There’s a growing belief that the network is dead. On the contrary, the network has never been more important for effective cyber security.
There’s a reason the “network is dead” line gets so much traction: things have changed a lot in a short amount of time. There’s been substantial growth in connectivity. Between VPNs and other tools, mobile devices, and Internet of Things (IoT) technology, networks don’t look the same as they did a decade ago. Consider also the increased connectivity from third-party partnerships and supply chains.
Just because the network has changed doesn’t mean it’s futile. There’s a saying in the security and IT world: the network doesn’t lie.
If an attacker finds a way inside your network, they’ll try to lay low to avoid detection. However, uploading attack tools or sending data from inside a network out generates activity that could expose their presence or, at the very least, raise suspicions. Attackers know that the network could give them away, so they take the time to muddy their trail as best they can.
Unfortunately, it takes time and money to understand your network. Even defining what’s “normal” for your network is a challenge, let alone being able to distinguish between regular and irregular behaviour. Good news for the attacker, not so much for the victim.
So how can an organization protect something so vast and ever-changing? There are several methods, but network visibility is a great place to start.
What is network visibility?
Network visibility is the idea that you are aware of everything moving within and through your network, and defines your company’s normal. Network visibility is integral to cyber security, even helping you achieve the first step in cyber situational awareness which includes knowing your network, your threats, and how to respond to those threats.
Network visibility makes it possible to:
- Understand where your company’s data is and how it’s used
- Identify where network traffic is coming from and going to
- Determine what user behaviour is normal and abnormal
- Know what software is in use on your network
- Locate vulnerabilities or misconfigurations on your network
By defining what is standard on a network, you can spot user and system behaviours that don’t match that standard—a technique often called anomaly-based threat detection.
Clear visibility is the key to protecting your network. You need to actively look for security gaps and vulnerabilities, cyber attacks, and performance issues to find them. If you don’t find them, you can’t fix them.
Unfortunately, not enough businesses have visibility of their network. There could be several reasons why this is the case—they may not understand the importance of network visibility, for example, or lack the tools and resources to get started.
One study found that only 32% of small businesses in the UK monitor user activity on their networks (and therefore have some degree of visibility). The good news is network visibility is increasingly common in mid-sized and large organizations.
Network visibility varies from organization to organization; the goal is to strike a balance between too much and too little. Given how much data can be present on even the smallest network, it isn’t realistic to review and analyze everything that happens. And while too much data can be noisy, overwhelming, and impossible to parse through, not having enough could mean you miss critical events. This is why it’s become necessary to use tools and automation to get that deep visibility.
Before we cover how to get the right level of visibility, we should dive a bit deeper into the benefits.
Why network visibility is important
Improved cyber security and faster threat detection
Network visibility paints the picture of your normal and makes it much easier to identify and stop malicious behaviour as it happens. For example, you could see if an internal actor is sending a strange volume of files out of the network or if an unauthorized user is opening sensitive documents.
Some newer technologies—including IoT devices such as connected speakers, thermostats, and even some appliances—can’t be protected in the same way as a laptop or phone. IoT devices generally don’t have the technical capacity to run endpoint security tools or software. However, by monitoring these devices at the network level, you can detect threats or vulnerabilities and improve your defence.
For example, network visibility could allow you to detect when an IoT device starts sending volumes of data out of your network, which could indicate a potential cyber attack. You could also see when a new device connects to your network which may be important to note, even if it’s not immediately cause for concern.
In addition to reducing the likelihood of an attack, network visibility is also useful while investigating and remediating attacks. Improved monitoring accelerates how quickly you can identify and contain threats, ultimately reducing the risk and impact of an incident.
Reduced vulnerabilities and blind spots
Similarly, good network visibility can expose vulnerabilities and minimize blind spots across your whole network. This is more critical than ever as organizations continuously adopt new applications, software, and tools—all of which can create new vulnerabilities. A recent study found that at least 85% of commercial applications have one or more “critical” vulnerabilities that increase cyber risk and the potential for compromise.
With a more in-depth view of your network, you can proactively search for vulnerabilities, such as unpatched or legacy operating systems, and resolve them before they are exploited by an attacker or lead to a bigger problem. With corporate networks expanding to include third parties, partners, and the supply chain, knowing and resolving these vulnerabilities is crucial.
The World Economic Forum (WEF) recently released a report asking global cyber security leaders about their challenges and solutions. Nearly 90% of respondents reported concerns about the small and mid-size enterprises (SMEs) in their ecosystem. They believed that the “SMEs connected to an organization’s network represent most vulnerabilities and are increasingly a target of cyber attacks.”
Their concerns seem to be warranted. In the last two years, 40% of respondents experienced an attack within their digital ecosystem that negatively affected their organization.
Align with cyber security frameworks
Several frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, recommend monitoring and visibility as a critical part of any cyber security plan.
NIST released a report titled Security and Privacy Controls for Information Systems and Organizations. Among the many other controls listed in this report, NIST recommends that organizations monitor their systems to detect:
1. Attacks and indicators of potential attacks
2. Unauthorized local, network, and remote connections
NIST says organizations can do this by using internal monitoring capabilities or deploying monitoring devices across their system to analyze and detect abnormal events.
The Canadian Centre for Cyber Security makes the same recommendations in Annex 3A of the Security Control Catalogue.
Optimize your network’s performance
Networks have grown in scale and complexity, especially recently with the quick rise in remote work, which can lead to configuration problems and network performance issues.
So beyond simply being a means to improve cyber security, visibility makes it much easier to identify traffic bottlenecks, bandwidth challenges, or unresponsive hosts, minimize latency, and optimize network performance.
Three steps to achieving network visibility
1. Effective and reliable data collection
Whether you’re operating a small business or mid-size enterprise, using automated tools to gather and analyze critical data is an easy and cost-effective way to gain visibility. Networks create a lot of data, trying to sort through it all manually is inefficient.
Using a tool takes out the tedium. However, there are many threat monitoring solutions on the market, each with different features and capabilities. Many cyber security solutions rely on text-based logs for information and analysis—but that approach has its flaws.
Logs are simply a text-based record generated by a program as it operates. They don’t provide the deep detail needed to understand or analyze everything that’s happening on your network. Also, threat actors can manipulate logs before they’re generated or delete them after an attack to hide malicious activity from the victim organization.
To achieve better network visibility, look for a cyber security tool that goes beyond logging for deeper understanding of what’s happening on your network.
That said, network visibility is more than just collecting huge volumes of data and storing them in a central location just in case. Greater visibility also depends on intelligent threat and vulnerability detection and analysis.
2. Expert-assisted threat analysis
The second step in achieving network visibility is analysis. The goal is to recognize important trends, separate the unusual from the routine, and receive the results in a clear, digestible format.
Unfortunately, many threat monitoring and detection tools struggle with this. They fail to eliminate false positives, which are alerts that incorrectly indicate the existence of a vulnerability or malicious activity, or that classify benign activity as suspicious. False positives limit or blur your network visibility, take your attention away from the areas that need it, and may lead to alert fatigue.
What is alert fatigue?
Cyber security alert fatigue can set in when people are constantly exposed to threat alerts, and over time become desensitized to them. Alerts may take the form of individual emails or push notifications.
On average, each alert takes at least ten minutes to investigate—and all that time adds up. According to one report, 75% of businesses said they spend as much time addressing false positives as they do genuine incidents.
Think about alert fatigue this way. No one wants to get an alert from their front door security camera every time a neighbour walks by with their dog or a gust of wind blows tree branches within view.
The security camera would send you notifications constantly, and you’d feel inclined to ignore the alerts or turn the feature off. The same concept applies to cyber security tools, which brings us to the third important step in achieving network visibility.
3. Contextual, easy-to-understand alerts
Network visibility requires a true understanding of what is wrong—vulnerabilities, cyber attacks, and other issues—and how to resolve it. How findings and data are communicated to you is integral. What good is data analysis if the main message gets lost in translation?
Clear, concise language is vital for knowing what next steps to take after an alert. You know something suspicious or malicious is happening on your network—what should you do to address it?
Not every business has access to a fully staffed team of experienced cyber security professionals. Tools that deliver alerts without context into what’s happening and why aren’t practical. It’s not always clear what action to take if an alert says something like:
“Incomplete login session at 2:43 am on 188.8.131.52.”
Businesses need more context and insights into what’s happening on their network and what they need to do about it. Something like this would be far more helpful and provide greater understanding:
“There is a sustained brute-force attack by thousands of remote IPs against the Remote Desktop Service located on DESKTOP-PC10 (10.20.32.12). It is advisable to firewall this system from the Internet and implement a VPN-based solution for remote access. Keep reading for more detailed steps or contact our experts for further assistance.”
Tools that limit noise during analysis and add context for alerts help you save time, avoid burnout, and understand your network.
Finding the right tools for network visibility
Building network visibility can be relatively easy—assuming you have a cyber security solution with the right features and capabilities.
Networks are complex because they hold a massive volume and variety of data. But that complexity is worsened because networks are continuously in flux—adding and removing machines, changing configurations, and more. The result is a noisy environment that traditional cyber security tools can’t handle.
In response, many cyber security vendors say that the average organization needs several tools to cover network security needs. There’s one for handling traffic, another for mobile devices, another for servers, the list goes on. But that’s not exactly true. There are cyber security solutions on the market with the scalability and power needed to protect dynamic networks.
Covalence is a holistic cyber security solution covering your endpoints, network, and cloud all from one platform. It combines best-in-class network telemetry analysis with 24/7 support from cyber security experts for the world’s most in-depth network visibility. Covalence monitors all traffic to detect vulnerabilities and even the most sophisticated cyber attacks.
Get the network visibility you need to keep your company secure. Reach out to one of our experts today to learn more about Covalence.