Thursday, October 25, 2018

Have Network, Need Network Security Monitoring

I have been associated with network security monitoring my entire cybersecurity career, so I am obviously biased towards network-centric security strategies and technologies. I also work for a network security monitoring company (Corelight), but I am not writing this post in any corporate capacity.

There is a tendency in many aspects of the security operations community to shy away from network-centric approaches. The rise of encryption and cloud platforms, the argument goes, makes methodologies like NSM less relevant. The natural response seems to be migration towards the endpoint, because it is still possible to deploy agents on general purpose computing devices in order to instrument and interdict on the endpoint itself.

It occurred to me this morning that this tendency ignores the fact that the trend in computing is toward closed computing devices. Mobile platforms, especially those running Apple's iOS, are not friendly to introducing third party code for the purpose of "security." In fact, one could argue that iOS is one of, if not the, most secure platforms, thanks in part to this architectural decision. (Timely and regular updates, a policed application store, and other choices are undoubtedly also part of the security success of iOS.)

How is an endpoint-centric security strategy going to work when security teams are no longer able to install third party endpoint agents? The answer is that it will not. What will security teams be left with?

The answer is probably application logging, i.e., usage and activity reports from the software with which users interact. Most of this will likely be hosted in the cloud. Therefore, security teams responsible for protecting users who work anywhere, largely remotely, and who access cloud-hosted assets will have little more than cloud-provided data to analyze and escalate.

It is possible that the endpoint providers themselves might assume a greater security role; in other words, Apple and other manufacturers would provide security information directly to users, much as Chase asks me whether I really made a purchase. This model tends to break down, however, when a potentially compromised asset is the channel used to ask the user whether that asset is compromised.

In any case, this vision of the future ignores the fact that someone will still be providing network services. My contention is that if you are responsible for a network, you are responsible for monitoring it.

It is negligent to provide network services but ignore abuse of that service.

If you disagree and cite the "common carrier" exception, I would agree to a certain extent. However, one cannot easily fall back on that defense in an age where Facebook, Twitter, and other platforms are being told to police their infrastructure or face ever more government regulation.

At the end of the day, using modern Internet services means, by definition, using someone's network. Whoever is providing that network will need to instrument it, if only to avoid the liability associated with misuse. Therefore, anyone operating a network would do well to continue to deploy and operate network security monitoring capabilities.

We may be in a golden age of endpoint visibility, but closure of those platforms will end the endpoint's viability as a source of security logging. So long as there are networks, we will need network security monitoring.
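As an added illustration of the contention that whoever provides a network should instrument it (this is example code added here, not anything from the original post or from Corelight), here is a small flow-level policy check over Zeek-style conn.log records. The log lines, the address ranges and the single management host allowed to reach clients are constructed assumptions. Because conn.log records flow metadata rather than payload, the check works the same way for the encrypted (ssl) flows as for cleartext ones.

```python
"""Flow-level segmentation policy check over Zeek-style conn.log records.

Constructed example: the log lines, network ranges and policy below are
assumptions made for illustration, not data from the original post.
Zeek's conn.log is tab-separated with a '#fields' header line; only a
subset of its columns is used here.
"""
import ipaddress

# Assumed segmentation policy (hypothetical ranges and hosts).
CLIENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# The few management servers permitted to initiate traffic toward clients.
MGMT_HOSTS = {ipaddress.ip_address("10.20.0.5")}

# Constructed conn.log-style records (not captured traffic).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1540454400.1\tC1\t10.10.1.23\t51234\t10.20.0.10\t443\ttcp\tssl\tSF
1540454401.2\tC2\t10.10.1.23\t51235\t10.10.1.77\t445\ttcp\t-\tS0
1540454402.3\tC3\t10.20.0.10\t40000\t10.10.1.40\t22\ttcp\tssh\tSF
1540454403.4\tC4\t10.20.0.5\t40001\t10.10.1.40\t5985\ttcp\t-\tSF
1540454404.5\tC5\t10.10.1.23\t51236\t93.184.216.34\t443\ttcp\tssl\tSF
"""


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record seen before '#fields' header")
        yield dict(zip(fields, line.split("\t")))


def in_nets(addr, nets):
    return any(addr in net for net in nets)


def evaluate(record):
    """Return the name of the policy violated by a flow, or None if allowed."""
    orig = ipaddress.ip_address(record["id.orig_h"])
    resp = ipaddress.ip_address(record["id.resp_h"])
    # PVLAN-style rule: clients must not talk to each other.
    if in_nets(orig, CLIENT_NETS) and in_nets(resp, CLIENT_NETS):
        return "client-to-client"
    # Servers must not initiate toward client networks, except management hosts.
    if (in_nets(orig, SERVER_NETS) and in_nets(resp, CLIENT_NETS)
            and orig not in MGMT_HOSTS):
        return "server-initiated-to-client"
    return None


def find_violations(text):
    """Return (uid, violation) pairs for every record that breaks policy."""
    return [(rec["uid"], v)
            for rec in parse_conn_log(text)
            if (v := evaluate(rec)) is not None]


if __name__ == "__main__":
    for uid, violation in find_violations(SAMPLE_CONN_LOG):
        print(uid, violation)
```

Running it flags C2 (a client reaching another client's SMB port, with conn_state S0 meaning the responder never answered, which is what a probe looks like in conn.log) and C3 (an ordinary server initiating SSH toward a client), while the management host's connection C4 and the client's outbound TLS session C5 pass. None of this required decrypting anything; it only required being present on the network.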

2 comments:

Povl H. Pedersen said...

Monitoring the network is something that is rarely done. It is a tedious task, and even with tools it takes skills that are not available to react.

But network segmentation, or port filtering, is very important, especially on the inside corporate network, as most attacks come from legitimate clients.

This can be done on network boxes, but you can also run IP filtering on the servers themselves. Or do it in both places if possible.

As for clients, PVLAN is becoming a must. Prevent clients from attacking each other, and prevent most servers from initiating traffic towards the client networks. Only a few management servers have that need.

But few companies think sensibly. It is pretty old tech, yet nobody knows about it. The simple stuff can be way more effective than many boxes. I guess that is why it is not sold by the resellers/consultants. Likely less margin.

sashank said...

From a cloud perspective, why do you think NSM is not needed if things move to the cloud? Don't we need NSM in the cloud?

From an endpoint perspective, agreed that BYOD devices may have challenges, but that traffic in an enterprise will be lower than from regular computing devices.

From an encrypted traffic perspective, NSM is more important than traditional IDS/IPS; there is lots of progress on encrypted traffic analytics to detect malicious patterns.

NSM is essential and will exist so long as networks exist !