Don’t Misdefine Network Security in 2024: Include On-Prem and Cloud
By Martin Roesch
It’s always worth examining why things are the way that they are. So, why does network security only exist in on-prem networks and not in cloud networks? The theory of the cloud was that we shouldn’t have to worry about the network. Unfortunately, that’s not true. The reality is that because traditional approaches for on-prem network security that rely on Deep Packet Inspection (DPI) have never worked very well in the cloud, we went down the path of reinventing host-based security and log analytics for the cloud. Driving to an architecture that would work for network security in the cloud just wasn’t prioritized.
So today, in many ways, it’s 1995 in the cloud regarding security, with log analysis and endpoint security, while network security beyond firewalling isn’t really in the mix. That’s a problem. Unless we expand our definition of network security to include on-prem and the cloud, we can’t effectively defend today’s modern enterprise networks.
Challenges when the cloud is not considered part of the network
As I’ve written about before, it’s possible to use DPI in the cloud, but it’s not practical. Putting an agent on devices to inspect traffic creates management problems, not to mention the expense of the compute horsepower and memory required to do the inspection. Additionally, for a number of reasons related to privacy, security, and architecture, cloud providers generally don’t provide packets for inspection at scale.
However, there is a lot of valuable security information available on the cloud network. If you don’t have a good way to gather and analyze this data, you’re missing out on opportunities for greater comprehension of what’s happening minute-to-minute and detecting activities that are otherwise hard to detect in order to respond.
For example, you are likely to miss things that should never happen. Activities by the participants in the cloud – your users, applications, and devices – can indicate misconfiguration, a serious policy violation, or an attack. But they often don’t get picked up by log analysis, because log management platforms are set up to look for specific things: typically whether everything is working the way it should and whether anything matches the pattern of a known attack. Looking for what should never occur is not an out-of-the-box experience for the most part; it requires knowledge of the network and the participants, as well as instrumentation. When something truly goes off the rails, it won’t show up in dashboards or reports if the platform wasn’t instrumented to look for it, so you aren’t going to see it.
It’s also difficult to know with a high degree of certainty what is happening. There’s an inherent problem with letting the endpoint, the server, or the workload that’s facing the attack generate telemetry about what’s going on. A sophisticated attacker that takes control of a machine can turn the logging mechanisms off, disable agents, or even scrub the logs. It’s like Neo in the movie The Matrix. We don’t know if what we are experiencing is actually happening or if it is a response to a stimulus that someone is manipulating.
A distinct advantage of inspecting at the network level – on-prem and in the cloud – is that the network itself is a source of ground truth. You get a record of activity that happened on the network, and that’s it. It’s not as brittle as host-based, log-centric solutions, because the network infrastructure itself is generating this data, not the endpoint, the server, or the workload that may be under attack. As with DPI, where the packets on the wire are factually there and you can see them, the flow records we operate on represent activity that has actually happened.
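As an added illustration (not code from this post or from Netography), here is a small Python detector that applies "should never happen" rules to flow records using an asset-role inventory, the kind of context-plus-instrumentation the paragraphs above describe. The subnets, roles, rules and flow records are all constructed for the example, and each flow is assumed to be recorded from the initiator's side.

```python
import ipaddress

# Constructed asset context: which role lives in which subnet.
# Ordered so that the catch-all "internet" entry is matched last.
INVENTORY = {
    "10.0.1.0/24": "app",
    "10.0.2.0/24": "db",
    "10.0.3.0/24": "workstation",
    "10.0.9.0/24": "ot",
    "0.0.0.0/0": "internet",
}

# "Should never happen" policy: (initiator role, responder role) pairs that
# are never legitimate in this constructed environment, with a reason.
# Three of the four are East-West pairs that North-South-only DPI never sees.
NEVER = {
    ("db", "internet"): "database host initiated an outbound internet connection",
    ("internet", "db"): "database reached directly from the internet",
    ("workstation", "ot"): "workstation reached the OT network directly",
    ("workstation", "db"): "workstation bypassed the app tier to reach the database",
}


def role_of(ip):
    """Map an address to its role via first matching inventory subnet."""
    addr = ipaddress.ip_address(ip)
    for net, role in INVENTORY.items():
        if addr in ipaddress.ip_network(net):
            return role
    return "unknown"


def detect_never(flows):
    """Return the flows whose (initiator, responder) role pair is forbidden."""
    findings = []
    for flow in flows:
        pair = (role_of(flow["src"]), role_of(flow["dst"]))
        if pair in NEVER:
            findings.append({**flow, "roles": pair, "reason": NEVER[pair]})
    return findings


# Constructed flow records (src is the initiator of the connection).
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.10", "dport": 5432, "bytes": 8200},       # app -> db: expected
    {"src": "10.0.3.22", "dst": "203.0.113.50", "dport": 443, "bytes": 4100},    # workstation -> internet: expected
    {"src": "10.0.2.10", "dst": "203.0.113.50", "dport": 443, "bytes": 2200000}, # db -> internet: never
    {"src": "10.0.3.22", "dst": "10.0.9.7", "dport": 502, "bytes": 300},         # workstation -> OT: never
    {"src": "10.0.3.22", "dst": "10.0.2.10", "dport": 5432, "bytes": 900},       # workstation -> db: never
]

if __name__ == "__main__":
    for finding in detect_never(FLOWS):
        print(f'{finding["src"]} -> {finding["dst"]}:{finding["dport"]}  {finding["reason"]}')
```

Because the rules are written against roles rather than addresses, the same policy applies unchanged to on-prem NetFlow and to cloud flow logs once the inventory maps both address spaces.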
Portions of on-prem networks are also left behind
In on-prem environments that are increasingly dispersed, it’s problematic to get traditional DPI capability everywhere you need it. The ephemeral nature of workloads makes it difficult to have inspection capability in place when you need it. Encryption massively increases the cost of inspection. And the diversity of the environments – which often include OT and IoT environments – compounds the complexity even more.
Not to mention, the classic DPI model is primarily geared toward inspecting North-South traffic for threats, and that has turned into the “alert cannon,” where often 99.X% of the data it delivers to you is not useful. Given the architectures of these systems, budgets are rarely large enough to support inspection everywhere on the network. So, organizations make tradeoffs and typically can’t look at East-West traffic, because the expense of a comprehensive DPI deployment is not something most organizations can bear. Activities that would be easy to pick up and that reveal very distinct signs of compromise are missed in a North-South-only DPI environment.
Our definition of network security must be inclusive
We’re now 20 years down the road since the cloud got on the radar, entering our fifth year since the pandemic and the mass migration to the cloud, and dealing with a bifurcation of network security into different sets of tools for on-prem and the cloud, none of which address our needs particularly well. Very few people stop to think about how modern enterprise networks have evolved and whether we really want to keep trying to defend our networks using tools with architectures cemented in the 90s and early 2000s.
At Netography, that’s the thinking we’ve done and the challenge we have architected for. We believe network security should provide the capability to understand the users, applications, and devices across your entire environment – what they are doing and what is happening to them – in order to detect compromise and misuse and take action. That definition is the same, whether on-prem or cloud. How we approach network security can and should be the same because the same foundations of computing underlie both on-prem and cloud networks.
Our Network Defense Platform (NDP) operates at that foundational level to present a comprehensive and reliable picture of what is happening in both your on-prem environment and your multi-cloud world. Whether Amazon Web Services, Google Cloud, IBM Cloud, Microsoft Azure, or Oracle Cloud, network activity is network activity, and the transactional records are the same.
Leveraging enriched metadata, Netography Fusion® characterizes and analyzes the activities of all the participants in an environment using context to add richness to the conversations and activities happening between them. Inspecting North-South and East-West traffic equally well at scale, you see the activities and the changes in the activities to detect what should never happen so you can take action.
Because Netography Fusion is a cloud-native platform, you can deploy it where and when you need it. And a single console delivers the same experience to all your security teams. Breaking down walls that have existed for decades, with Netography Fusion, we are enabling network security everywhere with a holistic approach that encompasses today’s hybrid environments.