What is Your Security’s Org Chart?

This blog post is the fourth in a series that examines the results of a recent network security infrastructure survey conducted by SANS Institute^[1]. It highlights key takeaways for network and security operations professionals to consider. 

When viewed as a network schematic, most architectures appear relatively straightforward. But don’t be deceived by this simplicity. Scale, availability and security are at a constant tug of war.  It’s getting more difficult to separate business processes from network infrastructure; the network is both the driving force and the manifestation of the digital transformation.

Traditional, perimeter-oriented defenses are insufficient in distributed, virtualized and cloud-based environments. Threats may come from within your organization, or “incubate” until an opportune moment. Incorporating public cloud technologies means that you are no longer fully in control of the underlying physical infrastructure. Your org chart must adapt in line with these trends, including which network security monitoring functions can and should be centralized, and which ones should remain distributed.

Many organizations are following the hybrid approach. In the latest SANS survey, Network Security Infrastructure and Best Practices (2017), a majority of respondents (64%) described the architecture of their security infrastructure as a combination of centrally managed and locally managed systems. A smaller number (31%) considered their architecture to be totally centralized. Only 5% believed their organization has a totally distributed management structure. This means that security analysis must often be performed remotely, potentially resulting in an impact on network and application performance. 

Shared network visibility can drastically improve both security and application performance areas. By working closely with their network operations counterparts, security teams can tap into the full power of packet data that’s already being used by service assurance platforms. You cannot secure what you cannot see, and here the network ops often hold the keys. These teams make sure that business applications are up and running at all times; they employ sophisticated tools, often involving packet and flow analysis to investigate and triage performance problems. On the other hand, network ops can benefit by knowing security team’s plans in advance. By teaming up and pooling resources, you both can benefit from this wealth of information.

Respondents in the 2017 SANS SOC Report indicated that their SOC operations are sufficiently flexible and adaptable. However, the biggest weakness is the lack of visibility; security teams are unable to detect threats whose signatures are unknown. Many threats have to be investigated manually, sapping resources and creating skill shortages. Lack of automation also means that “alert fatigue” is frequent and may lead to security features simply being turned off.

Identifying common goals can help your organization to allocate your resources optimally. Consider the following questions:

• When is the right time bring network and security operations together for a new security rollout?
• What role a network visibility architect might play in your organization?
• How can improved network packet visibility impact your NOC and SOC?
• Will shared visibility improve automation and response times?

The distributed network architectures are here to stay. To deal with these environments, a highly efficient SOC is vital. To achieve efficiency, however, it must see everywhere into the network – whether distributed, remote or centralized. So make friends with your NOC counterparts and see deeper than less foresighted organizations do. Download the full SANS Network Infrastructure report to learn more. If you are curious about how your SOC colleagues are doing, read the SANS SOC report.