Beyond IP Addresses: Getting to Context of Value
By Dan Ramaswami, Vice President of Field Engineering
Netography is shaking up conventional ways of addressing network visibility and control because the approach the security industry has taken historically is no longer effective as networks become atomized. One important paradigm shift is in how we detect threats and behaviors. Instead of the classic “IP address to IP address” mode of looking at communications, we’re shifting to “who is doing what with what”. The approach is allowing operational teams to mine data differently and be more proactive. Even during and after an attack, customers are able to find and stop the bleeding faster.
Think about firewall logs, which use information including source IP/destination IP, source port/destination port, and the size and duration of the conversation to determine if something should be denied or allowed. Today, detection and response isn’t solely about IP-to-IP communications and blocking them. It’s about determining which user is accessing which application, at what time, from which device, to determine if something is malicious or even out of compliance or of concern to governance. Netography collects flow data – metadata that is very similar to that of firewall logs – both from on-prem devices and cloud providers, and then decorates this metadata with organizational context at ingestion. Customers instantly have all the information they need to make better detection and response decisions more easily and faster.
From IP to IP, to person to service and more
With the heightened focus on social media platform usage, here’s a timely scenario that illustrates the difference between the two approaches. Say you have information that this IP address is talking to that IP address. Then you look at the time and it’s 3:00 am. Drilling down further, you see that the communication is happening over port 443 and that the IP address it is talking to is a TikTok address. Is that normal and is that ok?
When we apply context, we shift the IP to IP view to a contextual view which shows that it’s your sales administrator looking at TikTok from their workstation in the office at 3:00 am. Does anyone else see a problem with this? Because I do. It’s pretty clear this is a connection that we should tear down, and put safeguards in place to prevent in the future.
On the other hand, let’s say that additional context indicates it was a security guard’s cell phone on the guest network accessing TikTok. It’s somewhat disconcerting that your security guard is looking at TikTok at 3:00 am because that means they aren’t looking at your security monitors at 3:00 am. But it’s probably not as concerning as in the first scenario because the guest network is walled off and treated like a DMZ.
The point is that, unlike looking at IP-to-IP traffic only, contextually relevant information enables us to delineate and detect what’s right and wrong, with the confidence to take action.
Getting to context of value
So, how do you go about gathering all this information? Context lives in all kinds of places.
- Endpoint detection and response (EDR) systems provide a fantastic amount of information about the endpoint, including who logged in, the last time policies were updated, patch levels, and BIOS information.
- Configuration management databases (CMDB) can tell us what patch levels should be so we can compare that to what the EDR says they actually are.
- Active Directory provides a lot of organizational information about the user, including what department they are in, their management structure, and where they are physically located.
- We can import network infrastructure from repositories such as Confluence, and use this to identify physical IP locations.
There’s a ton of information to glean from these data sources, and when we use it to decorate the flow data a whole new realm of network visibility and control opens up. Whether you’re in hunting or response mode, knowing what you have to worry about and identifying what you don’t have to chase can mean the difference between wasted effort and a minor incident, or between a minor incident and a major headache.
Winnow the wheat from the chaff
However, customers also have to figure out what context is important, not just where to get it. You can run into data storage constraints when you apply context labels to every piece of data that is available. The trick is to think through what matters for a given point in time and a given occurrence, so you understand which data points are relevant to making a decision.
At Netography, part of our customer experience (CX) approach is to work with customers to ferret out context of value, which is different for every organization. Back to our TikTok example, some organizations have policies that state no one can use any social media or media distribution outlet. Others say marketing can use all platforms, sales can use some, and partners and contractors can’t use any. Being selective about the data we need (e.g., the department a user is in and perhaps their grade level) and what we don’t (e.g., a user’s cell phone number) allows us to very clearly delineate behavior that is in scope or out of scope for the user’s area of responsibility and ensure constraints are being adhered to.
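As an added illustration of the two preceding sections (not Netography’s code or product), here is a small Python sketch of the pipeline they describe: a raw flow record is decorated at ingestion with context pulled from EDR, Active Directory and a network inventory, keeping only the context fields of value, and is then judged against a per-department social media policy. Every data source, address, user, department and policy value below is a constructed stand-in.

```python
from ipaddress import ip_address, ip_network

# Constructed context sources standing in for EDR, Active Directory and a network inventory.
EDR = {"10.1.5.23": {"user": "asmith", "device": "WS-0417"}}            # managed endpoints only
AD = {"asmith": {"department": "sales", "grade": "L3", "cell": "555-0100"}}
NETWORKS = {"10.1.0.0/16": "corp", "192.168.50.0/24": "guest"}          # guest is walled off
DEST_APPS = {"203.0.113.0/24": "tiktok"}                                 # constructed app label
POLICY = {"marketing": {"tiktok", "linkedin"}, "sales": {"linkedin"}, "contractor": set()}
CONTEXT_OF_VALUE = ("department", "grade")  # keep these AD fields; drop the rest (e.g. cell)

def lookup_prefix(table, ip):
    """Longest-prefix match of ip against a {cidr: value} table; None if no match."""
    addr = ip_address(ip)
    best = None
    for cidr, value in table.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else None

def enrich(flow):
    """Decorate a raw flow record with organisational context at ingestion."""
    rec = dict(flow)
    rec["zone"] = lookup_prefix(NETWORKS, flow["src_ip"]) or "unknown"
    rec["dest_app"] = lookup_prefix(DEST_APPS, flow["dst_ip"]) or "unknown"
    endpoint = EDR.get(flow["src_ip"], {})          # unmanaged devices yield no identity
    rec["user"] = endpoint.get("user")
    rec["device"] = endpoint.get("device")
    identity = AD.get(rec["user"], {})
    for field in CONTEXT_OF_VALUE:                  # selective decoration keeps storage bounded
        rec[field] = identity.get(field)
    return rec

def evaluate(rec):
    """Return (verdict, reason) for a decorated record using department policy."""
    app = rec["dest_app"]
    if app == "unknown":
        return "allow", "destination is not a tracked application"
    if rec["zone"] == "guest":
        return "notice", f"{app} from an unmanaged device on the walled-off guest network"
    allowed = POLICY.get(rec["department"], set())
    if app in allowed:
        return "allow", f"{app} is permitted for {rec['department']}"
    return "block", f"{rec['user']} ({rec['department']}, {rec['device']}) to {app} at {rec['start']}"

FLOWS = [  # constructed flow records, similar to firewall-log metadata
    {"src_ip": "10.1.5.23", "dst_ip": "203.0.113.7", "dst_port": 443, "bytes": 48213, "start": "03:00"},
    {"src_ip": "192.168.50.9", "dst_ip": "203.0.113.7", "dst_port": 443, "bytes": 9120, "start": "03:02"},
]
```

Running `evaluate(enrich(flow))` over `FLOWS` yields "block" for the sales workstation and only "notice" for the guest-network device, and the cell phone number from the directory never reaches the stored record.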
Way beyond IPs, context of value is where we need to be right now and our CX team will help you get there.