In the 90s, when you thought about computer security, you might have thought first of antivirus programs installed on individual computers. This mindset has persisted to the present day, where even enterprise-level security efforts are heavily focused on individual devices or hosts.
Your average security operations center (SOC) expends a great deal of energy installing endpoint detection and response (EDR) software on devices, and instrumenting computers within enterprise environments to log their activities and share those logs with a central manager or security information and event management (SIEM) system for analysis.
The idea of individual computers as the optimal unit for observation and protection is sticky, and still valuable, but the next big step in enterprise cybersecurity requires that CISOs think about a bigger, more holistic target for observation and protection: the enterprise network itself.
Network Visibility Is The Missing Piece
In Gartner’s SOC Visibility Triad, the three cornerstones are endpoint visibility, log analysis (SIEM), and network detection and response. While two of these are widely deployed and used in the SOC, the network is too often underutilized as a data source for security analytics.
Recent survey results from the SANS Institute on the state of incident response (IR) and the state of security operations (SecOps) as a whole strongly suggest that network visibility is the biggest gap for modern cybersecurity. For organizations that want to move up the security maturity curve and reduce their chances of hitting the headlines for a data breach, the next step is clear.
This article will highlight a few of the data points from the SANS IR survey indicating why and how enterprises should take the critical step of integrating network visibility into their IR and SecOps initiatives.
Over 50% Of Incident Response Professionals Want, But Have Difficulty Accessing, Network Data
Incident response pros see the value of network visibility, but too often they just can’t get at it. Over half of respondents said they want network data for IR, but that it is difficult or impossible for them to access. This makes it harder to stitch together the sequence of events involved in an incident or data breach, and hinders the IR team’s ability to progress from detection to containment to remediation of an incident.
Organizational Silos And Lack Of Budget For Tools Are Among The Top Impediments To Successful IR
After the ever-looming skills shortage, two of the top impediments cited by IR professionals were lack of budget for new tools (48%) and organizational silos (28%). These impediments feed and amplify each other in entirely avoidable ways, as budget is spent on duplicate efforts by different teams. If teams broke down silos and shared tools, they could realize even greater operational efficiencies at no additional cost.
For example, many organizations already have network monitoring tools in use by their IT departments. Sharing that data with the incident response team could fill this visibility gap without biting into the budget. Reducing the organizational siloing between security operations, IR, and network operations teams can offer relief against the budgetary complaint and the lack of network visibility.
Integrating the tools and datasets in use by these teams is rapidly shifting from a nicety to a requirement for forward-thinking enterprises, but moving past decades of divided workflows and distinct team cultures isn’t always easy. You can learn more about how today’s enterprises are bridging the gap between NetOps and SecOps in this strategic report from EMA Research.
Network-Based Detection Tools Get The Highest Satisfaction Rating
In the SANS survey on the state of security operations in 2019, network-based detection tools outranked “host-based tools that depend on agents being present on every endpoint” for satisfaction. This strongly implies that many SecOps teams do have access to network data that could be shared with other teams! For organizations where SecOps and IR are siloed from each other, a huge opportunity exists to share the network visibility wealth.
After reviewing the data gathered from hundreds of incident response professionals and cybersecurity executives, the theme that SANS identified for their report was: “It’s time for a change,” and the change to which they refer is the accelerated adoption of network visibility by IR teams.
We couldn’t agree more. In fact, network visibility forms the foundational level of the SOC Visibility Triad, a framework from Gartner to help enterprises secure their modern environments. Learn about your options for network detection and response (NDR) and how they complement and extend other sources of security visibility in this overview blog.
Published on Forbes.com