SecurityWeek

Network Security

Enterprise Blind Spots and Obsolete Tools – Security Teams Must Evolve

The conventional tools we rely on to defend corporate networks are creating gaps in network visibility and in our capabilities to secure them.

As I discussed previously, corporate networks have become atomized, meaning they’re dispersed, ephemeral, encrypted, and diverse (DEED). These DEED environments and the conventional tools we rely on to defend them are creating gaps in network visibility and in our capabilities to secure them. Blind spots are rampant for three primary reasons.

Deep packet inspection (DPI) is losing effectiveness. Driven by privacy and security concerns, encryption of network traffic is becoming pervasive, and it blinds many of the network visibility and security tools we have traditionally relied on, such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), and network detection and response (NDR) systems. Companies that go down the decryption path, especially those in heavily regulated industries, soon discover that decrypting traffic at the scale required for continuous detection is problematic: the decryption point becomes a place where cleartext traffic can be viewed or captured, it has to hold the private keys or an interception CA that are themselves high-value targets, and it adds operational overhead and latency to every flow it touches.

DPI is also hard to scale. In DEED environments it is hard even to find the entry points at which to place SPAN ports or taps, and once you have, there is the expense and complexity of doing so at scale. Few companies want to deploy more hardware; it is cumbersome, slow, and expensive, if not impossible, to place everywhere visibility is needed. Software-based sensors remove the cost and complexity of physical appliances, but they still require building, scaling, and managing virtual machines (VMs), and adding SPAN ports or traffic mirroring in hundreds of locations remains a daunting task. Inevitably, blind spots remain, because parts of the network will always be out of scope or unreachable by DPI.

Cloud flow logs are disparate. Individual cloud service providers (CSPs) offer good visibility mechanisms for their own environments. But according to the Flexera 2022 State of the Cloud Report (PDF), 89% of organizations report having a multi-cloud strategy, and different CSPs offer different capabilities, all with gaps. Few standards exist, so the type of data, how it is captured, and the level of visibility each CSP offers all vary: field layouts, sampling, aggregation intervals, and whether a record describes one direction of a conversation or both differ from provider to provider. Understanding those differences, which of them matter, and whether they are substantial requires specific expertise. Visibility is also compartmentalized, so seeing traffic moving to, from, between, and even within clouds is a challenge. Pulling disparate cloud flow logs together and normalizing the data so you can look at it with one set of eyes, without context switching between CSPs, is a heavy lift.

Endpoints are everywhere and not all can support agents. Endpoint detection and response (EDR) is the new hot tool for a reason; it solves a lot of problems. However, customers and prospects tell us their EDR coverage of endpoints is in the range of 60-70%, and that figure does not even count network gear such as routers and switches, which cannot run an agent at all. Plenty of other devices that connect to the corporate network also do not support agents or are outside the organization's control. Think of Point-of-Sale (POS) systems, HVAC systems, IoT devices, and smart TVs. On top of that are the myriad devices they are not even aware of, because bring-your-own-device (BYOD) and the work-from-anywhere model introduce rogue devices connecting through home and Wi-Fi networks. If you cannot account for the full mix of endpoints, you have gaps.

Evolving our approach to network visibility and security

To close the gaps DEED environments and conventional tools are creating, we need a different approach that enables us to visualize network traffic at a higher level, across the number and types of environments and devices in use today, without having to capture and decrypt packets. It turns out metadata and context are the keys.


Metadata in the form of flow data provides a passive, agentless view of network traffic across multi-cloud, on-premises, and hybrid environments, covering every IP address and every device that talks on the network, whether or not it can run an agent. And because flow metadata describes traffic (who talked to whom, when, over which port and protocol, and how much) without carrying payload, it can be collected and stored with fewer compliance or regulatory concerns than full packet capture. One caveat: source and destination addresses can still count as personal data under some privacy regimes, so retention limits and access controls still apply to flow data.

Bringing all of that streaming metadata into a single platform, normalizing it, and enriching it in real time with both open-source data (threat intelligence, ASN and geolocation lookups) and organization-specific context (asset inventory, ownership, agent coverage) gives diverse teams one place to go and one common language for a complete picture of what is happening. They can focus on what is relevant to them without needing specialized knowledge to interpret each CSP's flow format, and without bouncing between separate store-and-query platforms for look-ups that can take hours to answer.
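The normalize-then-enrich step above, and the cloud flow-log and agent-coverage gaps described earlier, are concrete enough to show in code. The following is an added example written for this page, not code from the author or from any product the page mentions. It parses constructed sample records in two formats, an AWS VPC flow-log line in the default version 2 layout and an Azure NSG flow tuple in the version 2 layout (both layouts as I understand the documented formats; treat them as assumptions), maps both into one schema, enriches each record with an assumed asset inventory, and runs one detection over the merged data: accepted flows leaving the network from a host that has no EDR agent or is not in the inventory at all. The sample records, addresses, and inventory are all constructed.

```python
"""Normalize flow records from two CSPs into one schema, enrich them with
organizational context, and run one detection over the result.
Sample records and the asset inventory below are constructed, not real."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Flow:
    source: str            # producing CSP ("aws" or "azure")
    ts: int                # flow start, epoch seconds
    src: str
    dst: str
    sport: int
    dport: int
    proto: str             # "tcp", "udp" or the raw protocol value
    action: str            # "accept" or "reject"
    nbytes: Optional[int]  # None where the producer omitted it


# Constructed AWS VPC flow-log lines, default v2 layout (assumed):
# version account eni src dst sport dport proto packets bytes start end action status
AWS_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.20.1.15 203.0.113.7 51234 443 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.42 198.51.100.9 40002 4444 6 5 600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.20.1.42 10.20.1.15 40003 445 6 3 300 1700000000 1700000060 REJECT OK",
]
# Constructed Azure NSG flow tuples, v2 layout (assumed):
# ts,src,dst,sport,dport,T|U,I|O,A|D,B|C|E,pkts_s2d,bytes_s2d,pkts_d2s,bytes_d2s
AZURE_TUPLES = [
    "1700000005,10.30.2.8,203.0.113.7,44356,443,T,O,A,B,,,,",
    "1700000009,10.30.2.19,198.51.100.9,44357,8443,T,O,A,B,,,,",
]
# Assumed organizational context: asset inventory keyed by private IP.
# 10.30.2.19 is deliberately absent to model an unknown device.
INVENTORY = {
    "10.20.1.15": {"host": "web-01", "edr": True},
    "10.20.1.42": {"host": "pos-terminal-7", "edr": False},
    "10.30.2.8": {"host": "app-02", "edr": True},
}
# RFC 1918 ranges define "internal" explicitly, rather than relying on
# ipaddress.is_private, which also treats documentation ranges as private.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROTO = {"6": "tcp", "17": "udp", "T": "tcp", "U": "udp"}


def parse_aws(line: str) -> Flow:
    f = line.split()
    return Flow("aws", int(f[10]), f[3], f[4], int(f[5]), int(f[6]),
                PROTO.get(f[7], f[7]), f[12].lower(), int(f[9]))


def parse_azure(tup: str) -> Flow:
    f = tup.split(",")
    return Flow("azure", int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                PROTO.get(f[5], f[5]), "accept" if f[7] == "A" else "reject",
                int(f[10]) if f[10] else None)


def normalize_all() -> List[Flow]:
    """Merge both producers into one time-ordered stream of Flow records."""
    flows = [parse_aws(l) for l in AWS_LINES] + [parse_azure(t) for t in AZURE_TUPLES]
    return sorted(flows, key=lambda fl: fl.ts)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def enrich(flow: Flow) -> dict:
    """Attach inventory context and an egress flag to a normalized flow."""
    asset = INVENTORY.get(flow.src, {"host": "unknown", "edr": False})
    return {**flow.__dict__, "host": asset["host"], "edr": asset["edr"],
            "egress": is_internal(flow.src) and not is_internal(flow.dst)}


def uncovered_egress(flows: List[Flow]) -> List[Tuple[str, str, str, int]]:
    """Accepted flows leaving the network from a host with no EDR agent
    (or one the inventory does not know about)."""
    findings = []
    for rec in map(enrich, flows):
        if rec["action"] == "accept" and rec["egress"] and not rec["edr"]:
            findings.append((rec["source"], rec["host"], rec["dst"], rec["dport"]))
    return findings


if __name__ == "__main__":
    for hit in uncovered_egress(normalize_all()):
        print("no-agent egress:", hit)
```

Two records survive the detection: the POS terminal with no agent reaching an external host on port 4444 via the AWS log, and the unknown 10.30.2.19 reaching an external host on 8443 via the Azure log. Neither producer's native format had to be understood by the person reading the finding; the one schema and the inventory join carry the meaning.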

Evolving our approach to security to get to where we need to be starts with using data we already have and providing teams with one place to go for a unified view of all that data and one common language so they can focus on the problems they want to solve. It’s a less is more approach that closes gaps for real-time detection, real-time investigation, and real-time remediation and enables security teams to evolve to defend their atomized network.

Written By

Over his 25+ year career, Matt has held senior technology leadership positions across numerous industries including Netography, Neustar, Verisign, and Prolexic Technologies. With a rich background in innovation and go-to-market strategies, Matt has been a critical leader in helping many companies conceptualize solutions from the customer lens and drive them to market with significant impact.
