Today we’re discussing network instrumentation with Bricata Chief Product Officer Andre Ludwig. Our interview covers why instrumentation is needed, the state of network instrumentation in most enterprises today, the risks of not having enough instrumentation, the benefits of having more, and what to consider as you increase instrumentation across your network.
1) Why is network instrumentation needed?
AL: The goal of network instrumentation is to gain better situational awareness about your network. With improved situational awareness, you can engage in more informed actions that benefit threat and anomaly detection, improve remediation, and enable more effective threat hunting. Network instrumentation allows you to improve your understanding of everything happening on the network, from the basics, who is talking to whom and the applications on the network, to the more complex, such as specific exchanges and conversations down to the protocol level and everything in between.
2) What is not being done today and why?
AL: Infrastructure constraints and sensor performance have historically made it difficult and expensive to deploy sensors to extract network traffic data and provide intrusion detection system (IDS) capabilities. As a result, most companies have only deployed a limited number of sensors, which means they aren’t even getting complete network visibility and instrumentation of their most critical assets.
In addition, most sensors serve only a single purpose, which I feel is at odds with the needs of comprehensive network security monitoring. A complete view requires typical IDS information and something akin to network traffic analysis (NTA) capabilities for metadata generation and analysis. As a result, two or more sensors are usually required at each location just to gather and process the types of data security organizations need. And, each sensor must be individually, and usually manually, managed and administered. In most cases, sensors are hardware-based, so there are physical limitations on where they can be deployed, especially in cloud-based environments.
3) Why does lack of instrumentation impact a company’s security risk?
AL: Since you can’t monitor what you can’t see, any uninstrumented location on your network should be considered a vulnerability. That said, companies should try to instrument as much of the network as possible and prioritize instrumenting their most important assets and locations.
Companies can’t feasibly instrument everything, due to budget, resource and data volume constraints that impact them. Therefore, each security team has to make decisions about what and how many resources to use, where on the network to put those resources, and at what level to instrument network traffic, i.e. gathering all of the data or just some of it.
4) What should companies instrument?
AL: The most important locations to instrument are the areas on your network where your most sensitive information is stored and processed. Since they pose the greatest risk to an organization if compromised, visibility into these resources is critical.
In addition to the most sensitive assets, your security team should prioritize where to place additional sensors based on what they know about the details of your network. No reasonable security team will ever decide to instrument everything on their network, even if they have unlimited resources, as this would produce data volumes far too unwieldy to easily store or manage. Being informed and judicious is key to striking a balance between generating the right data, in the right volumes, to match your organization’s operational maturity and tempo.
5) How much east-west traffic are most companies instrumenting today?
AL: Not much. Almost every network has significant gaps. No one has instrumented all of their sensitive assets. Most companies are just beginning to look at monitoring east-west traffic. Of those that are, only 10% to 20% are starting to think about how to monitor cloud workloads.
The three main reasons for these gaps are cost issues, lack of support for existing security controls as companies migrate to the cloud, and inflexible systems that don’t support new cloud or data center deployments.
6) Why do software-based sensors help improve network instrumentation and security?
AL: Software-based sensors help in a number of ways. First, companies can deploy more of them as they are less costly to install and maintain. Second, since they don’t require appliances, software-based sensors are more flexible in terms of where they can be deployed – they can be installed in more locations. Finally, some allow you to capture multiple types of data and can be configured to capture either all of the data or just some of it.
It is important to note that sometimes software-based sensors are a company’s only option, especially in hybrid or cloud environments. They can help eliminate many of the blind spots companies encounter as they transition from the data center to the cloud.
7) How do Bricata sensors help improve network instrumentation and monitoring?
AL: Bricata sensors are software-based, so you can easily place them anywhere you want, even in locations where you couldn’t place sensors before. Each Bricata sensor captures a range of data types, not just one, so you can deploy fewer sensors per location. Licensing is based on the amount of bandwidth you monitor, instead of per sensor, so Bricata sensors are extremely cost-effective. Sensor updates and maintenance are performed automatically from a single location to reduce administrative burdens.
You also have a lot of choices about the types and granularity of data each Bricata sensor generates. For example: Do you want Suricata, Zeek or both? How many Suricata signatures are you using? Five or 10,000? What scripts and log sets are you generating in Zeek?
The level of flexibility Bricata sensors provide allows you to get visibility into locations where you don’t need complete visibility, but you might want some. Or, you can add Bricata sensors across your entire network and then adjust their depth of instrumentation based on what you find or each area’s level of importance or risk profile.
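As an added illustration (not part of the interview and not Bricata’s own configuration), the per-location depth choice described above can be expressed in a plain Zeek site policy. The example assumes a stock Zeek install that loads this file as `site/local.zeek`; the `deep_instrumentation` constant and the particular set of policy scripts are illustrative choices, not a recommended baseline.

```zeek
# site/local.zeek for one sensor (added example, not a Bricata configuration).
# Assumes a stock Zeek install that loads this file as its site policy.
# Zeek's base scripts already provide the "who is talking to whom" view
# (conn.log, dns.log, ssl.log) without loading anything extra.

# Depth knob for this sensor: leave F on segments where only the basics are
# wanted; set to T on segments whose risk profile justifies deeper logging.
# (Hypothetical name chosen for this example.)
const deep_instrumentation = F &redef;

@if ( deep_instrumentation )
# Deeper view: inventory known hosts and services, validate TLS certificate
# chains, and carve files off the wire. Each line raises log volume and CPU cost.
@load policy/protocols/conn/known-hosts
@load policy/protocols/conn/known-services
@load policy/protocols/ssl/validate-certs
@load policy/frameworks/files/extract-all-files
@endif

# Shallow view: keep conn.log and dns.log but drop the noisier streams that a
# low-value segment does not need to ship to central storage.
event zeek_init()
	{
	if ( ! deep_instrumentation )
		{
		Log::disable_stream(HTTP::LOG);
		Log::disable_stream(Files::LOG);
		Log::disable_stream(Weird::LOG);
		}
	}
```

The same file can be shipped to every sensor with only the depth constant differing per location, which keeps the shallow/deep decision reviewable in one place rather than scattered across hand-edited configurations.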
8) Any final thoughts?
AL: Software-based sensors from Bricata allow you to improve your company’s security and reduce risk because you can cost-effectively deploy network instrumentation anywhere you need it. In future blogs, I’ll discuss more technical details about what to consider when deploying and configuring sensors for use on premises and in cloud environments. Remember: the more you instrument, the more you detect.
Andre Ludwig is Chief Product Officer at Bricata. He leads the strategic direction and development of the company’s network security platform. Andre has spent more than 20 years working in cybersecurity technical roles and over 10 years in executive positions in product management and development. Previously Andre founded and ran Capital One’s Cyber Security ML practice (CyberML) and served as CEO of the Honeynet Project and CTO of the Global Cyber Alliance.