This blog post is the third in a series that examines the results of a recent network security infrastructure survey conducted by SANS Institute. It highlights key takeaways for network and security operations professionals to consider.
Despite advances in cybersecurity and application performance management, today's enterprises still struggle to achieve full visibility into network interdependencies, which hampers both performance triage and threat mitigation. For example, in the latest SANS survey, Network Security Infrastructure and Best Practices (2017), only 31% of respondents had achieved a completely centralized security architecture to manage and secure their networks. For the rest, security analysis must often be performed remotely, with traffic hauled from distributed sites back to the analysis tools, which can itself degrade network and application performance. Network downtime or reduced performance of business applications is not what network ops want to hear about!
The throughput of security tools, which perform processing-intensive tasks such as deep packet inspection, often lags behind the network infrastructure they monitor. The bulk of security systems (more than 50%, according to the same SANS report) operate at 1G to 10G, while core data center networks are transitioning to 10G, 40G and even 100G. Rip-and-replace is not an option for these often-costly systems, and security tools operating at 40G / 100G speeds may not be available at all. Thus, any upgrade in the data center must take into account its impact on security ops: an inline tool rated below the link speed becomes a bottleneck, and an out-of-band tool fed more traffic than it can process silently drops packets and misses the threats contained in them.
Compounding the issue, separation of duties creates silos of visibility. Security ops may not see all the traffic that would help them identify and combat threats, while network ops are understandably concerned that rollouts of new security systems will degrade performance. Can shared visibility bring the two teams together?
SANS recommends that security and network operations teams coordinate with each other to make sure that security and performance monitoring priorities align. Questions you might want to consider jointly include:
- Is bandwidth adequate at times of highest demand?
- Do security systems contribute to creating choke points?
- Do you have silos of visibility into network traffic?
- Can you detect malicious behaviors at all times?
- Do you have plans to logically separate your production network from your monitoring infrastructure?
Organizations need a more resource-efficient, performance-friendly approach to network and security monitoring that complements traditional methods and architectures in modern distributed environments. Improved cross-visibility can streamline operations for both NOCs and SOCs, helping you drive operational efficiency and achieve the shared goals of performance and security. Download the full SANS report to learn more.