The Travel Bug: NetSec Edition
By Mal Fitzgerald, Sales Engineer
As a network admin, I planned, built, maintained, and monitored networks for years. I was lucky enough to travel the world, implementing my network designs in every office my company owned and operated, many times in countries with massive logistical challenges.
This level of control over design and implementation turned out to be both a gift and a curse. It afforded me the luxury of knowing how the networks were planned and designed, arguably making the monitoring and visibility of those networks much easier, but it also put the expectation of such monitoring and maintaining squarely on my shoulders.
During the course of my time running these networks, I utilized numerous tools and platforms in an attempt to monitor these networks as well as keep outages and security concerns to a minimum. Every tool brought its strengths, such as the ability to dashboard my environment using my photographer’s eye, or canned, out-of-the-box detections to help understand when my network might have deviated from the norm. While each tool had strengths, they also, unfortunately, had some weaknesses.
The most glaring weakness was simply blind spots. Every tool I used had some shortcoming in taking in data from different parts of my network, leaving me with obvious blind spots that I would supplement with even more tools. Secondly, dashboard sprawl and dashboard-by-committee made the platforms too cumbersome for my colleagues to learn and use.
Finally, those out-of-the-box detections would be too bland. My network is uniquely my network, with its own traffic patterns and asset dependencies. With no way to build and apply context around the assets in order to fully mold my detections, it became a one-size-fits-all hat, and that hat usually didn’t fit all that well.
What I needed was a three-pronged approach to network and network security monitoring.
First, I need real, complete network visibility. It cannot stop at the data center and leave all my remote sites blind. It cannot sit only at the core and ignore collision areas. It cannot ignore the public cloud providers and hope another tool will handle that part of the network. I need a tool that can normalize data from every inch of my network so I can go from big picture, down to small ones, or, gasp, show me when my assets cross those different network boundaries.
Second, I want to be able to build dashboards that fit my workflow and style, but be able to quickly filter the dashboard by site, subnet, or source, thereby making them “dynamic”. This means my experience is repeatable, easy to understand, and keeps me away from the dreaded “dashboard sprawl”. Clear, dynamic dashboards that can explain what an analyst is looking at, and the ability to simply change the view to a different part of the network without switching dashboards softens the barrier to adoption for all of my colleagues.
Lastly, I need the ability to mark, tag, or label my assets as I see fit. I know which assets are domain controllers on my network. I know which web servers can converse with which database servers. I know which assets are DNS servers and I know which DNS servers are allowed to recurse out to the internet. I’ve built these policies and need my monitoring platform to utilize this intel. Once I’ve got my assets marked, I then need to be able to quickly and easily (without having to round the moon) implement detections when one of my assets is performing outside of these set policies. This now ensures my detections are not simply the same ones the vendor’s 300 other customers receive, but actually tailored SPECIFICALLY to my environment, making them far more valuable, and with far fewer false positives.
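The tag-driven detection idea above, as an added illustration (not Netography's code or query language): assets carry labels, a small policy table states which pairs may talk, and a detection fires only when a labelled asset acts outside its stated policy. All addresses, tags and flow records are constructed for the example.

```python
# Added example: policy-aware detections over labelled assets (constructed data, not a product API).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory: which addresses carry which labels.
ASSET_TAGS = {
    "10.0.1.10": {"dns_server", "allowed_recursive"},  # DNS server permitted to recurse out
    "10.0.1.11": {"dns_server"},                        # internal-only DNS server
    "10.0.2.20": {"web_server"},
    "10.0.3.30": {"db_server"},
    "10.0.3.31": {"db_server"},
}
# Constructed policy: the only web-to-database pairs that are allowed to converse.
WEB_TO_DB_ALLOWED = {("10.0.2.20", "10.0.3.30")}
# Constructed definition of "my network" for the recursion check.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> list[str]:
    """Return the tailored detections this flow violates (empty list if it is within policy)."""
    findings = []
    src_tags = ASSET_TAGS.get(flow.src, set())
    dst_tags = ASSET_TAGS.get(flow.dst, set())
    # A DNS server may only recurse to the internet if it is explicitly tagged for it.
    if ("dns_server" in src_tags and flow.dport == 53 and not is_internal(flow.dst)
            and "allowed_recursive" not in src_tags):
        findings.append("unapproved-dns-recursion")
    # Web-to-database traffic is expected only for pairs listed in the policy table.
    if ("web_server" in src_tags and "db_server" in dst_tags
            and (flow.src, flow.dst) not in WEB_TO_DB_ALLOWED):
        findings.append("unapproved-web-to-db")
    # Anything else reaching a database server is not a known client of it.
    if "db_server" in dst_tags and not (src_tags & {"web_server", "db_server"}):
        findings.append("untrusted-db-client")
    return findings
```

Because the checks key off labels rather than raw addresses, adding a new web server means tagging it and extending the policy table, not rewriting the detections.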
That’s what we’ve built here at Netography. We’ve given network security engineers the ability to monitor their entire network from the same portal, no matter where the network traffic originates, with no hardware to deploy. Within that portal, which we call a Network Defense Platform (NDP), we have delivered the ability to visualize, investigate, detect, and respond to that data quickly and efficiently. Our dynamic dashboarding capabilities, combined with a natural language query system, allow ease of use and fast learning when faced with large-scale, diverse networks. We then incorporated tagging and labeling so you can truly make that network your own. Finally, we have a simple-to-use detection capability built on that same natural language querying, so you and your analysts can build the right detections tailored to your environment. That way you know the detections you are reviewing are specific to your environment.
So the next time you stand up a new network, be it a new office, cloud provider, or even a brand-new data center, you can be assured you will have a single tool that you and your network and security operations colleagues can use to monitor that network, without needing to play swivel-chair security or that old game of telephone (remember those cans and wires?) to solve issues.