Spring is the time of year to break out of the winter doldrums by cleaning out the pantry, brushing the cobwebs from the ceiling and reviewing your visibility profile. What better time than spring to make sure your network is as clean as your house.
Assign the Task
The very first step is to assign responsibility for a visibility and security review to a leader or a small team. If there is no specific assignment, you can be sure that the process will flounder. Smaller organizations may only have one individual as the team. The important part of an assignment process, is to make it a project, not a “when I get around to it” idea. Without a specific project assignment and report due date, you can be sure it will languish behind short term “crisis” priorities.
Process and Training
There are many aspects of a strong network security profile that are not equipment related. These areas are often overlooked in favor of reviewing links, firewalls and monitoring tools. The hardware aspect, of course, is important but these areas should also be reviewed.
A good place to start is to review monitoring and security processes against industry best practices. Some questions to ask are:
What security processes are in place today?
Is there a standard document outlining safe IT practices?
When was the last training session regarding existing processes?
Are non-IT personnel included in these trainings?
Address compliance issues with new government regulations that may have been passed since the last review.
Review software and firmware updates to be sure that systems are running the latest level. Do not forget to check remote equipment such as laptops and tablets that are used by other departments.
Monitoring and Security Tools
Networks grow fast. A year is a long time in technology. Link speeds increase. There may have been changes in physical media such as copper links going to fiber. New security and monitoring tools may have been added.
Many of the newer security tools offer faster processing. They also integrate machine learning and AI to predict traffic patterns and spot potential malicious anomalies. These new tools need complete and accurate information from the TAPs to which they are connected. TAPs make a mirror copy of the link traffic and pass that information to the tools. If the tools do not get complete and accurate information, their protection capabilities will be compromised. SPAN connections, for example, may drop packets which can skew the assumptions and predictions of the tools.
Connecting tools with TAPs should be consistent throughout the network. As mentioned above, if there are older security tools connected to links with SPAN ports and other newer tools that are connected via TAPs the results may not be ideal.
Reviewing visibility tools such as TAPs and Packet Brokers as well as security tools is critical to the continuity of your visibility strategy. As security tools are updated, visibility tools must also keep pace.
Visibility Tools Update
One important update that Network Critical has made to its SmartNA PortPlus packet broker is the addition of an Application Programming Interface (API). An API is a set of instructions that allow one machine to directly access the programming functions of another machine without human interface.
When connecting security tools that have advanced features such as AI, it is advantageous for the security tool to have direct access to quickly change traffic parameters, filters or configurations on the packet broker. For example, if the tool notices a change from a normal traffic pattern, it may want to look at a different subset of traffic data being supplied by the packet broker. Typically, that process will require a manual configuration change to the packet broker filters and port maps. With the API connection, the security tool can make the changes instantaneously without human intervention providing a quicker response time and potentially heading off a security incident.
Another upcoming update for Network Critical is support for TLS 1.3. Google, Apple and Microsoft will be deprecating their TLS 1.0 and 1.1 support that will affect visibility of their web traffic by certain tools. Being TLS 1.3 compliant will help tools that support 1.2 and the newer 1.3 versions provide better security, faster speeds and continued visibility. Stay tuned to our next blog for more information on this new development.