More focus on real-time analysis in coming years.
In a recent ESG (Enterprise Strategy Group) IT market research report, enterprise security professionals were asked to identify the primary objectives associated with their organization's network security strategy. It turns out that 40% of organizations plan to move toward continuous monitoring of all assets on the network, while 30% plan to capture more network traffic for security analytics.
This data supports a general trend: many organizations are rapidly increasing their activities around network security data collection, processing, and analysis. Of course, this isn't exactly news. Many enterprises have used security analytics tools based upon NetFlow for many years. Security analysts also have a history of including full-packet capture (PCAP) tools in their investigations. Many use open source software like tcpdump or Wireshark. NetWitness astutely recognized this use case a few years ago, built a successful business around PCAP collection and analysis, and ultimately cashed in when RSA Security came calling.
Why all the security focus on monitoring and real-time surveillance? As the old network security adage states, "the network doesn't lie." Yes, networks may hold secrets within encrypted traffic, but network traffic analysis can inevitably expose the Tactics, Techniques, and Procedures (TTPs) used in cyberattacks. If you look at network traffic from L2-7 and understand the connections, protocols, metadata, and content contained in the packets, you have almost everything you need to detect and respond to cyberthreats.
Organizations will focus more and more in coming years on real-time data collection, processing, and analysis. This is driven by:
- The capacity to analyse in real time. It will be possible to analyse behaviour in real time. Tools like Splunk and Mandiant will add an extra layer of protection and the possibility to analyse traffic and behaviour in real time.
- The use of packet-broker technology. Packet-broker technology from companies like Gigamon, Ixia, Netscout, and VSS Monitoring has become a staple within large enterprise and service provider networks. Security teams will likely take full advantage of packet brokers, as this type of overlay network can capture and route network data to centralized security analytics engines, a much more efficient method than installing probes, tapping into SPAN ports, or analyzing network data on a segment-by-segment basis.
- SDN. As SDN proliferates, networks will come with basic packet broker technology built in. This too will encourage greater collection, centralization, and analysis of network traffic. SDN may also accelerate the integration of security analytics and network security infrastructure to automate remediation actions.
- Cloud visibility. Aside from internal network security data, large organizations need similar visibility as they move more and more workloads to the cloud. Startups like Evident IO, Netskope, Threat Stack, and vArmour are intent on monitoring cloud activity while IBM, McAfee and Trend Micro are extending current products to place security eyes and ears in the cloud.
- NIC innovation. Vendors like Emulex and Solarflare can capture and process data at the NIC card level based upon rules and triggers. This capability can help security analysts filter through the noise at lightning speed so they can focus their investigations, so it's likely that this NIC card technology will gain traction, especially with cloud service providers.
- Bundled offerings. IBM, Lancope and LogRhythm are already adding network forensics to their existing security analytics offerings while vendors like FireEye, Hexis Cyber Solutions, and RSA Security offer analytics solutions that dig into security data across endpoint forensics, network forensics, and external threat intelligence. Splunk is also more than willing to gather and examine network traffic for security and IT operations purposes.
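The claim above that connection metadata alone exposes attacker TTPs, and the bullet on analysing behaviour in real time, are easier to see with a small streaming analyser. The following is an added example written for this page, not code from any vendor or product it mentions. It ingests constructed NetFlow-style records (timestamp, source, destination, destination port, protocol, bytes; the addresses and timings are made up) one at a time and, without ever looking at payload, raises two metadata-only detections: a source fanning out to many destination ports within a sliding window, and a source contacting one destination and port at near-constant intervals (beacon-like periodicity). Thresholds, window size and the coefficient-of-variation cutoff are illustrative assumptions, not tuned values.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

# Constructed NetFlow-style records (timestamp_s, src_ip, dst_ip, dst_port, proto, bytes).
# Sample values made up for this example, not captured traffic.
SAMPLE_FLOWS = [
    (0.0,   "10.0.0.5", "203.0.113.7", 443, "tcp", 512),
    (1.2,   "10.0.0.3", "10.0.0.20",   80,  "tcp", 2048),
    (2.0,   "10.0.0.9", "10.0.0.20",   21,  "tcp", 60),
    (2.1,   "10.0.0.9", "10.0.0.20",   22,  "tcp", 60),
    (2.2,   "10.0.0.9", "10.0.0.20",   23,  "tcp", 60),
    (2.3,   "10.0.0.9", "10.0.0.20",   25,  "tcp", 60),
    (2.4,   "10.0.0.9", "10.0.0.20",   80,  "tcp", 60),
    (2.5,   "10.0.0.9", "10.0.0.20",   110, "tcp", 60),
    (2.6,   "10.0.0.9", "10.0.0.20",   135, "tcp", 60),
    (2.7,   "10.0.0.9", "10.0.0.20",   139, "tcp", 60),
    (2.8,   "10.0.0.9", "10.0.0.20",   443, "tcp", 60),
    (2.9,   "10.0.0.9", "10.0.0.20",   445, "tcp", 60),
    (30.4,  "10.0.0.5", "203.0.113.7", 443, "tcp", 498),
    (45.0,  "10.0.0.3", "10.0.0.21",   53,  "udp", 80),
    (59.8,  "10.0.0.5", "203.0.113.7", 443, "tcp", 505),
    (90.1,  "10.0.0.5", "203.0.113.7", 443, "tcp", 511),
    (120.3, "10.0.0.5", "203.0.113.7", 443, "tcp", 500),
    (149.9, "10.0.0.5", "203.0.113.7", 443, "tcp", 503),
    (180.2, "10.0.0.5", "203.0.113.7", 443, "tcp", 509),
]


class FlowAnalyzer:
    """Streaming analyser that keeps only sliding-window metadata per source.

    No payload is inspected, which is what lets this work on encrypted traffic too.
    All thresholds are illustrative assumptions for the example.
    """

    def __init__(self, window=60.0, port_threshold=10, beacon_min=6, max_cv=0.1):
        self.window = window                  # seconds of port history kept per source
        self.port_threshold = port_threshold  # distinct dst ports that count as fan-out
        self.beacon_min = beacon_min          # flows needed before judging periodicity
        self.max_cv = max_cv                  # stdev/mean of gaps below this looks scheduled
        self.ports_seen = defaultdict(deque)  # src -> deque[(ts, dport)]
        self.pair_times = defaultdict(deque)  # (src, dst, dport) -> deque[ts]
        self.alerts = {}                      # alert key -> detail; first sighting wins

    def ingest(self, flow):
        ts, src, dst, dport, _proto, _nbytes = flow

        # Fan-out: many distinct destination ports from one source inside the window.
        hist = self.ports_seen[src]
        hist.append((ts, dport))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()  # expire records older than the window
        distinct = {p for _, p in hist}
        if len(distinct) >= self.port_threshold:
            self.alerts.setdefault(("fanout", src), {"ports": len(distinct), "at": ts})

        # Beaconing: near-constant inter-arrival time to one (dst, port) pair.
        times = self.pair_times[(src, dst, dport)]
        times.append(ts)
        if len(times) >= self.beacon_min:
            gaps = [b - a for a, b in zip(times, list(times)[1:])]
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg < self.max_cv:
                self.alerts.setdefault(("beacon", src, dst, dport),
                                       {"period_s": round(avg, 1), "at": ts})


def analyze(flows, **kwargs):
    """Feed flow records through a FlowAnalyzer in time order; return the alerts dict."""
    fa = FlowAnalyzer(**kwargs)
    for flow in sorted(flows, key=lambda f: f[0]):  # collectors may deliver out of order
        fa.ingest(flow)
    return fa.alerts


if __name__ == "__main__":
    for key, detail in analyze(SAMPLE_FLOWS).items():
        print(key, detail)
```

Run as a script, it reports the fan-out from 10.0.0.9 (10 distinct ports inside one second) and the roughly 30-second beacon from 10.0.0.5 to 203.0.113.7:443. The same ingest loop would sit behind a packet broker or NetFlow exporter feed; the state it keeps per source is bounded by the window, which is what makes the approach workable at line rate where a full-PCAP store would not be.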