24 Mar Getting Network Visibility into East-West Traffic
Getting highly granular “everywhere” visibility continues to be a significant challenge for organizations as they work to protect their networks from threats. Traditionally, companies have prioritized monitoring and securing north-south traffic (traffic coming onto and leaving from an enterprise network to an external network such as the Internet) over east-west traffic (traffic that remains within the enterprise’s network perimeter). While the majority of security professionals certainly understand the risk of not monitoring and securing east-west traffic, other priorities and key drivers (like cost, complexity, resource, etc.) often impact whether or not they act.
Research shows value in monitoring east-west traffic because security threats inevitably make their way past perimeter defenses – for example, half of all malware in Q3 2019 was zero-day and would not have been caught by signature-based network perimeter defenses. When combined with the fact that on average it takes 206 days for a company to detect a network breach, and an additional 73 days to contain it (according to a recent Ponemon/IBM report), this data should put to rest any lingering doubts about pursuing east-west visibility.
The mantra espoused today is that there are two types of organizations: 1) those who have been hit by a cyberattack, and 2) those who don’t know they’ve been hit by a cyberattack. It’s not whether an organization will be hit, but when and how the team will respond when it finds out it has happened. There remain some common misconceptions about east-west network visibility, even among organizations that understand its importance. Here are two big ones:
Instrumenting a Network for East-West Traffic Monitoring is Hard
Networks are complex and historically difficult to instrument for visibility. That reality has changed dramatically over the past two years. While many security professionals still feel they don’t have the resources or time to set up the infrastructure needed to monitor east-west traffic, powerful and convenient sensor technology paired with centralized monitoring and management consoles are changing the game.
New, NextGen IDS/IPS platforms allow organizations to more easily instrument their networks for comprehensive east-west visibility. The idea that organizations need to set up 10-20 servers across their network – all of which need to be managed, maintained and troubleshot individually, often through a command-line interface – is no longer true.
Having the ability to rapidly identify, act and remediate network threats with a single, integrated platform is a powerful promise. Historically, tools have been single-purpose and siloed, and organizations struggle with security tool sprawl and manual efforts to integrate data flows across them. But new platforms (like Bricata) combine best-of-breed technologies in easy-to-deploy sensors and then give security teams a centralized console from which to manage the sensors, monitor the network, and protect the enterprise. This empowers them to mitigate threats both reactively (via alerts) or proactively (with threat hunting).
Vetting Malicious Internal Traffic is Complex and Time-Consuming
Indicators of compromise (IoCs) in east-west traffic can be different from those found in north-south traffic, leading many security professionals to question if they have the resources or knowledge to deal with this different type of activity. Perimeter security mostly (but not entirely) relies on signatures and threat intelligence feeds from services such as Cisco Talos, ProofPoint ET Pro, Critical Stack, Virus Total and more. Analysts often balk at the idea of creating an entire set of new policies and signatures from scratch for east-west traffic, but the idea that this can’t be streamlined and automated is false.
For example, in east-west traffic security pros often need to look for traffic that results from attackers surveilling and mapping the network with tools like Nmap, scanning for vulnerabilities or open ports they can exploit, and/or moving files around. Security tools like Suricata and Zeek can be integrated into comprehensive IDS/IPS platforms (using sensors spread throughout the network) to automate the process of identifying malicious traffic and files. While there are fewer third-party resources for east-west threat signatures, rules and policies, the ones that do exist are growing rapidly. And there are also other services for cross-referencing unknown file hashes and sending them to virtual sandboxes for detonation if need be.
Furthermore, teams often try to work around the lack of east-west visibility by using DNS logs, but at best this method only provides a partial view of network activity – and it can be easily manipulated to provide an inaccurate one. This highlights the importance of having NetGen IDS/IPS sensor technology that ‘sees’ (PCAPs) and reports on (network metadata) exactly what is being transmitted on the network.
High-Quality East-West Visibility and Threat Detection is Here Today
A lack of east-west visibility can leave organizations blind to threats lurking on their internal networks for weeks or months – giving attackers enough time to establish resilient positions throughout the network, to surveil the network, to exfiltrate valuable data, and to disrupt a business’ normal operations. Bricata comes with powerful and easy-to-deploy sensors, centralized management, and open APIs for integration with third-party tools making it convenient to add east-west visibility to your already strong north-south defenses. Because it’s easy, you’ll do it. Because it’s powerful, it’ll protect your network.
If you enjoyed this post, you might also like:
- Webinar: Enhancing Network Security Through Automation and Enrichment
- eBook: The Four Pillars of Network Security
- Blog Post: Open Source Security Software: Takeaways From a Case Study on DIY Fatigue