On the heels of the Equifax data breach, IT teams are bracing themselves for an onslaught of questions from the C-Suite: What preventative measures can we take to ensure a breach like this doesn’t happen to us? How can we be better prepared to isolate a cyber-attack in the event our network is compromised?
The answers are multi-faceted and demand more than a simple three-step plan to ensure security teams are adequately monitoring the network. A recent NetBrain survey found that network security is the number one initiative for organizations, as 64% say they plan to invest heavily in security over the next two years.
However, continued investments in bad practices will not solve the problem. If organizations are serious about bolstering their security, a new approach is required.
A rapidly changing threat landscape
The growing use of mobile devices and software-as-a-service (SaaS) applications makes securing the network more challenging than ever. Faster network connections and more remote users are forcing security teams to consider where and how to provide protection. Further, traffic now flows in every possible direction due to the transition from monolithic (single application per server) to a tiered application approach with diverse traffic patterns.
Security professionals must manage many activities and issues that affect the network, one of which is the proliferation of IoT. The Internet of Things has broad implications for consumer devices, but many devices in the enterprise also have an IP address, from document scanners to lab equipment and even coffeemakers. This makes identifying, tracking and securing those devices difficult, as many of them communicate only over port 80, ship with insecure passwords or are hardcoded to use only the 192.168.0.0/24 address space.
Future network strategies must consist of securing multiple platforms as well as an expanding network perimeter. Even the transition to software-defined networking (SDN) presents unique challenges for networks as complexity is abstracted and troubleshooting through traditional tactics is rendered less effective. The landscape is changing, and black hats are still steps ahead of most organizations when it comes to security. It’s easy to sit here and point out all the problems and challenges that network teams face, but how do they address them?
Security teams can’t protect what they can’t see
The simple reality is that identifying threats and troubleshooting attacks is primarily about visibility. In most cases, the methods network and security teams use to collect and analyze data are manual and labor-intensive. These traditional network-management methods often yield either limited visibility or an overload of information that gives network engineers little actionable data.
To create network diagrams, an engineer needs to type show commands box-by-box to slowly build a list of devices, how they’re connected and how traffic flows. This takes a tremendous amount of time and is error-prone. Even reliable documentation only provides limited configuration data, such as hostnames and IP addresses.
Even more frustrating is that network diagrams are quickly obsolete if not updated frequently. Case in point: NetBrain’s research found that 61% of engineers say that up to half of their network documentation is out of date, with 44% of respondents indicating that it’s been more than one month since they last updated their network diagrams.
When IT teams lack visibility into the network, it’s nearly impossible to effectively mitigate potential threats. Visibility extends beyond just documentation, as the command-line interface (CLI), IDS/IPS monitoring tools and internal collaboration problems all create added visibility challenges for network teams. Organizations should be automating documentation and basic troubleshooting processes to gain instant visibility and have the tools at hand to mitigate threats as quickly as possible.
Automation is an answer
Most network teams are just beginning to implement workflow automation into their security processes. As a result, many of the same manual processes become a challenge in verifying network hardening policies and troubleshooting cyberattacks.
Currently, most organizations manually check devices against network hardening best practices and regulations to ensure that they are configured to the correct standard, that traffic is not permitted into restricted areas and that hardware is patched frequently to close vulnerability gaps. For enterprise organizations, managing hardening this way is tedious and mostly ineffective, and it can take days to understand the impact of a single vulnerability. As a result, many organizations fail to keep their networks access-hardened because enforcing mandatory standards becomes problematic.
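What the automated version of that hardening check looks like, as an added example that is not NetBrain's code: a small policy engine run over a constructed Cisco-style configuration, where the rule set and the sample config are assumptions chosen for illustration.

```python
"""Added example (not NetBrain's code): an automated hardening check that
flags common configuration weaknesses in a constructed Cisco-style config.
The policy rules and the sample config are assumptions for illustration."""
import re

# Constructed sample config (illustrative only, not from any real device).
SAMPLE_CONFIG = """\
hostname core-sw1
no service password-encryption
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login
line con 0
 password cisco
"""

# Each rule: (name, regex, expected). expected=True means the pattern must
# be present in the config; expected=False means it must be absent.
POLICY = [
    ("password-encryption", r"^service password-encryption$", True),
    ("no-telnet",           r"^ transport input .*\btelnet\b", False),
    ("no-default-snmp",     r"^snmp-server community (public|private)\b", False),
    ("ssh-v2-only",         r"^ip ssh version 2$", True),
    ("aaa-enabled",         r"^aaa new-model$", True),
]

def check_hardening(config: str, policy=POLICY) -> list:
    """Return the names of the policy rules this config violates, in policy order."""
    violations = []
    for name, pattern, expected in policy:
        present = re.search(pattern, config, re.MULTILINE) is not None
        if present != expected:
            violations.append(name)
    return violations

def hardening_report(configs: dict) -> dict:
    """Run the checks across many devices at once (hostname -> violations)."""
    return {host: check_hardening(cfg) for host, cfg in configs.items()}

if __name__ == "__main__":
    for host, issues in hardening_report({"core-sw1": SAMPLE_CONFIG}).items():
        print(host, "violates:", ", ".join(issues) or "nothing")
```

Pointing the same `hardening_report` at a directory of backed-up configs turns a days-long manual audit into a repeatable check that can run on every config change.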
This becomes equally challenging when it comes to reactive workflows, where the objective is to mitigate active threats. Often, organizations leverage IDS, IPS or security information and event management (SIEM) tools to alert administrators when someone is trying to maliciously compromise the network. The steps that follow an IDS alert, however, are largely manual, requiring IT teams to trace the path from the breached endpoint, which can take hours. Then IT teams need to assess the performance impact of the attack, and check to see if the threat is ongoing.
Not until teams have enough information to determine which ports the attack is originating from and which devices are affected can they shut down a port or add an access-list to mitigate the attack. Often the attack compromises a single computer, so identifying that one device among the hundreds, thousands or even tens of thousands of devices on the network is extremely tedious.
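The endpoint-to-port trace described above, as an added example that is not NetBrain's code: the alerted IP is resolved to a MAC address from a constructed `show ip arp` output, the MAC is located in a constructed `show mac address-table` output, and the quarantine access-list is drafted. The switch names, addresses and the rule that port-channels are uplinks are all assumptions.

```python
"""Added example (not NetBrain's code): automate the first step after an IDS
alert by mapping the alerted IP to the switch port it sits on, using constructed
'show ip arp' and 'show mac address-table' output, then drafting the ACL."""
import re
from typing import Optional

# Constructed command output, illustrative only (not from a real network).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.5.17              4   0050.56a1.3c2e  ARPA   Vlan20
Internet  10.20.5.1               -   0000.0c9f.f014  ARPA   Vlan20
"""
SHOW_MAC_TABLE = {"access-sw3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0050.56a1.3c2e    DYNAMIC     Gi1/0/12
  20    0000.0c9f.f014    DYNAMIC     Po1
"""}
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA", re.M)
MAC_RE = re.compile(r"^\s*\d+\s+([0-9a-f.]{14})\s+\S+\s+(\S+)", re.M)

def ip_to_mac(arp_output: str, ip: str) -> Optional[str]:
    """Return the MAC the gateway has cached for ip, or None if unknown."""
    for addr, mac in ARP_RE.findall(arp_output):
        if addr == ip:
            return mac
    return None

def mac_to_port(mac_tables: dict, mac: str) -> Optional[tuple]:
    """Return (switch, port) where mac is learned on an access port.
    Port-channels (Po*) are treated as uplinks and skipped (assumption)."""
    for switch, table in mac_tables.items():
        for learned, port in MAC_RE.findall(table):
            if learned == mac and not port.startswith("Po"):
                return switch, port
    return None

def locate_endpoint(ip: str, arp_output: str, mac_tables: dict) -> Optional[tuple]:
    """Chain the two lookups: alerted IP -> MAC -> (switch, port)."""
    mac = ip_to_mac(arp_output, ip)
    return mac_to_port(mac_tables, mac) if mac else None

def quarantine_acl(ip: str) -> list:
    """Draft the access-list lines that would isolate the located host."""
    return ["ip access-list extended QUARANTINE", f" deny ip host {ip} any", " permit ip any any"]

if __name__ == "__main__":
    print(locate_endpoint("10.20.5.17", SHOW_IP_ARP, SHOW_MAC_TABLE))  # ('access-sw3', 'Gi1/0/12')
```

On a real network the two command outputs would be collected from the gateway and every access switch, which is exactly the box-by-box step that is worth automating.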
These manual processes need to be eliminated, so that IT teams can instantly have the information they need to begin the mitigation and troubleshooting process. Every day that an organization relies on manual processes is another day that their network is at risk.
As the importance of and reliance on technology grow and create even higher degrees of complexity, these issues will only become more difficult. Organizations must be ready to close their vulnerabilities by enabling full visibility into the network and providing network tools which foster collaboration between network and security teams. Failure to do so could result in a costly data breach like those we’ve seen many times before.