Dan Ramaswami, Vice President of Field Engineering, Netography
The atomized network is defined by its dispersed, ephemeral, encrypted, and distributed nature. For example, consider an employee that is working from home, on a personal laptop, accessing enterprise resources in the cloud – they have completely bypassed the traditional network perimeter model, where all traffic is funneled through a central location; and by doing so, the atomized network introduces new security challenges.
Now consider the “IP address to IP address” model of network visibility. Relying on just an IP address makes it more difficult to ascertain which specific user or device is connecting to which specific application or service. Likewise, the frequency with which network services are encrypted makes it difficult to gain any visibility into the context of the traffic. Organizations need a new approach to visibility of network activity. This view needs to be contextual so analysts can see the five Ws behind the IP. Let’s delve into this a bit more.
Uncovering the five Ws: Use the whole buffalo
Nose-to-tail eating is a culinary movement that encourages chefs to use every part of the animal when they cook. We can apply this same principle to network visibility. From network infrastructure to endpoint security to visibility in the cloud, there is a plethora of valuable metadata sitting in every organization, eager to be consumed and it comes in the form of flow data.
Flow data is metadata generated by on-prem devices and cloud services that provide insight very similar to what can be gleaned from firewall logs. When flow data is properly ingested, analyzed, and combined with organizational context it can provide a foundation for successful investigation into the five Ws: who, what, when, where, and why.
Looking beyond “IP to IP” enables organizations to see which person is connecting to which service. Without this context it might be impossible to say whether a middle-of-the-night connection is a hard-working executive preparing to close a deal, a clueless employee misusing company resources, or a foreign adversary attacking your organization.
Active Directory (AD) and identity and access management (IAM) solutions provide the context needed to answer the question “who?”. Metadata from AD and IAM solutions can help identify the user, their department, their management structure, and where they are located.
Endpoint detection and response (EDR) solutions and configuration management databases (CMDB) provide the context needed to answer the question “what?” EDR solutions provide detailed information about the endpoint, including who is logged in, the last time policies were updated, the current patch level and the basic input/output system (BIOS) information. CMDB specifies what patch levels should be. Comparing patch levels between CMDB and EDR helps to determine the potential impact of an event.
Metadata from network infrastructure repositories, such as Confluence, help provide the context needed to answer the question “where?” However, there is also a fair bit of organizational system knowledge that is required to help provide more context to this information. For example, an organization might reserve the first 15 IP addresses in a Class C IP address range for its routers. This sort of context can be valuable, but difficult to ascertain without having the organizational knowledge immediately on hand during an investigation.
There is no doubt that the information exists to apply organizational context. It exists in all of the tools we discussed above, CMDB, EDR, Confluence, etc. Swiveling between these tools is effective in that all sources of truth can be queried, but this can be a daunting and arduous task. In fact, it is quite time consuming to try to respond to incidents and alerts by manually switching between all of these disparate tools and solutions. That is why network visibility solutions are still a fundamental piece of the pie–they just need to evolve to consume flow data from both traditional on-prem and cloud services as well as dressing the metadata with the context available from all of these various sources.
By looking beyond the IP address, organizations can begin to gain more granular insights and enforce more granular controls, such as blocking certain departments from accessing certain services or requiring multi-factor authentication for certain devices and connections. In doing so, organizations gain a much more comprehensive view of their network architecture and much more control over how it operates.
