One thing network and security professionals can wholeheartedly agree on is that malicious attacks by bad actors are a constant threat, and that defending against them isn't simple. Attackers have access to a constantly expanding toolbox of techniques, and at the same time the growth of cloud-based services and remote work has expanded the footprint that security and network operations teams must safeguard. Neither team can cover that footprint alone, which makes collaboration between them a mission-critical imperative.
CIOs and CISOs are under increasing pressure to develop network security strategies that embrace common goals and collaborative processes.
One important first step is to consider adopting a common network security technology stack that helps security and network operations teams work collaboratively. According to a recent white paper by Enterprise Strategy Group (ESG), such a technology stack should include the following:
Stateless protection devices in front of stateful firewalls. CISOs should consider implementing stateless protection devices in front of stateful firewalls to help block threats such as command-and-control (C2) traffic, state-exhaustion distributed denial-of-service (DDoS) attacks and known bad DNS domains. Such devices require timely and accurate threat intelligence that continually updates blocking lists in real time in order to be effective. Using these types of devices can help protect stateful network infrastructure, filter out known cyberattack traffic, and enable IT operations teams to maintain peak network performance for business requirements.
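The passage above describes the stateless filter's job in the abstract. The following is an added example, not code from the page or from the ESG white paper: a minimal stateless blocklist filter that checks each packet's addresses against a threat-intelligence IP blocklist, extracts the question name from raw DNS queries to match against a domain blocklist (parents of a name match too), and refuses to trust a feed that has gone stale. Because nothing about earlier packets is consulted, the filter itself holds no per-connection state for an attacker to exhaust. The feed entries, packets, 15-minute freshness budget and fail-open behaviour on a stale feed are all assumptions constructed for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ThreatFeed:
    """Blocklists plus the time of the last successful feed update."""
    bad_networks: list          # ipaddress.ip_network objects
    bad_domains: set            # lower-case domain names; subdomains match too
    updated_at: datetime
    max_age: timedelta = timedelta(minutes=15)   # assumed freshness budget

    def is_stale(self, now: datetime) -> bool:
        return now - self.updated_at > self.max_age


def parse_dns_qname(payload: bytes) -> Optional[str]:
    """Return the question name from a DNS query, or None if the message is
    not a well-formed query. Only uncompressed labels are accepted, which is
    all a client's question section uses."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:     # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:
            return ".".join(labels).lower() if labels else None
        if length & 0xC0:                   # compression pointer or reserved bits
            return None
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:            # truncated packet
            return None
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return None


def domain_blocked(qname: str, bad_domains: set) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in bad_domains for i in range(len(parts)))


def ip_blocked(addr: str, bad_networks: list) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in bad_networks)


def filter_packet(pkt: dict, feed: ThreatFeed, now: datetime) -> tuple:
    """Stateless verdict on one packet: ('drop' | 'pass', reason)."""
    if feed.is_stale(now):
        # A stale feed silently stops matching new attacker infrastructure;
        # this assumed policy fails open to the firewall but names the condition.
        return ("pass", "feed stale; passing to stateful firewall, alert operator")
    for side in ("src", "dst"):
        if ip_blocked(pkt[side], feed.bad_networks):
            return ("drop", f"{side} {pkt[side]} on IP blocklist")
    if pkt.get("proto") == "udp" and pkt.get("dport") == 53:
        qname = parse_dns_qname(pkt.get("payload", b""))
        if qname and domain_blocked(qname, feed.bad_domains):
            return ("drop", f"DNS query for blocklisted domain {qname}")
    return ("pass", "no indicator matched")


def build_dns_query(name: str) -> bytes:
    """Construct a minimal DNS A query for the sample packets below."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # RD set, QR clear
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed feed and packets; none of these are real indicators.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FEED = ThreatFeed(
    bad_networks=[ipaddress.ip_network("203.0.113.0/24")],
    bad_domains={"evil.example"},
    updated_at=NOW - timedelta(minutes=5),
)
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query("c2.evil.example")},
    {"src": "10.0.0.5", "dst": "10.0.0.53", "proto": "udp", "dport": 53,
     "payload": build_dns_query("www.example.org")},
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(filter_packet(pkt, FEED, NOW))
```

The stale-feed branch is the caveat the passage hints at: a blocklist device is only as good as the last successful feed update, so the verdict should carry that condition to whatever alerting the operations team watches rather than quietly passing traffic.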
IDS/IPS technologies that examine all east/west traffic. Security teams have come to rely on next-generation firewalls for protection at the network perimeter. These firewalls cover ingress/egress, but they do not see traffic between internal hosts, which leaves lateral movement unobserved. To close this gap, security teams need to inspect all east/west traffic in their legacy networks and hybrid-cloud environments with intrusion detection system/intrusion prevention system (IDS/IPS) technologies. In this way, they can identify and filter out known threats moving laterally inside their environments before a more serious event such as a data breach or ransomware attack.
A common source for network and cloud visibility. Many network and security teams end up using a multitude of disparate tools to collect the same network data. What is needed instead is a common source of network truth. Teams should use line-rate packet acquisition, local storage of network metadata, and full packet capture to gain holistic network and cloud visibility. This is crucial both for maintaining strong performance and for detecting and responding to security incidents. The right tool will go beyond raw packet capture and perform real-time packet analytics that create a robust set of locally stored, highly indexed metadata that can be quickly accessed and analyzed for more efficient incident detection, investigation, and mitigation.
Network traffic analysis capabilities. To ensure network performance and security, teams need to understand network traffic patterns, as well as the disposition of every device connected to the network, before an incident occurs: in other words, a "shift-left" approach to incident response. This can help them identify and remediate rogue devices, misconfigurations, and vulnerable systems while maintaining application performance for business operations. Network traffic analysis capabilities deliver end-to-end visibility that allows teams to establish what normal network behavior looks like and then identify deviations that might impact network security or performance.
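The "learn normal, then flag deviations" idea above is concrete enough to show in code. The following is an added example, not from the page or from the ESG white paper: it builds a per-host, per-destination-port baseline of outbound bytes from a set of flow records, then scores new flows for three of the conditions the passage names (a source host never seen before, a host contacting a service port it has never used, and an outbound volume well above its baseline). The flow records, the 3-sigma threshold and the 1-byte standard-deviation floor are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (source, destination, dest port, bytes out); not real traffic.
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443, 1200), ("10.0.1.5", "10.0.2.10", 443, 1350),
    ("10.0.1.5", "10.0.2.11", 443, 1100), ("10.0.1.5", "10.0.2.10", 443, 1300),
    ("10.0.1.5", "10.0.2.12", 53, 90),    ("10.0.1.5", "10.0.2.12", 53, 85),
    ("10.0.1.7", "10.0.2.20", 445, 4000), ("10.0.1.7", "10.0.2.20", 445, 4100),
    ("10.0.1.7", "10.0.2.20", 445, 3900), ("10.0.1.7", "10.0.2.12", 53, 95),
]


def build_baseline(flows):
    """Per source host and destination port: mean and population std-dev of bytes out.
    Returns {src: {dport: (mean, std)}}."""
    sizes = defaultdict(lambda: defaultdict(list))
    for src, _dst, dport, nbytes in flows:
        sizes[src][dport].append(nbytes)
    return {src: {dport: (mean(v), pstdev(v)) for dport, v in ports.items()}
            for src, ports in sizes.items()}


def score_flow(flow, profile, k=3.0, min_std=1.0):
    """Return the list of deviations for one flow; empty means it fits the baseline.
    k (sigma multiplier) and min_std (floor so a constant-size baseline does not
    flag one byte of jitter) are assumed tuning values, not from the page."""
    src, dst, dport, nbytes = flow
    host = profile.get(src)
    if host is None:
        return [f"{src} never seen in baseline (possible rogue device)"]
    if dport not in host:
        return [f"{src} contacting new service port {dport} at {dst}"]
    avg, std = host[dport]
    limit = avg + k * max(std, min_std)
    if nbytes > limit:
        return [f"{src} -> {dst}:{dport} sent {nbytes} B, above baseline limit {limit:.0f} B"]
    return []


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    # Constructed observation window: one normal flow and three deviations.
    for flow in [("10.0.1.5", "10.0.2.10", 443, 1500),
                 ("10.0.1.5", "10.0.2.10", 443, 50000),
                 ("10.0.1.5", "10.0.2.30", 3389, 500),
                 ("10.0.1.9", "10.0.2.10", 443, 100)]:
        print(flow, score_flow(flow, profile) or "baseline")
```

Keying the volume baseline on (host, port) rather than on the host alone matters in practice: mixing small DNS flows with large HTTPS flows in one distribution inflates the standard deviation enough to hide a real exfiltration spike.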
Network detection and response systems. Modern-day bad actors increasingly use anti-detection and anti-forensics techniques to avoid being noticed by endpoint detection and response (EDR) solutions. However, these bad actors can't hide on the network: to communicate with their infrastructure or move laterally, they have to send packets. In addition to traffic analysis, teams need a way to analyze network data and threat intelligence in order to detect and investigate anomalous, suspicious, and malicious network activities that are hidden from other cybersecurity tools. Network detection and response (NDR) systems can detect threats that EDR and log-based systems miss, while providing access to a comprehensive source of metadata and network packets. This data is crucial for triage and investigations.
A network security-without-borders technology stack can improve threat prevention, detection, and response. At the same time, this approach lets Security Operations Center (SOC) teams extend the effectiveness of their existing security information and event management (SIEM) systems and their security orchestration, automation, and response (SOAR) tools, which depend on the quality of the network evidence fed into them.
Download the white paper “Network Security Without Borders: A Common Technology Stack for Network Security and Operations.”