appliances. These appliances are expensive, slow to deploy, costly to maintain and difficult to change out.

As a result, budgets are consumed by costly CAPEX investment, leaving SecOps and NetOps with insufficient budget to deploy enough network tools in enough places to avoid blind spots. And once solutions are deployed, they often remain in place well after becoming obsolete, as changing them out is too expensive and difficult.

Solving this means adopting a new approach to the way network security and performance solutions are delivered. Virtualising the enterprise data centre resulted in massive economies of scale, cost-savings, flexibility and agility for IT operations. A similar approach is required for the network.

As network security, network monitoring, and application monitoring vendors increasingly offer software versions of their solutions, virtualising network monitoring has rapidly become an achievable objective.

Deploying an underlying hardware architecture that can perform all the necessary common network functions allows security and performance analytics tools, as well as the SecOps and NetOps teams that use them, to share the same hardware infrastructure.

Virtualising network security and performance monitoring functionality offers the same benefits for NetOps and SecOps as data centre virtualisation delivered for IT teams. These include reduced cost, hugely improved flexibility and agility, combined with the ability to change functionality easily in the future as the network grows and the threat landscape evolves, thereby making network blind spots a thing of the past. NC