Lessons from the Pandemic: A New Urgency for NetOps-SecOps Alignment

As the COVID-19 pandemic pushed enterprise networks to evolve rapidly to serve larger user populations with more services, network security threats evolved in response. Every additional and more diverse endpoint widens the attack surface available to adversaries, which is why network operations (NetOps) and security operations (SecOps) teams need a way to work together more quickly and effectively than ever before.

During a recent NETSCOUT OnGuard webinar, a panel of industry experts discussed this rapid digital transformation of enterprise networks and how NetOps and SecOps can join forces for faster, more decisive network issue assessment.

When discussing the expanded services and demands on enterprise networks, Hardik Modi, associate vice president for NETSCOUT’s threat, intelligence, and mitigation products, noted that “from a security standpoint, maintaining the availability, integrity, and confidentiality (CIA) of all services became that much harder to ensure.” Enterprise organizations will always need to focus on all three aspects of the CIA triad: confidentiality, integrity, and availability.

Total Network Visibility: A Common Need Can Be Commonly Sourced

Total network visibility is important to NetOps for service assurance and to SecOps for cybersecurity, and the two teams can collaborate more effectively by using a common source of network-derived data, something that Mark Doering, director of technical marketing for NETSCOUT, referred to as a “single source of truth.” Doering went on to say that if these teams “…don’t have the same formulated data pattern, collection capabilities, or depth of visibility, or the same point of visibility in their network, then they’re going to derive different answers to the same questions.” Using the same smart data source allows for more efficient troubleshooting from both sides of the organization and eliminates that sort of crossfire and duplication of effort.

Endpoint Detection Versus Whole-Network Detection

Tom Bienkowski, director of product marketing for NETSCOUT, noted that security teams have additional methods for deriving visibility for cybersecurity purposes, including endpoint detection and response (EDR) solutions. Although EDR tools, firewalls, and other edge defenses are all important parts of any network defense strategy, none of them should be the only line of defense. As Modi commented, “Knowing that you have complete coverage with your EDR solution in itself is a challenge.”

Today, malware increasingly targets firmware such as the BIOS, below the operating system where host-based agents have little visibility, and it is also being found on other network-connected devices, including Internet of Things (IoT) devices, on which deploying EDR agents is increasingly difficult. But as Doering noted, “Network-derived data is hard to manipulate and hard to obfuscate. The network usually gives you that better point of truth.” Network-derived data is therefore a key input for enterprise network security.
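One concrete way to act on the two points above (EDR coverage is hard to confirm, and the network sees devices an agent never will) is to reconcile the hosts observed in network flow data against the EDR console's agent inventory. The script below is an added example, not code from the webinar, NETSCOUT, or any of its products; the flow records, the inventory, the 10.0.0.0/8 internal range, and the 10.0.5.0/24 "agentless" IoT segment are all constructed for illustration.

```python
"""Reconcile hosts seen in network flow data against an EDR agent inventory.

Added example (not from the original page or from NETSCOUT): uses
network-derived flow records as the source of truth to find internal hosts
that the EDR deployment does not actually cover. All data below is constructed.
"""
import csv
import io
import ipaddress

# Constructed NetFlow/IPFIX-style export; addresses and timestamps are invented.
FLOW_CSV = """\
ts,src,dst,dport,proto,bytes
2021-03-10T09:15:02Z,10.0.1.23,10.0.2.5,443,tcp,18233
2021-03-10T09:15:07Z,10.0.1.23,203.0.113.9,443,tcp,5021
2021-03-10T09:16:11Z,10.0.3.77,10.0.2.5,445,tcp,77110
2021-03-10T09:16:40Z,10.0.5.14,10.0.2.5,1883,tcp,512
2021-03-10T09:17:03Z,198.51.100.4,10.0.2.5,443,tcp,3300
2021-03-10T09:18:30Z,10.0.1.40,10.0.2.5,443,tcp,9000
"""

# Constructed EDR inventory: ip -> agent status as a hypothetical console reports it.
EDR_INVENTORY = {
    "10.0.1.23": "healthy",
    "10.0.2.5": "healthy",
    "10.0.1.40": "stale",    # agent installed but has stopped checking in
    "10.0.9.9": "healthy",   # in inventory, but never seen on the wire
}

# Assumed address plan: only internal hosts are expected to run an agent, and the
# IoT segment is one where an agent cannot be deployed, so it is reported separately.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
AGENTLESS = [ipaddress.ip_network("10.0.5.0/24")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def observed_internal_hosts(flow_csv):
    """Return {ip: (first_seen, total_bytes)} for every internal IP seen as src or dst.

    External peers (anything outside INTERNAL) are ignored: they are not ours to cover.
    """
    seen = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        for key in ("src", "dst"):
            addr = ipaddress.ip_address(row[key])
            if not _in(addr, INTERNAL):
                continue
            first, total = seen.get(str(addr), (row["ts"], 0))
            # ISO-8601 UTC timestamps compare correctly as strings.
            seen[str(addr)] = (min(first, row["ts"]), total + int(row["bytes"]))
    return seen


def edr_coverage_report(flow_csv, inventory):
    """Classify every internal host the network saw against the EDR inventory.

    uncovered:        talking on the network, no agent record at all
    unhealthy:        agent record exists but the agent is not reporting healthy
    agentless_segment: in a segment where an agent is not expected (needs network monitoring)
    never_seen:       in the inventory but absent from the flow data (stale inventory)
    """
    hosts = observed_internal_hosts(flow_csv)
    report = {"uncovered": [], "unhealthy": [], "agentless_segment": [], "never_seen": []}
    for ip, _ in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        addr = ipaddress.ip_address(ip)
        if _in(addr, AGENTLESS):
            report["agentless_segment"].append(ip)
        elif ip not in inventory:
            report["uncovered"].append(ip)
        elif inventory[ip] != "healthy":
            report["unhealthy"].append(ip)
    report["never_seen"] = sorted(
        (ip for ip in inventory if ip not in hosts), key=ipaddress.ip_address
    )
    return report


if __name__ == "__main__":
    for category, ips in edr_coverage_report(FLOW_CSV, EDR_INVENTORY).items():
        print(f"{category:18s} {', '.join(ips) or '-'}")
```

Run against a real flow export and an inventory pulled from the EDR console, the "uncovered" and "unhealthy" lists are the coverage gaps Modi describes, while "agentless_segment" is exactly the population (IoT and similar devices) for which network-derived data is the only visibility available.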

You’ve Got Total Network Visibility. Now What?

Every enterprise can benefit from the streamlined workflows and reduced mean time to recovery (MTTR) that result when NetOps and SecOps teams share the same source of network-derived data. Businesses can also move from reacting to threats to proactively looking for them: they can go threat hunting.

“Being able to retrieve information from a security information and event management/security orchestration, automation, and response (SIEM/SOAR) solution is different than saying, ‘I have an endpoint reporting, or I have a network reporting,’” Doering said. “You’re going after a data set, or event, or set of events.” It could be a list of events, he added, because many are tying the newer EDRs to things such as MITRE D3FEND and are able to drill into the exposed event. “And whether it be the applications or the security infrastructure, a smart data solution brings that all together naturally for NetOps and SecOps—from packets, to security events, to application-level awareness.” Regardless of the security layer, be it layer 3 up to layer 7, Doering emphasized, you’re going to need that visibility across the entire network infrastructure.