Networks are getting faster, IT is migrating to the cloud, applications are sharing the web and people are bringing their own devices to work. These factors, coupled with the fact that the bad guys are playing a smarter game than they’ve ever played before, have a profound impact on the way that organizations must start behaving. If you are responsible for protecting a mission-critical network, here are eight things that you need to think about:
1. Record network traffic for the purposes of forensics
You will never make sense of a security breach without a complete record of every last packet after the fact. Event and log management can indicate some type of breach occurred, but without having all the data to reconstruct the precise activity of the session, your company will not be able to determine if the attackers merely got onto a system, versus having gotten away with sensitive data.
2. Use recorded traffic for retrospective threat detection
The fact that your IDS or IPS didn’t alert you on an attack at the first pass doesn't mean that there wasn’t one there. It simply means that your rules engine didn’t know about it. If you record traffic, you can re-run it through your network security systems the next day or the day after with updated rule sets. With network recording you reduce the risk of being caught out by a zero-day attack.
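The retrospective pass described above, as an added example that is not part of the original article or any Endace product: a constructed, in-memory pcap file is parsed (Ethernet/IPv4/TCP, checksums left zero), run once against a rule set as it stood on the day of capture, then again against an updated rule set, and only the new hits are reported. The packet contents, rule names and the signature string are all constructed for illustration; real rules would come from your IDS/IPS supplier or your own team.

```python
"""Re-run recorded traffic against an updated rule set (added example, constructed data)."""
import struct

# Classic libpcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet + IPv4 + TCP frame; checksums are zero, which is fine for parsing."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames, base_ts=1_700_000_000):
    """Wrap frames in pcap record headers, one second apart (constructed timestamps)."""
    out = bytearray(PCAP_GLOBAL)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def iter_pcap(data):
    """Yield (timestamp, frame_bytes) for every record in a little-endian pcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return the TCP 5-tuple fields and payload, or None for non-IPv4/TCP frames."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "sport": sport, "dport": dport, "payload": tcp[data_offset:]}


# Rules are (name, destination port or None for any, byte pattern); names and patterns are constructed.
RULES_DAY_OF_CAPTURE = [("http-trace-method", 80, b"TRACE ")]
RULES_UPDATED = RULES_DAY_OF_CAPTURE + [("newly-published-signature", 80, b"constructed-scanner/1.0")]


def run_rules(pcap_bytes, rules):
    """Apply every rule to every TCP packet; return (timestamp, rule, src, dst) alerts."""
    alerts = []
    for ts, frame in iter_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for name, port, needle in rules:
            if (port is None or pkt["dport"] == port) and needle in pkt["payload"]:
                alerts.append((ts, name, pkt["src"], pkt["dst"]))
    return alerts


def retrospective_hits(pcap_bytes, old_rules, new_rules):
    """Alerts the updated rules raise on recorded traffic that the original rules did not."""
    already_seen = {a[1:] for a in run_rules(pcap_bytes, old_rules)}
    return [a for a in run_rules(pcap_bytes, new_rules) if a[1:] not in already_seen]


# Constructed recording: one ordinary request and one carrying the pattern the newer rule knows about.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.80", 40001, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    build_frame("10.0.0.9", "10.0.0.80", 40002, 80,
                b"GET /admin HTTP/1.1\r\nUser-Agent: constructed-scanner/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    print("alerts on day of capture:", run_rules(SAMPLE_PCAP, RULES_DAY_OF_CAPTURE))
    for ts, name, src, dst in retrospective_hits(SAMPLE_PCAP, RULES_DAY_OF_CAPTURE, RULES_UPDATED):
        print(f"retrospective hit at {ts}: {name} {src} -> {dst}")
```

The first pass raises nothing; the second pass, run over the same recording with the updated rule set, surfaces the request from 10.0.0.9 with its original timestamp, which is exactly the evidence you would want when asking whether a newly published signature has already fired on your network. Substituting a real IDS engine for `run_rules` does not change the workflow: the recording is the input, the rule set is the variable.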
3. Get visibility into the application layer
You can’t truly know where you are vulnerable until you have complete visibility into exactly what’s traversing the network in real time. Different applications have different risk profiles, and you need to know which applications are present on your network and who is using what. With more and more applications sharing a common port, the ability to distinguish between applications at layer 7 is critical.
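The layer-7 distinction the paragraph calls for, as an added example that is not code from the original article or from Endace: the first client bytes of each TCP stream are fingerprinted (TLS ClientHello, SSH banner, HTTP request line) independently of the destination port, the result is rolled up into an inventory of which hosts use which application on which port, and any application that does not match what a port is expected to carry is flagged. The flows, addresses and the expected-port table are constructed for illustration.

```python
"""Application identification from payload rather than port (added example, constructed data)."""
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify(payload: bytes) -> str:
    """Name the application from the first client-to-server bytes of a TCP stream."""
    # TLS: record type handshake (0x16), version 3.x, handshake type ClientHello (0x01) at offset 5
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    # SSH: protocol version exchange always starts with "SSH-"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # Plaintext HTTP: a method followed by a request line ending in HTTP/1.x
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload[:256]:
        return "http"
    return "unknown"


def inventory(flows):
    """flows: iterable of (client_ip, dst_port, first_payload). Returns {(dst_port, app): {clients}}."""
    seen = defaultdict(set)
    for client, port, payload in flows:
        seen[(port, classify(payload))].add(client)
    return dict(seen)


def port_app_mismatches(inv, expected):
    """(port, app, clients) entries where the observed application is not what the port should carry.

    Ports with no entry in `expected` are left alone; `unknown` on a known port is reported too.
    """
    return sorted((port, app, sorted(clients))
                  for (port, app), clients in inv.items()
                  if port in expected and expected[port] != app)


# Constructed first-payload samples; the ClientHello is truncated to the bytes the classifier reads.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A, 0x01, 0x00, 0x00, 0x26, 0x03, 0x03]) + b"\x00" * 32
FLOWS = [
    ("10.1.1.10", 443, CLIENT_HELLO),                                           # TLS where expected
    ("10.1.1.11", 443, b"GET /api/v1/status HTTP/1.1\r\nHost: svc\r\n\r\n"),    # plaintext HTTP on 443
    ("10.1.1.12", 443, b"SSH-2.0-sample\r\n"),                                  # SSH riding on 443
    ("10.1.1.13", 80, b"POST /upload HTTP/1.1\r\nContent-Length: 0\r\n\r\n"),   # HTTP where expected
    ("10.1.1.14", 8443, b"\x00\x00\x00\x01\xff"),                               # binary protocol, no expectation
]
EXPECTED_BY_PORT = {443: "tls", 80: "http", 22: "ssh"}

if __name__ == "__main__":
    inv = inventory(FLOWS)
    for (port, app), clients in sorted(inv.items()):
        print(f"port {port:5d} {app:8s} {sorted(clients)}")
    for port, app, clients in port_app_mismatches(inv, EXPECTED_BY_PORT):
        print(f"mismatch: port {port} is carrying {app} from {clients}")
```

Port 443 alone shows three different applications here, which is the point of the paragraph: a port-based view would report "HTTPS" for all three, while the payload view separates the TLS session from the plaintext HTTP and the SSH session sharing the port. A production classifier would also look at the server's first bytes and at whole-stream statistics, but the same inventory and mismatch structure applies.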
4. Don’t oversubscribe your systems
When resources are constrained and space is limited, there’s a natural tendency to push more traffic through systems than they can actually handle. What a security system---such as an IDS or IPS---says it can handle and what it can actually handle are frequently two different things. It’s essential that you understand what throughput your systems can handle before they start missing important events and exposing you to unnecessary levels of risk.
5. Take into account the demands of tomorrow, today
As you make strategic decisions about which systems you’re going to use to protect your organization, make sure you think about the way your network is changing. For many large organizations, 40Gbps networking will become a reality inside the next system refresh cycle (3-4 years). When your core infrastructure upgrades, will your tools be able to keep up? To avoid the need to retrain your teams and switch hardware vendors, work with vendors that can show you a 40 and 100Gbps roadmap today.
6. Use a common data source
Network security---and monitoring tools for that matter---all rely on captured packets to generate intelligence. One way to improve your security posture is to ensure that all your tools are sharing the same source of 100 percent accurate traffic, either by putting them all behind a single accurate source of packet capture or by co-locating them on a common platform.
7. Think about your rules
Your network and your traffic are uniquely yours, and for that reason it’s critical that the rules you choose to run on your network security systems are relevant to you. By understanding your traffic profile and insisting on a network security platform that enables you to choose your rule supplier and write your own rules where necessary, you can dramatically improve your posture.
8. Take an inventory of your business and security requirements
Compare your business and security requirements to what’s actually happening. For most companies there’s a significant delta between what the business side and security side want to capture and analyze on the network, versus what is actually being captured and analyzed. Ask yourself the following questions:
- Is the business getting information it needs to be secure?
- Which security solutions are leaking data or not getting the whole picture?
- What hardware and software are due for replacement?
- Are there consolidation opportunities?
By dedicating more attention to your network visibility efforts---combined with sound security practices---your organization will be in a better position not only to protect itself, but to correct network anomalies.
Tim Nichols joined Endace in September 2009 and is currently vice president of Global Marketing. Tim has an extensive background in B2B and B2C technology marketing in the cellular industry. Before joining Endace, Tim was responsible for leading the development of the marketing, brand and communications strategy at Two Degrees Mobile Ltd — New Zealand's third mobile carrier, which successfully launched in August 2009. Tim is originally from the UK, where he worked at BT, and was instrumental in the planning and launch of 3UK, Hutchison's 3G mobile arm.