Evaluating All Security Solutions in Full Context, and Focusing On Solutions with Low Operational Impact Are Key For Success
It’s a typical scenario in an enterprise. Sam from the security department walks into a meeting and tells everyone, “I’ve got this great new security solution that I am about to buy and need to deploy. It will keep the all the latest malware from infecting anything on our network.”
Meanwhile, the network administrator, Nancy, rolls her eyes. “Not again,” she says. “Last time I heard this, I had to hire more people to just monitor your security solution so it didn’t bring our network down.”
The security manager fires back, “It took you almost a year to evaluate the last solution we brought in and then even longer to get it deployed. In the meantime, we were getting killed with all sorts of new cyber attacks.”
You are most likely familiar with this sort of network operations versus security department feud. But there is a way to avoid it and have the two camps work harmoniously. We’ll get to that in a bit, but first let’s delve a bit deeper into why there’s often so much animosity between the two.
The Network Hang-up
Although any new security solution that’s being purchased may address a company’s current security risks spot on, the question is at what cost? Does it slow the network down or have the potential to cause the network to crash, causing customers to go elsewhere or slowing productivity of employees? How about resulting in unaccounted costs for the network operations department, even though they weren’t the ones that purchased the security solution? There are a number of reasons why “typical” security solutions that must be integrated into a network’s data flow can cause such issues:
1. The security solution is actually a new performance choke point if it can’t keep up with data flow at all times. This typically results in slowing down a network or in a worst-case scenario, causing a network crash.
2. New hardware like a firewall or DPI system that has to be “in-path” introduces potential single-points-of-failure for the network. To compensate, the network architect will need to plan and build-out network redundancy and contingencies to route around failed hardware and maintain network resiliency.
3. While the security team in the security operations center or SOC will typically monitor alerts from a new solution, the folks on the network team in the network operations center or NOC will often have to monitor the health and performance of the new systems as part of their overall network performance job. That’s a permanent addition that requires significant man-hours at a significant cost.
4. Any time a network topology or plan is altered, the security solution has to be taken into account. For example, if a company adds a new department or has a new satellite office, the in-line networked security devices must be integrated into planning, deployment and operations. If it wants to implement a new cloud service, new connections and processes will be needed in order for the cloud-based communications to pass through the security solution as well. All of this change management takes more time and resources.
Security Solutions Affect the Network
There are a number of security solutions that may cure many security ills for a company, but as mentioned above, at what cost? Although advertised as plug and play, a number of “traditional” security solutions require extensive planning, oversight and monitoring to ensure they don’t adversely affect the network.
For example, deep packet inspectors, next-generation firewalls and security solutions “in the cloud” usually require routing of network traffic through those resources. This requires ongoing maintenance to ensure they don’t adversely affect a network.
This doesn’t mean these solutions aren’t worth it—you’d be foolish to just remove firewalls, IDS systems, anti-spam appliances or other necessary security tools in the name of network performance. However, the costs, both up-front, and ongoing, of layering on another security appliance, especially in-line with data flows, are far greater than the price tag from the security vendor and need to be fully considered.
Security Solutions That Bypass (Most) Network Maintenance
There are many security solutions that can be added to any enterprise’s toolkit without many of these “hidden” impacts on the network operations team. To ensure a company’s network managers don’t have to add resources to bring a security solution on board, the first place to look is to solutions and services that don’t touch a company’s network or don’t need to be physically placed in-path with primary data flow.
1. Log file analysis - A plethora of security incidents can be captured and identified by analyzing log files of activities taking place on servers, routers, and existing security solutions. Modern security information and event management or SIEM solutions as well as many point solutions handle these functions quite well. The only impact from these on network operations is a potential drag on device performance if logging isn’t already enabled.
2. DNS firewall - A DNS firewall is a secure DNS resolver that employs a comprehensive and up-to-date list of known malicious Internet locations based on domain or host names to prevent employee and system connections to malware, advance persistent threats (APTs), and other nefarious content online. No infrastructure changes are required, since typical implementations simply empower existing infrastructure (your DNS resolution servers) with security data brought in from external sources. If that data flow somehow breaks down, the resolvers continue to work as they would if they weren’t being fed the security information in the first place.
3. Data feeds tailored to existing solutions - Let’s say you want to get a list of all the malicious URL’s loaded with malware tracked by a vendor integrated into your enterprise protection scheme. These can be pumped into existing solutions like anti-spam devices, firewalls, or IDS systems simply by getting them in the correct format and providing regular updates. Done properly, there is very little performance hit to adding in these third-party data feeds.
4. Passive monitoring - There are numerous types of solutions that can be added to key network locations via port spanning on switches, routers or other supporting infrastructures. These can monitor such things as netflow, DNS resolutions (passive DNS replication), or even perform “off wire” deep packet inspection or DPI. While such devices won’t block nefarious traffic, they will at least inform you of issues when they occur, or help track down prior activity if you’re investigating a potential breach or other event.
Although there is an abundance of security solutions that promise to turn your company into an impenetrable fortress, security posture and the direct costs of those solutions aren’t the only thought to consider. Many new security solutions are likely to have an impact on network operations, performance and support costs, and could actually sabotage your network if you don’t take the appropriate precautions when implementing and maintaining them. Evaluating all security solutions in full context, and focusing on solutions with low operational impacts are imperatives for success in today’s network security world.
A security versus network debate is playing out in a conference room near you. By wearing both the security and network operations’ hats when evaluating new solutions, this classic enterprise struggle could turn into corporate harmony. Saving money and lowering corporate strife really is possible after all.