Friday, October 21, 2011

Agile Security Manifesto #5 - You Can't Protect What You Can't See

Security administrators often say, “I wish someone could just show me what’s on my network.” This pain is at the heart of the problem with most security solutions today: they lack visibility into the network. This is why Agile Security Manifesto principle #5 is so important - "Security without awareness is not security. You cannot protect what you cannot see."

The need for visibility in network security centers around the cornerstone of network security: accuracy. Blocking valid traffic is more than just an inconvenience in networking; it can lead to lost revenue, decreased productivity and, in some very real occurrences, job loss. This is the reason that many networks deploy security in an alert-only capacity. But alerting to too many possible security breaches reduces security effectiveness as well. The amount of event data presented to administrators for review can quickly overwhelm reviewers, who will eventually choose to ignore at least large portions of event data in favor of less mind-numbing and menial tasks.

A newer challenge to security solutions is the frequency of change among network assets. Fueled by the consumerization of technology, application euphoria, virtual creep, and the separation of security teams from other network teams, new devices appear on and disappear from today’s networks without any notification to security administrators. New devices bring new operating systems and applications, which in turn bring new vulnerabilities to the network.

Security solutions today need visibility not only into network traffic, but into the assets that make up the network. This can occur in a number of ways, but those methods must be automated because of the frequency of change discussed above. Attempting to manually keep an inventory of devices, operating systems, applications and vulnerabilities will fail quickly in a network of any material size. Using automated vulnerability scanners, asset tracking tools, or passive traffic monitoring to determine the network’s assets lets technology do what technology does best: automating menial tasks.

Gathering information is the first step in any well-designed decision-making process. Only when we have ongoing visibility into the network’s devices, operating systems, applications, files and vulnerabilities can we make informed decisions about whether traffic and files are valid or malicious. This visibility can also be used to reduce unnecessary alerting by correlating attacks to assets. For example, an attack detected against a resource that does not exist, or that is not vulnerable to that specific attack, is irrelevant and can easily be eliminated from the alert logs. Taken a step further, a thorough inventory of network assets allows security policy to be automated: a fully customized policy evolves as devices enter and exit the network.
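As an added illustration of the alert-to-asset correlation described above (example code written for this post, not part of the original or of any product), the snippet below checks each alert against an asset inventory and drops events whose target does not exist, runs a different OS, lacks the affected application, or runs a version the signature does not apply to. The inventory addresses, product names and versions are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Asset:                      # one host as the inventory sees it
    ip: str
    os: str
    apps: Dict[str, str]          # application name -> installed version

@dataclass
class Alert:                      # one IDS event plus its signature's preconditions
    target_ip: str
    signature: str
    affects_os: Set[str] = field(default_factory=set)        # empty = any OS
    affects_app: Optional[str] = None                        # None = OS-level only
    affects_versions: Set[str] = field(default_factory=set)  # empty = any version

# Constructed sample inventory: addresses, products and versions are made up.
INVENTORY: Dict[str, Asset] = {
    "10.0.0.5": Asset("10.0.0.5", "linux", {"httpd": "2.4"}),
    "10.0.0.9": Asset("10.0.0.9", "windows", {"webserver": "8.5"}),
}

def relevance(alert: Alert, inventory: Dict[str, Asset]) -> str:
    """Say why an alert is (or is not) actionable on this network."""
    asset = inventory.get(alert.target_ip)
    if asset is None:
        return "no-such-asset"           # target does not exist here
    if alert.affects_os and asset.os not in alert.affects_os:
        return "os-not-affected"         # wrong platform for this signature
    if alert.affects_app is not None:
        version = asset.apps.get(alert.affects_app)
        if version is None:
            return "app-not-present"
        if alert.affects_versions and version not in alert.affects_versions:
            return "version-not-vulnerable"
    return "relevant"

def triage(alerts: List[Alert], inventory: Dict[str, Asset]) -> Tuple[List[Alert], Dict[str, int]]:
    """Keep the alerts worth a reviewer's time; tally the reasons the rest were dropped."""
    keep, dropped = [], {}
    for alert in alerts:
        why = relevance(alert, inventory)
        if why == "relevant":
            keep.append(alert)
        else:
            dropped[why] = dropped.get(why, 0) + 1
    return keep, dropped
```

The tally returned by triage is itself useful visibility: a large "no-such-asset" count usually means the inventory is stale, not that the sensor is wrong.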

The benefits of security with automated visibility are clear: reduced administrative workload, improved accuracy, a reduction in alert logs, more accurate reporting for internal decisions and for compliance. The drawbacks of security without visibility are real and will keep security solutions at least one step behind the well-organized and well-educated hacking groups threatening networks today.
