If you’ve ever had a security vendor pitch their whiz-bang internal network threat prevention solution, you’ve probably thought at some point “You’re getting ahead of yourself. First we need to know what’s going on, then we can talk about active controls on the internal network.” The problem is that gaining visibility is a lot easier said than done. Because the security team is usually in no position to gate application deployments, and inventory management systems are notoriously inaccurate, Security has to resort to active monitoring to gain visibility. Unfortunately that’s hard to do, and getting harder.
In the good ol’ days, intranet visibility was more straightforward: you could concentrate on the Internet perimeter and the data center access layer, because all of the interesting traffic was north/south (client to application). But now the situation is more complex, for several reasons:
- Application architectures have changed, resulting in far more east/west traffic within the data center
- Virtualization confines much traffic to virtual distributed switches, which are harder to access
- Public cloud offers fewer options for visibility, and significant costs can be incurred
And in general the environment is just more dynamic, with trends like BYOD and micro-services accelerating the rate of change. So maintaining an accurate picture of what’s going on requires hour-by-hour insights, or even finer-grained ones.
So what to do?
Visibility boils down to two things: knowing about the threats, and knowing about the legitimate traffic. For the latter, it’s critical to establish read-only links with the orchestration systems and APIs that are available to provide real-time updates on applications and authenticated clients. Fortunately those APIs are much better developed than just a few years ago. And for seeing “the bad stuff”, consider using deception solutions such as Acalvio ShadowPlex. These solutions focus on one thing: providing visibility into threats with a high level of fidelity. They are much easier to implement than traditional tap or SPAN port solutions because they are deployed as hosts on each network and don’t need to “see” all the traffic. That means no need for promiscuous-mode switch ports or virtual ports. This also eliminates concerns that the visibility solution might affect network performance.
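As an added illustration (not code from the post or from Acalvio), the toy decoy below shows the host-based property described above: it binds one port on an ordinary host, needs no promiscuous mode or SPAN, and treats every touch as a high-fidelity alert because a decoy has no legitimate clients. The allowlisted scanner address and the alert format are constructed assumptions.

```python
"""Minimal host-based decoy: listens on a port nothing legitimate should touch,
records every connection, and emits an alert. No promiscuous mode is needed."""
import json
import socket
import threading
from datetime import datetime, timezone

# Constructed sample: a known internal vulnerability scanner whose touches
# should be suppressed rather than alerted on (hypothetical address).
KNOWN_SCANNERS = frozenset({"10.0.0.250"})


def build_alert(src_ip, src_port, dst_port, first_bytes, allowlist=KNOWN_SCANNERS):
    """Turn one decoy touch into an alert dict, or None for allowlisted sources.
    Any other touch is suspicious by construction: the decoy serves no real users."""
    if src_ip in allowlist:
        return None
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": f"{src_ip}:{src_port}",
        "decoy_port": dst_port,
        "bytes": len(first_bytes),
        "preview": first_bytes[:32].decode("ascii", "replace"),
        "severity": "high",
    }


def serve_once(listener, on_alert, read_timeout=1.0):
    """Accept a single connection on the decoy socket, capture the first bytes
    the peer sends (if any), and hand the resulting alert to on_alert."""
    conn, (src_ip, src_port) = listener.accept()
    with conn:
        conn.settimeout(read_timeout)
        try:
            first = conn.recv(256)
        except socket.timeout:
            first = b""  # a silent connect scan still counts as a touch
    alert = build_alert(src_ip, src_port, listener.getsockname()[1], first)
    if alert is not None:
        on_alert(alert)
    return alert


def demo_round_trip(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Self-test: bind a decoy on loopback, touch it once, return the alert."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    result = []
    emit = lambda a: print(json.dumps(a))  # stand-in for a SIEM forwarder
    t = threading.Thread(target=lambda: result.append(serve_once(listener, emit)))
    t.start()
    with socket.create_connection(listener.getsockname()) as c:
        c.sendall(payload)
    t.join()
    listener.close()
    return result[0]


if __name__ == "__main__":
    demo_round_trip()
```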
Most importantly, they provide both visibility and detection in a single solution, including the ability to engage an adversary to understand his methods and motivations.
Now we’re talking about real visibility!
This means much less work to get to the desired result: find and handle the threats in an operationally and financially viable manner.