As I’ve talked to numerous organizations about their Zero Trust journeys, one thing has stood out quite clearly: Security teams are struggling to understand what’s happening on their networks. While Zero Trust demands that you design your security architecture to protect everything in your organization as if it’s connected directly to the internet, the reality for practitioners is quite different. Corporate networks, OT networks, and so many other end user-managed networks haven’t magically disappeared, nor has the interconnectedness of those networks with cloud resources and anything else they’re accessing to get their jobs done. In some cases, that could even be their own employees’ networks. So how do security practitioners get the visibility they need?
The Log Ingestion Train To Nowhere
The number one question I get from security practitioners on the networking side of things, whether tactical or strategic, is “How can we get visibility into what’s happening on our network without all the manual work of analyzing network logs?” When I ask them what they’re doing today, they tell me that they were told to dump their network logs into their SIEM or security analytics solution to analyze and investigate for badness. Unfortunately, they also say they’re strapped for time, resources, or bandwidth (that’s a networking joke) to analyze the volume of network data alongside all their other competing priorities. All the while, they’re pouring money down the drain on ingestion and storage costs, left with unrealized use cases, a lighter wallet, and a very sad SOC.
Security Teams Have An Opportunity To NAV-igate To A Better Way
In my most recent report, Now Tech: Network Analysis And Visibility (NAV), Q4 2021, I took a pulse on the network analysis and visibility space, expecting to see it well saturated with the same players that were there from my time as a security architect. I was shocked and delighted to see the innovation taking place to make threat detection across hybrid infrastructure (yes, in the cloud, on-prem, and even incorporating ZTE/SASE solutions) significantly easier than it has been in the past.
NAV solutions offer upfront network traffic analysis for threat detection and shine a light on forgotten enterprise assets (here’s looking at you, weird, forgotten-about Windows 2000 machine that’s running some legacy business app everyone depends on). Oh, and shocker: you’ll find that most solutions require some sort of integration in order to respond to threats, so be prepared to incorporate that into your evaluation of the NAV vendors that make your shortlist.
As your enterprise pursues its security architecture goals, whether in the pursuit of Zero Trust or something else, take the following steps:
- Replace manual network analysis processes or tools. You may have an intrusion detection system (IDS) or some other system that you’re using to monitor part of your network that takes significant operational overhead to manage for very little value. NAV solutions can, in many cases, replace IDS with significantly more value, such as insight into traffic that is going outbound, coming inbound, and moving laterally within your network. You’ll be able to cover north/south and east/west (N/S/E/W) traffic without necessarily managing the tedium of IDS rules and overhead.
- Incorporate technologies such as NAV that help address your visibility gaps. These solutions can help detect early signs of ransomware or other destructive attacks well before they’re executed.
- Match your requirements to the kind of NAV solution you’re looking for. There are point solutions that will detect threats in network traffic out of the box but require a SIEM/security analytics solution for additional correlation with other security telemetry. There are NAV-plus solutions that let you natively integrate your EDR, IDaaS, and much more for additional threat detection and correlation. There are security analytics platforms with NAV as an add-on, where the network traffic is ingested and where you can create your own detections and correlations. Finally, there are solutions (such as XDR) that offer NAV as a feature, in which the sensors are deployed just like the other segments but all the analytics or threat detection is done automatically alongside the other sources of telemetry. I highly recommend checking out my colleague Allie Mellen’s report on XDR for guidance on the last piece.
Look out for my upcoming Forrester Wave™ report on the NAV solutions that are out there. The Wave analysis will arm your security team with an evaluation of the space to help drive you toward the right solution for your use cases.
If you have any interesting use cases or insights you’d like to share, please don’t hesitate to reach out to me on Twitter or LinkedIn. If you’re a Forrester client looking for advice or don’t know where to start, get an inquiry set up with me, and I’ll be happy to help you out!