In today’s guest post, Dave Detweiler, Sales Director at SEI IT Services, provides some great insights into how network visibility can add value to your entire IT platform. Please enjoy -- JE
Full visibility in cybersecurity means gaining assurance that everything happening in and around a company's assets is known, or at least can be found when needed. Network visibility is a core element of it. The degree to which an organization can control risk tracks the degree of visibility it has built: you cannot manage what you cannot see. The purpose of visibility is to make the 3 Cs of security possible: context, correlation, and causation. So what is full visibility within the "network" pillar, and how does it contribute to full visibility across the enterprise?
To start, deploying firewalls and monitoring their logs is simply part of doing business these days. The next most common step adds a layer such as an intrusion detection system (IDS), a passive tool that watches a copy of network traffic (typically from a SPAN port or tap) and raises alerts. A step further is an intrusion prevention system (IPS), which sits inline and can block or reset the connections that match its rules rather than only alerting on them. The value of either tool is bounded by the precision of the rules written for the environment, a function of threat intelligence gathered both worldwide and within the business's own environment, combined with cybersecurity professionals who know how to write and tune rules. An imprecise IDS rule costs analyst time on false positives; an imprecise IPS rule can block legitimate business traffic, which is why new IPS signatures are usually run in detect-only mode and tuned before they are allowed to drop anything. The usefulness of both tools also depends on the vigilance of the team monitoring and responding to them. What neither tool can do, however, is alert on or act against traffic it cannot read.
Decrypting encrypted traffic is therefore a must for full control of risk in the network pillar. Most web and application traffic today is carried over TLS, and an IDS or IPS can only match signatures against what it can read: the TLS handshake (server name, certificate, cipher suite) stays visible, but the HTTP request, the transferred file, or the command-and-control message inside the session does not. Dedicated TLS inspection solutions close this gap without breaking business traffic: they terminate the session, decrypt it, hand the cleartext to the inspection tools, re-encrypt it, and forward it onward. Two practical caveats come with that. For outbound traffic the inspection device acts as a certificate authority, so its CA certificate must be trusted on every managed client, and applications that pin certificates will break unless they are exempted; for inbound traffic to your own servers the device needs the server's private key, and because TLS 1.3 uses ephemeral key exchange, passive decryption with that key no longer works, so the inspection point has to sit inline. Decrypted traffic and the keys that produce it are also among the most sensitive data on the network, so the inspection platform itself needs strict access control and logging, and categories such as financial or health sites are commonly exempted from decryption by policy.
File carving (reassembling files transferred across the wire so they can be hashed and scanned), signature matching, and behavioral analytics (spotting periodic beaconing, unusual data volumes, or new external destinations regardless of payload content) round out a well-rounded collection of network activity. Once the network toolsets have exposed everything that is happening and made it readable, security can apply controls and analytics to that information to understand it properly.
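To make the two inspection styles concrete, here is an added example (not code from SEI IT Services or the original post) that runs a small signature matcher and a beaconing analytic over a handful of constructed flow records. The record layout, rule names, patterns, thresholds and sample traffic are all assumptions made for the illustration. The command-injection request on port 80 trips a signature; the periodic TLS connections on port 443 trip nothing in the signature pass, because the rules only ever see the ClientHello, but the timing analytic still flags them:

```python
"""Signature matching beside a timing-based behavioral analytic.

Added example for this post; not code from SEI IT Services. The Flow layout,
rule names, patterns, thresholds and the sample traffic below are assumptions.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds; constructed values, not a real capture
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of client-to-server data


# Illustrative rules in the spirit of an IDS ruleset: (name, dest port, pattern).
SIGNATURES = (
    ("http-cmd-injection", 80, re.compile(rb"[;|&]\s*(?:cat|nc|bash|sh)\b")),
    ("http-sqli-tautology", 80, re.compile(rb"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE)),
)


def match_signatures(flow):
    """Names of rules whose pattern occurs in the readable payload."""
    return [name for name, port, pattern in SIGNATURES
            if flow.dport == port and pattern.search(flow.payload)]


def detect_beacons(flows, min_count=4, max_cv=0.1):
    """Flag (src, dst, dport) tuples with suspiciously regular connection timing.

    Only timestamps are used, so this works on encrypted sessions too.
    Returns a list of (src, dst, dport, median_interval_seconds).
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = []
    for key, times in by_tuple.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # A coefficient of variation near zero means near-constant spacing.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((*key, statistics.median(gaps)))
    return beacons


def inspect(flows):
    """Run both passes; returns {'signature': [(index, rule)], 'beacon': [...]}."""
    hits = [(i, name) for i, f in enumerate(flows) for name in match_signatures(f)]
    return {"signature": hits, "beacon": detect_beacons(flows)}


# A TLS 1.2-style ClientHello header followed by filler bytes (illustrative only).
TLS_CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03"
                    + bytes(range(32)) + b"\x00\x00\x02\x00\x35\x01\x00")

# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.0.5", "203.0.113.10", 80,
         b"GET /cgi-bin/test.cgi?x=1;cat /etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"),
    Flow(1005.0, "10.0.0.9", "203.0.113.10", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    # One host opens a TLS session to the same server about every minute.
    # The signature pass sees only the ClientHello; the request inside is encrypted.
    *[Flow(t, "10.0.0.7", "198.51.100.20", 443, TLS_CLIENT_HELLO)
      for t in (1000.0, 1060.0, 1121.0, 1180.0, 1240.0)],
]

if __name__ == "__main__":
    for kind, found in inspect(SAMPLE_FLOWS).items():
        print(kind, found)
```

The pairing makes the point of the preceding paragraphs: once the payload is encrypted the signature layer is blind, analytics on timing and volume keep working, and decryption is what brings signature matching and file carving back into play.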
Beyond stopping active threats on the network, collecting and inspecting all of this information pays off when an attack indicator fires somewhere else: an endpoint alert, a phished credential, or a notification from a third party. The security team then has the traffic history on hand for investigation and forensics, and can pivot from that single indicator to establish the 3 Cs: context (what the affected host did around the time of the alert), correlation (which other hosts touched the same destinations), and causation (the ordered sequence of events). In practice retention is a trade-off: full packet capture is expensive to keep for long, so many teams store full packets for days and lighter-weight metadata such as flow records, DNS queries, and TLS handshake fields for months. Exhaustive network security reinforces defense in depth by interrupting the execution of threats at multiple points within the infrastructure.
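As an added example of the pivot just described (not the original post's code), the following takes an alert raised by an endpoint tool on one host at a known time and works through a constructed store of retained flow records to assemble context, correlation, and an ordered timeline. The record format, the assumed internal address range, the window sizes, the alert and all of the traffic are assumptions made for the illustration:

```python
"""Pivoting from an alert raised elsewhere into retained flow records.

Added example for this post; not code from SEI IT Services. The record
format, internal range, window sizes, alert and traffic are constructed.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport bytes_out")

# Assumed corporate address space for the illustration.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed retained-traffic store (what a flow or packet archive would hold).
STORED_FLOWS = [
    Flow(100.0, "10.0.0.7", "203.0.113.50", 443, 1200),   # first contact with the suspect server
    Flow(160.0, "10.0.0.7", "203.0.113.50", 443, 800),
    Flow(170.0, "10.0.0.7", "10.0.0.20", 445, 90_000),    # SMB transfer to a second internal host
    Flow(200.0, "10.0.0.20", "203.0.113.50", 443, 1500),  # second host now talks to the same server
    Flow(220.0, "10.0.0.12", "198.51.100.9", 443, 400),   # unrelated activity
    Flow(900.0, "10.0.0.7", "203.0.113.50", 443, 700),    # outside the investigation window
]


def is_internal(addr):
    """True when the address falls inside the assumed corporate range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flows_for_host(flows, host, at, before=120.0, after=60.0):
    """Context: everything the alerting host sent or received around the alert time."""
    lo, hi = at - before, at + after
    return sorted((f for f in flows if host in (f.src, f.dst) and lo <= f.ts <= hi),
                  key=lambda f: f.ts)


def external_peers(flows):
    """External destinations seen in a set of flows."""
    return {f.dst for f in flows if not is_internal(f.dst)}


def correlate(flows, host, at):
    """Correlation: which other internal hosts reached the same external peers.

    Returns (context_flows, external_peers, other_hosts).
    """
    ctx = flows_for_host(flows, host, at)
    peers = external_peers(ctx)
    others = sorted({f.src for f in flows if f.dst in peers and f.src != host})
    return ctx, peers, others


def timeline(flows, hosts):
    """Causation support: every retained event for the involved hosts, in time order."""
    return sorted((f for f in flows if f.src in hosts or f.dst in hosts),
                  key=lambda f: f.ts)


if __name__ == "__main__":
    # Constructed alert: an endpoint tool fired on 10.0.0.7 at t=175.
    ctx, peers, others = correlate(STORED_FLOWS, "10.0.0.7", 175.0)
    print("context:", [(f.ts, f.dst, f.dport) for f in ctx])
    print("external peers:", peers, "also contacted by:", others)
    for f in timeline(STORED_FLOWS, {"10.0.0.7", *others}):
        print(f"{f.ts:6.0f}  {f.src} -> {f.dst}:{f.dport}  {f.bytes_out} bytes")
```

With the stored records the single endpoint alert expands into the first contact with the external server, the internal transfer that followed, and the second host that then began talking to the same server; without retention, the investigation would have only the alert itself.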
But even the best tools on the market have blind spots. Breadth of coverage across these layers helps close security gaps in the network pillar, move toward full visibility, and let IT teams get a good night's sleep.