Enterprise Blind Spots and Obsolete Tools – Security Teams Must Evolve - SecurityWeek

2023-02-22

The conventional tools we rely on to defend corporate networks are creating gaps in network visibility and in our capabilities to secure them.

As I discussed previously, corporate networks have become atomized, meaning they’re dispersed, ephemeral, encrypted, and diverse (DEED). These DEED environments and the conventional tools we rely on to defend them are creating gaps in network visibility and in our capabilities to secure them. Blind spots are rampant for three primary reasons.

Deep packet inspection (DPI) is losing effectiveness. Driven by privacy and security concerns, encryption of network traffic is becoming pervasive, blinding many of the network visibility and security tools we have traditionally relied on, such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), and network detection and response (NDR) systems. Companies that go down the decryption path, especially those in heavily regulated industries, soon discover that decrypting at the level required for ongoing detection is problematic, because the exposed traffic can potentially be seen or captured, and that is before accounting for the additional overhead and performance tradeoffs.

DPI is also hard to scale. In DEED environments, finding entry points at which to deploy SPAN ports is difficult, and even once you know where to place them, doing so at scale is expensive and complex. Few companies are interested in deploying hardware anymore: it is cumbersome, takes too much time, and is expensive, if not impossible, to deploy everywhere visibility is needed. Software-based approaches remove the cost and complexity of physical devices, but they still require building, scaling, and managing virtual machines (VMs), and the effort to add SPAN ports and traffic mirroring in hundreds of locations is daunting. Inevitably, blind spots exist because parts of the network will always be out of scope for DPI or unable to be seen by it.

Cloud flow logs are disparate. Individual cloud service providers (CSPs) can provide good visibility mechanisms for their specific cloud environments. But according to the Flexera 2022 State of the Cloud Report (PDF), 89% of organizations report having a multi-cloud strategy, and different CSPs offer different capabilities, all with gaps. Additionally, few standards exist, so the type of data, how that data is captured, and the level of visibility each CSP offers all vary. Understanding those differences, which of them matter, and whether they are substantial requires specific expertise. Visibility is also compartmentalized, so seeing traffic moving to, from, between, and even within clouds is a challenge. Finding a way to pull together disparate cloud flow logs and normalize the data so you can look at it with one set of eyes, without having to context switch between CSPs, is a heavy lift.

Endpoints are everywhere and not all can support agents. Endpoint detection and response (EDR) is the new hot tool for a reason: it solves a lot of problems. However, customers and prospects tell us their EDR coverage of endpoints is in the range of 60-70%, and that figure does not account for network gear like routers and switches. There are plenty of other devices that connect to their corporate network that also don't support agents or are out of their control. Think about point-of-sale (POS) systems, HVAC systems, IoT devices, and smart TVs. Additionally, there are myriad devices they aren't even aware of because of the bring-your-own-device (BYOD) environment and the work-from-anywhere model, which introduces additional rogue devices connecting through home and Wi-Fi networks. If you can't account for the full mix of endpoints, you have gaps.

Evolving our approach to network visibility and security

To close the gaps DEED environments and conventional tools are creating, we need a different approach that enables us to visualize network traffic at a higher level, across the number and types of environments and devices in use today, without having to capture and decrypt packets. It turns out metadata and context are the keys.

Metadata in the form of flow data provides a passive and agentless approach to network traffic visibility across multi-cloud, on-premises, and hybrid environments, covering every IP address and every device. And because metadata describes network traffic without including sensitive or private payload data, you can collect and store it with fewer compliance or regulatory concerns.

Bringing all that streaming metadata into a single platform, normalizing it, and enriching it in real time with both open-source data and organization-specific context data gives diverse teams one place to go and one common language to use to gain a complete picture of what's happening. They can focus on what's relevant to them without needing specialized knowledge to make sense of each provider's flow data, or turning to separate store-and-query platforms for additional lookups that can take hours to answer.
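One way to do that normalization and enrichment step, as an added example that is not Netography's or the author's code: it maps a constructed AWS VPC Flow Log line and a constructed GCP VPC Flow Log record onto one common schema and tags each flow with constructed asset context. The ASSET_INVENTORY, the sample records and the function names are assumptions; the field layouts follow each provider's documented format.

```python
# Added example, not Netography's code: normalize AWS and GCP flow records into one schema
# and enrich them with constructed organizational context. Field layouts follow the documented
# AWS VPC Flow Log default format (version 2) and the GCP VPC Flow Log jsonPayload.
from datetime import datetime, timezone
# Constructed context: who owns which address and whether it can run an agent.
ASSET_INVENTORY = {
    "10.0.1.20": {"asset": "pos-terminal-07", "owner": "retail-ops", "agent": False},
    "10.0.2.5": {"asset": "hvac-controller", "owner": "facilities", "agent": False},
}
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers to names

def parse_aws(line):
    """AWS default format (space separated): version account-id interface-id srcaddr dstaddr
    srcport dstport protocol packets bytes start end action log-status; times are epoch seconds."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError("not a version-2 AWS VPC flow record")
    return {"cloud": "aws", "src": f[3], "dst": f[4], "sport": int(f[5]), "dport": int(f[6]),
            "proto": PROTO.get(int(f[7]), f[7]), "packets": int(f[8]), "bytes": int(f[9]),
            "start": int(f[10]), "end": int(f[11]), "action": f[12].lower()}

def parse_gcp(record):
    """GCP VPC flow log: connection 5-tuple, bytes_sent/packets_sent, RFC 3339 UTC times.
    VPC Flow Logs carry no action field (denies are in firewall rule logs), so accept is assumed."""
    p, c = record["jsonPayload"], record["jsonPayload"]["connection"]
    epoch = lambda ts: int(datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp())
    return {"cloud": "gcp", "src": c["src_ip"], "dst": c["dest_ip"], "sport": int(c["src_port"]),
            "dport": int(c["dest_port"]), "proto": PROTO.get(int(c["protocol"]), str(c["protocol"])),
            "packets": int(p["packets_sent"]), "bytes": int(p["bytes_sent"]),
            "start": epoch(p["start_time"]), "end": epoch(p["end_time"]), "action": "accept"}

def enrich(flow):
    """Attach asset context to either endpoint and flag flows that touch an agentless device."""
    flow["agentless"] = False
    for side in ("src", "dst"):
        ctx = ASSET_INVENTORY.get(flow[side])
        if ctx:
            flow[side + "_asset"], flow[side + "_owner"] = ctx["asset"], ctx["owner"]
            flow["agentless"] = flow["agentless"] or not ctx["agent"]
    return flow

def normalize(aws_lines, gcp_records):
    """One schema for both providers, so a query no longer depends on which cloud emitted the record."""
    return [enrich(parse_aws(l)) for l in aws_lines] + [enrich(parse_gcp(r)) for r in gcp_records]

# Constructed sample records in each provider's layout.
SAMPLE_AWS = ["2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.9 49152 443 6 20 4300 1676880000 1676880060 ACCEPT OK"]
SAMPLE_GCP = [{"jsonPayload": {"connection": {"src_ip": "10.0.2.5", "dest_ip": "198.51.100.7",
    "src_port": 51000, "dest_port": 8883, "protocol": 6}, "bytes_sent": "900", "packets_sent": "12",
    "start_time": "2023-02-20T08:00:00Z", "end_time": "2023-02-20T08:00:30Z"}}]
```

Calling `normalize(SAMPLE_AWS, SAMPLE_GCP)` yields two records with identical keys, each marked `agentless` because one endpoint is a device the inventory says cannot run an agent.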

Evolving our approach to security to get to where we need to be starts with using data we already have and providing teams with one place to go for a unified view of all that data, and one common language, so they can focus on the problems they want to solve. It's a less-is-more approach that closes gaps for real-time detection, real-time investigation, and real-time remediation, and enables security teams to evolve to defend their atomized network.

Matt Wilson is the Vice President of Product Management at Netography. Over his 25+ year career, Matt has held senior technology leadership positions across numerous industries including Neustar, Verisign, and Prolexic Technologies. With a rich background in innovation and go-to-market strategies, Matt has been a critical leader in helping many companies conceptualize solutions from the customer lens and drive them to market with significant impact.
