Early 20th century legendary baseball pitcher Walter Johnson once said, “You can’t hit what you can’t see.” It’s the same thing in IT security: You can’t stop what you can’t see.
Which is why visibility is so essential to network security. Unfortunately a lot of traffic is opaque to network and security teams, which gives CISOs fits. That need not be a problem if good security practice is followed, but in a blog this week Johnnie Konstantas, who heads Gigamon’s security solutions marketing and business development, poses a few pertinent questions to help infosec pros judge whether their visibility needs improving.
The obvious question is whether the network is monitored 24/7 and analyzed daily for anomalous traffic patterns. But she says it’s also important to ask whether the use of virtual machines is limited to non-critical workloads, whether vMotion is turned off (a live-migrated VM can land on a host where its traffic only ever crosses a virtual switch, never a physical link that is TAPped), whether users are restricted from connecting to the network with self-sourced devices (and if so, whether those devices are confined to guest network segments regardless of their security profile), whether the use of social media to send attachments and files is restricted, and whether all SSL traffic is decrypted and inspected for the presence of malware.
My guess is few CISOs except those at financial institutions and certain government departments can say yes to all of them. Leaving aside the fact that Gigamon sells visibility and analytics solutions, no one doubts that being able to see more deeply into network traffic is a great way to improve security. Konstantas offers these six tips for improving it:
1. TAP all critical links. Don’t rely on SPAN ports: switches give mirroring the lowest priority and drop mirrored packets under load, and a single SPAN port can’t carry both directions of a saturated full-duplex link, so what the tools see is effectively a sample.
2. Connect all TAPs to a visibility fabric. This will aggregate the traffic and its metadata in one place.
3. Connect inline tools to inline fabric ports. A bypass-capable inline port keeps the link up when an IPS or firewall fails, avoiding the fail-closed outage; the trade-off is that traffic passes uninspected while the tool is down, so bypass events should be alerted on.
4. Connect all out-of-band security tools. Now every analytics and detection tool sees every network packet and its metadata without contending with one another for it.
5. Use traffic manipulation and grooming. Steering the right traffic to the right security tools, and dropping, de-duplicating or slicing what they don’t need, relieves them of the computational burden of inspecting unwanted traffic.
6. Add non-security tools to the visibility fabric. Performance management tools can also have the benefit of complete network traffic views for faster troubleshooting.
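The grooming step in tip 5, as an added Python example that is not from Gigamon or the original post. It takes constructed flow records of the kind a packet broker receives from several TAPs, de-duplicates records the fabric saw twice (the same packet crossing two TAPped links), drops traffic nobody needs to inspect (an assumed backup subnet), slices what goes to a metadata-only tool down to header bytes, and steers TLS and DNS to their specialist tools on top of the IDS. The tool names, the subnet, the 64-byte slice length and the flow records are all assumptions made for the example.

```python
"""Traffic grooming and steering for a visibility fabric (illustrative example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
import ipaddress

# Assumptions for the example: tool names, a replication subnet whose
# traffic no security tool needs, and a header-only slice length.
BACKUP_NET = ipaddress.ip_network("10.50.0.0/24")
HEADER_SLICE = 64          # bytes kept per packet for the metadata tool
IDS, TLS_DECRYPT, DNS_ANALYTICS, METADATA = "ids", "tls-decrypt", "dns-analytics", "metadata"


@dataclass(frozen=True)
class Flow:
    """One flow record as a TAP would report it. pkt_hash stands in for the
    per-packet hash a real fabric uses to spot the same packet on two TAPs."""
    tap: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int
    packets: int
    pkt_hash: str


def steer(flow: Flow) -> List[str]:
    """Decide which tools should receive this flow; an empty list means drop."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src in BACKUP_NET and dst in BACKUP_NET:
        return []                       # backup replication: nothing to inspect
    tools = [IDS, METADATA]             # everything else reaches the IDS and metadata tool
    if flow.proto == "tcp" and flow.dport in (443, 8443):
        tools.append(TLS_DECRYPT)       # decrypt before inspection
    if flow.proto == "udp" and flow.dport == 53:
        tools.append(DNS_ANALYTICS)
    return tools


def groom(flows: List[Flow]) -> Dict[str, object]:
    """Dedup, drop, slice and steer; return the byte budget per tool."""
    seen = set()
    per_tool: Dict[str, int] = defaultdict(int)
    ingested = dropped = duplicates = 0
    for f in flows:
        ingested += f.nbytes
        if f.pkt_hash in seen:          # same packet already delivered from another TAP
            duplicates += f.nbytes
            continue
        seen.add(f.pkt_hash)
        tools = steer(f)
        if not tools:
            dropped += f.nbytes
            continue
        for tool in tools:
            # The metadata tool only needs headers, so slice each packet.
            per_tool[tool] += min(f.nbytes, f.packets * HEADER_SLICE) if tool == METADATA else f.nbytes
    return {"per_tool": dict(per_tool), "ingested_bytes": ingested,
            "dropped_bytes": dropped, "duplicate_bytes": duplicates}


def ids_load_reduction(report: Dict[str, object]) -> float:
    """Fraction of ingested bytes the IDS no longer has to inspect."""
    return 1.0 - report["per_tool"].get(IDS, 0) / report["ingested_bytes"]


# Constructed sample records (not real traffic): the first two are one HTTPS
# session seen on two core TAPs; the rsync flow is backup-to-backup.
SAMPLE = [
    Flow("tap-core-1", "10.20.1.15", "93.184.216.34", "tcp", 51234, 443, 120_000, 100, "h1"),
    Flow("tap-core-2", "10.20.1.15", "93.184.216.34", "tcp", 51234, 443, 120_000, 100, "h1"),
    Flow("tap-core-1", "10.20.1.15", "10.20.0.53", "udp", 40001, 53, 300, 2, "h2"),
    Flow("tap-core-1", "10.50.0.10", "10.50.0.11", "tcp", 49000, 873, 5_000_000, 4000, "h3"),
    Flow("tap-core-1", "10.20.1.22", "10.20.2.8", "tcp", 52000, 445, 800_000, 700, "h4"),
    Flow("tap-core-1", "203.0.113.9", "10.20.2.8", "tcp", 33000, 22, 40_000, 60, "h5"),
]

if __name__ == "__main__":
    rep = groom(SAMPLE)
    for tool, b in sorted(rep["per_tool"].items()):
        print(f"{tool:14s} {b:>10,d} bytes")
    print(f"dropped {rep['dropped_bytes']:,d}, duplicates {rep['duplicate_bytes']:,d}, "
          f"IDS load reduced by {ids_load_reduction(rep):.0%}")
```

On the sample the IDS receives under a sixth of what the TAPs delivered, almost all of the saving coming from the dropped replication flow and the de-duplicated session. The drop rule is the one to review carefully: a subnet excluded from inspection is exactly where an attacker who has read the policy would stage data, so drop lists should be narrow and revisited.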
Visibility is one of the best ways to increase the odds of finding malware that is already on the network, and to lower the odds of new attacks succeeding.