How to Improve Situational Awareness for Enterprise Security

EA: Reggie, do most IT or security teams have a good understanding of the things connected to and running on their network?

RB: I am alarmed by how little authoritative understanding many IT network and security teams have about the current state of their networks. This is true of large, physical, static networks, where one can still point to much actual infrastructure sitting in data centers or closets. In those environments, it is customary for 20% or more of assets identified in a competent scan to be unknown to the IT team. And that visibility challenge is exacerbated in modern networking environments by the dynamic change involving mobile endpoints, virtualized compute, virtual network functions, private and public cloud, and the emergence of software-defined everything. Those scenarios are even more opaque as infrastructure and assets can be transitory – here today, gone later today. The best scanning tools will miss that activity. Some academic research indicates as much as 40-50% of endpoints are being missed by periodic vulnerability scanning with the proliferation of mobile. Something real-time is needed from a visibility perspective.

EA: Does a lack of visibility into an enterprise network create problems for handling live incidents?

RB: Absolutely. Lacking enterprise network visibility is like trying to prosecute a ground war without a precise understanding of the terrain. If you don’t know what the infrastructure is, where the edge is, what endpoints you have, how they’re connected, and what routes are present, then there’s no way to quickly and efficiently handle incidents that may lead to a breach. Mostly, you won’t even know the incident happened. Visibility, monitored and provided in real time, needs to be the foundation upon which a modern security program is developed.

EA: Lots of CISO teams talk about situation awareness today. Do you see network discovery, scanning, and inventory as critical tasks to support this objective?

RB: Yes, these activities are table stakes. Fully indexing what you have via a combination of passive monitoring plus active interrogation, such as putting probe packets on the wire to hunt actual pathways, is the best method of achieving situational awareness.

EA: With the shift in most enterprise networks to cloud-based virtual operations, how does this affect the task of performing network discovery and situational awareness?

RB: The biggest challenge we’ve seen with cloud and virtual operations is the need for real-time support. Often these instances may be silos with dispersed administrative rights and access. Network and security teams have limited control over what may be happening in these shadow IT instances. We once had a technologically savvy customer who was doing DevOps in the cloud. They used a VPN from their enterprise network into a virtual private cloud (VPC) instance provided by a public Infrastructure as a Service (IaaS) cloud provider – a common configuration and scenario in the enterprise. At one point, the security team identified a new virtual machine being spun up in the IaaS VPC, which by itself isn’t a bad thing, as developers are working with instances up there. However, when actively probed, shortly after it came online, that virtual machine was acting like a packet forwarder, decrementing TTL like an IP routing element. Following on with an automated leak path analysis, it was found that the VM was forwarding traffic outside the VPC instance to the Internet. The edge of the enterprise network had been changed dynamically. But this was only visible for the times when that VM snapshot was run. Without real time, the evidence of that activity would have been difficult to reconstruct. And an expert would have had to search forensically, after the fact, through logs from various systems.

EA: Do you see a shift in inventory management and discovery from a hardware asset focus to a more software-oriented focus?

RB: While hardware inventory and discovery isn’t going away, there is an inclination towards more assets being virtualized. Those include virtual server instances, endpoints, or hosts, running various operating systems and applications. Increasingly, virtualized and software-defined network functions, like routers, firewalls, switches, load-balancers, and proxies, are being utilized within enterprise and service provider environments. Inventory management and discovery need to keep up by being real-time sensitive.

EA: How important are visualizations in demonstrating network inventory, asset management, and situational awareness?

RB: Our customers are keen on the rendering of indexed information and anomalies in a visual way. Especially with large and complex networks, it takes too long to identify problems by sifting through tables with hundreds or thousands of line items. We spend a lot of time on maps, charts, graphs and other rendered visualizations that involve beaconing, color changes of nodes or edges, and graphical illustration of outliers to highlight where an anomaly may exist. The objective is faster time to detection, repair and remediation. Visual representation of that information is vital.