By Cary Wright, VP Product Management, Endace
Recent research shows that enterprise teams are very concerned about the ability to protect their networks from cyber threats. Concerns run the gamut: insufficient insight into network activity, lack of integration between security tools, inability to respond to threats quickly enough, resource constraints, and obsolete solutions. Enterprises are frustrated with existing security solutions that don’t provide sufficient visibility, agility, and economic efficiency. This article is the first of a three-part series from Endace and looks at the issue of network visibility.
Without the right tools in place, detection and resolution of security events is cumbersome and often inconclusive. Lacking sufficient visibility into network activity, organizations are left vulnerable.
A recent enterprise survey conducted by Enterprise Management Associates reveals that only 31% of incursions were identified and stopped at the earliest two stages of the Lockheed Martin Kill Chain model. This indicates that most threats proceed to the dangerous exploitation phase. A key reason for being unable to stop a compromise early enough is the overflowing backlog of issues that are never investigated. 89% of enterprises surveyed by ViB say a lack of visibility into network activity prevents them from reacting promptly, with confidence.
At first glance, you might think the lack of network visibility is caused by a lack of data. But the issue often isn’t a lack of data; it is an inability to correlate the data that has been collected into useful insights. It’s like trying to assemble a collection of scattered jigsaw puzzle pieces when you don’t have a picture of the final result. Enterprise teams are overwhelmed by the sheer volume of data to analyze from multiple, disparate sources: log files, SNMP traps, monitoring tools, etc. Often this data is scattered across the infrastructure, hard to correlate, and incomplete because of blind spots in network coverage, which makes seeing the full context of security threats difficult or impossible.
When teams efficiently collate data sources to provide full context around detected issues, then data becomes “actionable information” used to investigate and resolve problems quickly and accurately. Network metadata and full-packet capture data together give teams the perfect combination of evidence for investigating and resolving security threats.
Network metadata delivers a summary of activity across your infrastructure that provides insight into the behavior of users, devices, applications, and threats. This summary can be easily stored and correlated with other data sources from endpoints, applications, AAA, firewall logs, and other key elements. Having diverse datasets in one place helps investigators triangulate on potential issues rapidly. Since all this is a summary of what happened, access to full packet data is often needed to confidently understand the breadth of a security event. Fortunately, metadata provides an index into full packet capture data that enables teams to quickly and accurately reconstruct events, in context, to see exactly what has occurred and respond at once.
This combination of network metadata with full packet history facilitates quick and confident investigations and threat resolutions. Analysts can query and mine the metadata, then quickly get definitive evidence by drilling down to the packets. The combination of network metadata and packet data also provides the all-important context for data from other sources – such as log files and alerts from monitoring – by providing a timeline and record of affected hosts against which these data sources can be correlated easily.
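To make the pivot described above concrete, here is an added example (not Endace code; the record formats and field names are assumptions): flow metadata summarising each conversation, a host-based alert taken from a log line, and the metadata record used as the index to pull only the matching packets out of the full-packet store.

```python
# Constructed flow metadata: one summary record per conversation, with the
# time window and endpoints. Field names are an assumption for this example.
FLOW_METADATA = [
    {"flow_id": 1, "start": 1000, "end": 1030, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443},
    {"flow_id": 2, "start": 1010, "end": 1090, "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 4444},
    {"flow_id": 3, "start": 1050, "end": 1060, "src": "10.0.0.8", "dst": "203.0.113.9", "dport": 443},
]

# Constructed full-packet store: each captured packet is tagged with the flow
# it belongs to, so a metadata record works as an index into the packet history.
PACKETS = [
    {"flow_id": 1, "ts": 1000, "len": 60},
    {"flow_id": 2, "ts": 1010, "len": 60},
    {"flow_id": 3, "ts": 1050, "len": 60},
    {"flow_id": 2, "ts": 1045, "len": 1500},
    {"flow_id": 2, "ts": 1088, "len": 1500},
]


def parse_alert(line):
    """Parse a constructed key=value log line into the host and time the alert refers to."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"host": fields["host"], "ts": int(fields["ts"])}


def correlate_alert(alert, flows):
    """Timeline correlation: flows involving the alerted host that were active at the alert time."""
    host, ts = alert["host"], alert["ts"]
    return [f for f in flows if host in (f["src"], f["dst"]) and f["start"] <= ts <= f["end"]]


def packets_for_flow(flow, packets):
    """Use the metadata record as an index: fetch only that flow's packets, in time order."""
    hits = [p for p in packets
            if p["flow_id"] == flow["flow_id"] and flow["start"] <= p["ts"] <= flow["end"]]
    return sorted(hits, key=lambda p: p["ts"])


def investigate(line, flows=FLOW_METADATA, packets=PACKETS):
    """Alert -> candidate flows (metadata) -> packet evidence per flow (full capture)."""
    alert = parse_alert(line)
    return {f["flow_id"]: packets_for_flow(f, packets) for f in correlate_alert(alert, flows)}


if __name__ == "__main__":
    # Constructed endpoint alert: the host was flagged at t=1040, after flow 1 had ended.
    for flow_id, pkts in investigate("ts=1040 host=10.0.0.5 event=suspicious_process").items():
        print(flow_id, [(p["ts"], p["len"]) for p in pkts])
```

Only flow 2 overlaps the alert time for that host, so the analyst is handed three packets to inspect rather than the whole capture.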
Access to the right data at the right time with the combination of metadata and full packet capture facilitates end-to-end visibility, and enables enterprises to detect, triage, investigate and respond to threats and incidents with speed, certainty, and confidence. It lets teams efficiently assemble the pieces of the data puzzle to create a clear picture of precisely what’s happening on their network.
The second article in this series will address how to increase agility and accelerate incident response.
About the Author
Cary Wright, VP Product Management at Endace, has more than 25 years’ experience in creating market-defining networking, cybersecurity, and application delivery products at companies including Agilent, HP, Ixia, and NEC. firstname.lastname@example.org, www.endace.com.