Technology-focused organizations typically have a heavy reliance on IT environments. Whether it’s the use of expensive software, complicated hardware configurations or large business networks, it’s...
5/9/2019
Monitoring a network and staying on top of everything it does is a huge task. If significant activity stays hidden, hostile penetration and runaway processes can go unnoticed. Achieving 100% network visibility is a daunting task, but a well-run network stays close to that goal. It makes sure that nothing important is happening that isn’t being tracked.
Even moderate-sized networks have workstations, servers, network devices, and cloud connections. Mobile devices come and go. It takes a solid, ongoing effort to keep a high level of visibility. Blind spots in a network are security risks, and they make it hard to identify bottlenecks and wasted resources.
When a security incident occurs, thorough visibility helps to track it down and remove its causes. Gaps in visibility leave places where malware can remain undetected. It can re-establish itself even after it seems to be removed.
What is network visibility?
Let’s look at the concept of network visibility in more detail. Huge amounts of data pass through a network. Tracking every packet would be a hopeless task, even for the most advanced tools. What is necessary is to identify:
-
- The places where data is going
-
- Where the data is coming from
-
- The type and purpose of the data
-
- Its authorization or lack of any
-
- The quantity of data, at least in rough terms
Visibility depends on network monitoring, but also on analytical tools that turn a huge mass of information into a form that allows recognition of important trends and issues. They need to separate the unusual from the routine, extract important trends from large amounts of data, and present the results in a usable form.
A key issue is defining the network perimeter. It doesn’t include just workstations and whatever is in the server room. Cloud services with network access count. So do mobile devices that come and go. IoT devices may sit anywhere in the building or even outside it. A VPN may extend the network to employees’ homes. If a device or process has network access, its interactions need to be visible.
Visibility means different kinds of information for different people. Top executives want an overview that is heavy on business issues rather than technical ones. System administrators want a technical overview of the network, with attention focused on whatever may cause trouble. Security analysts need any information that will help them identify vulnerabilities and intrusions.
The benefits of network visibility
Good visibility makes managing a network easier in many ways.
-
- Threat management: A threat moves through a network to get past protections and establish itself. It typically starts with a piece of code planted on a workstation or Web server. From there it loads additional code and moves laterally to get at the valuable data. Visibility aids in tracking the malware lifecycle. It gives IDS, SIEM, and SOAR systems access to all the information they need to spot security issues.
-
- Bandwidth tracking: Inefficient data movement slows down a network. If a data path has become a bottleneck, upgrading a connection or reconfiguring the network could make everything run faster.
-
- Identifying unauthorized use: Not all unauthorized uses of a network are malicious, but they can compromise security and degrade performance. “Shadow IT” is a problem in many organizations. Installing software or devices without going through the IT department can help to get someone’s job done, but it creates security risks. Knowing about it makes it possible to judge its risk and take action if necessary.
-
- Troubleshooting: When something goes wrong, the cause isn’t always obvious. Visibility aids in finding connections that have become unreliable or processes that are unresponsive. It’s especially useful when the unplanned interaction of processes and services impacts performance in a big way.
-
- Downtime reduction: Full information on network problems not only allows quicker fixes, it lets administrators confirm that the problem really is gone. If network insights show that performance is still off, they should keep looking. There will be fewer cases of having to go back and re-investigate an issue.
Network visibility and security
Firewalls, vulnerability scanning, SIEM systems, and other forms of security protection work well only when they cover the whole network. Sometimes services run and ports are open because an installation process created them by default. No one reviewed their configuration, their passwords (if any) are publicly known defaults, and they could provide easy access to unauthorized parties.
SIEM works by analyzing logs from all parts of the network. Any log from a network-reachable service or application can provide important information about active threats. Complete network visibility makes it possible for SIEM to access all relevant logs and incorporate their information into security analytics.
Transient devices, such as smartphones, are a security risk when poorly managed. Their owners may have been careless, allowing malware and spyware on their devices. Network visibility lets administrators determine if their usage complies with policies and their usage shows signs of malicious activity.
Some security measures make visibility more of a challenge. End-to-end encryption is great for avoiding espionage and man-in-the-middle attacks, but it lets only the endpoint see the traffic. Websites routinely use SSL/TLS encryption, but it keeps security tools from inspecting packets and detecting threats. Smart firewalls and network packet brokers with access to the decryption certificates can inspect network traffic and provide reports. Of course, any components with the ability to decrypt traffic need to be carefully protected.
If security requirements preclude decryption except at the endpoint, other techniques are available. It’s still possible to track the IP addresses and ports being used, watch for unusual quantities of traffic, and catch expired, misconfigured, and self-signed certificates. Monitoring systems should watch internal traffic for machines that don’t normally talk to each other; whether the traffic is readable or not, it suggests something has gone wrong.
Every point of access to the Internet needs to be secured, and internal traffic needs to be checked for anomalies. Doing this requires knowing all the points in a business’s network. A network with visibility gaps is constantly at risk.
Cloud issues
A network’s perimeter doesn’t stop with the machines that a business physically controls. Cloud services are part of the network if they have access to it. Most businesses today use them to some extent, and their usage has greatly increased in 2020 as more people have been forced to work at home. Responsibility for them is shared between the cloud provider and the customer, and both need to know what they have to do.
In a recent survey of federal government IT influencers and decision makers, 87% said that network visibility is a strong or moderate enabler of cloud infrastructure. Cloud visibility is an art in its own right, and it’s vital for cloud security.
Services on the IaaS and PaaS levels are, for practical purposes, simply additional machines on the network. However, they’re much more dynamic and elastic. Virtual machines come into being when needed and vanish a minute later. Containers multiply by the thousands, each one running one or more processes.
SaaS puts more of the management burden on the provider, but the customer has important responsibilities. Its power comes largely from its integration with other services. A popular service such as Salesforce could have connections to email, payment, conferencing, database, and analytics systems. These connections need to be monitored for improper use and data leaks. Unauthorized access at any point could let an intruder get at the data from all of them if they aren’t sufficiently separated.
If a business uses cloud services from multiple providers, the situation gets more complicated. They talk not only to on-premises systems but to each other, so the data paths never go through the machines the network directly controls. Fortunately, cloud services provide ways to monitor and log their interactions with other services.
Cloud services are apt to proliferate as separate groups make their respective business decisions. Money is wasted on redundant expenditures. Keeping cloud usage visible lets a business plan its cloud expenditures more wisely and economically.
A hasty move to the cloud can hurt network visibility. Monitoring of on-premises systems uses well-known methods. Finding new tools and techniques is necessary. IT departments may have to play catch-up to make sure they keep all the network services in their sights.
Mobile and IoT issues
Even the smallest devices pack a lot of computing power. At the same time, they’re the hardest to keep track of. Devices on the Internet of Things are everywhere, and they’re easy to forget. It’s been estimated that 35 billion IoT devices will be in use by the start of 2021. That’s more than four for every person in the world. Applying security patches to them is often difficult or impossible, so they pose a risk out of proportion to their size. Keeping them visible and tracking their activity is essential.
IoT devices are a problem because there are so many of them and they have limited management capabilities. They’re notorious security risks and favorite targets for botnet malware. Infecting them in large numbers gives criminals a tool for DDoS attacks and vulnerability probing on a large scale. Without thorough network visibility, their activity might not be spotted for a long time, if ever. Unimportant as they seem individually, visibility of IoT devices and their network behavior is crucial.
Mobile phones and tablets present a different but related problem. Employees like BYOD policies, which let them use their familiar personal devices at work. Smartphones and tablets come and go, and an organization can’t control them as tightly as its own devices. They aren’t an easily tracked inventory but an ongoing flow of new devices with limited central control.
Remote access over a VPN raises similar concerns. Employees who have to work from home use their own machines, and they aren’t as tightly controlled as computers that a company owns or leases. New machines will appear from time to time. If an employee loses control of an access key, the VPN could be compromised. Tracking the activity of off-site machines and identifying anomalies is hard but important.
A fully visible network needs to keep track of all its devices, including IoT and mobile devices. It has to track how much they’re using in network resources. When they do something dangerous, administrators and security teams should be able to locate the source of the activity quickly.
Wireless networks
Wi-Fi supports mobile devices and reduces the need for cabling. A company that uses it in its network, though, has to use it intelligently. They need to employ secure protocols so they won’t be vulnerable points. Unauthorized access points may appear, perhaps installed by employees who find the existing ones inadequate. If access points are overloaded, upgrading them will make everyone’s work easier.
With the right visibility tools, network managers can make sure that wireless access points are working well and aren’t security risks. They can decide where the wireless network needs enhancement.
Organizational opportunities and benefits
The benefits of network visibility go far beyond the IT department. A highly visible network gives a business a better return on investment and reduces the chances of unexpected costs.
-
- Planning for growth: Knowing how heavily network paths are being used aids in planning upgrades. The identification of overloaded devices and inadequate data rates will let a business choose the expenditures that will give the greatest performance improvement for the money.
-
- Budget allocation: The more that is known about network traffic, the more accurately a company can allocate costs among its departments and activities. It can better determine which parts are profitable and which have higher costs than expected. Where costs are excessive, it can look for less expensive alternatives.
-
- Reducing shadow IT: Shadow IT isn’t always bad as such, but it’s hard to track it and attribute IT costs accurately. Redundancy when several departments are independently using the same service or licensing the same software increases expenses. Done wrong, as it often is, it opens up security risks. Knowing what resources everyone is using makes it easier to coordinate them and keep costs down.
-
- Discovering excessive personal use: Most organizations accept some level of personal use of the network, but it can run to excess. If watching videos or playing games consumes a significant proportion of the available bandwidth, it’s important to know about it and decide what to do.
-
- Setting policies: After finding out how network resources are being used, an organization can intelligently set its policies. They can limit the use of personal devices, restrict or prohibit the use of some sites and services, or prescribe authorization procedures. It’s also possible that the information from internal monitoring will show that there’s nothing important to clamp down on.
-
- Selecting preferred services: Visibility helps in consolidating the use of similar services. Consolidation aids in the communication of data between groups and reduces costs. If no one knows that the redundancy exists, it isn’t possible to replace it with a more consistent system. The more that is known about its network, the more readily a company can make informed decisions about which services to use.
Seeing and foreseeing
The nineteenth-century economist Frederic Bastiat wrote:
In the department of economy, an act, a habit, an institution, a law, gives birth not only to an effect, but to a series of effects. Of these effects, the first only is immediate; it manifests itself simultaneously with its cause — it is seen. The others unfold in succession — they are not seen: it is well for us, if they are foreseen.
This is true not only of national economic policy but of network management. Visibility starts with the current situation, with what is seen, but it continues into foreseeing future developments. Network visibility with analytic tools lets an organization extrapolate its future resource usage.
Is the use of certain services constantly increasing? Are some intrusion tactics becoming more common? Is the Internet connection’s bandwidth approaching saturation? Is downtime getting better or worse? Information on these points lets management foresee future requirements. Systems and subscriptions can be expanded or reconfigured to anticipate the needs of next year or five years from now. Upgrading based on advance planning is less expensive and disruptive than upgrading to fix an immediate problem.
How to improve network visibility
Without constant effort, network visibility will decrease over time. Configurations change, machines and cloud services are added, and the network keeps growing in size and complexity. Keeping a steady level of visibility requires constant effort. However, Improving it, if it was inadequate, requires even more.
No single tool will cover every corner of a network. A variety of methods are needed to cover Internet traffic, internal connections, servers, workstations, access points, IoT devices, and mobile devices. As the systems evolve, new techniques will have to be added.
BitLyft AIR® offers a comprehensive approach to network security and visibility. It includes SIEM to keep an eye on every part of the network and SOAR to orchestrate tools and automate the tracking of information flows. A Security Operations Center backs up the tools with expert analysis. Any serious anomalies in your network will get prompt attention. To learn more about how we can improve your network visibility, schedule a consultation with one of our experts.
