Rethinking Network Performance and Internal Security

Can a balance be struck between network performance and effective security in organizations?

If you consider the state of data breaches and think of it as a battle between security and the bad guys, it doesn’t require much to know that the bad guys have the advantage. Even after such catastrophic breaches, most organizations are still largely ineffective in identifying attack activities inside their networks quickly and curtailing them before most damage can occur. If the NSA cannot properly protect its cyber warfare tool arsenal and the world’s largest financial institutions with arguably the best security teams and resources fall prey to attackers, what hope is there for everyone else?

Clearly, the conventional approaches to security are not enough. Most organizations are realizing that perimeter security alone is a failed strategy and that advanced forms of security that utilize AI and machine learning to identify anomalous behaviors or the presence of malicious software are critical. While these types of security solutions are evolving to reach needed levels of fidelity and effectiveness, one of the major obstacles has been getting proper network traffic delivered to them. The systems need network visibility to both learn about network traffic and to spot abnormalities.

Proper traffic delivery has been difficult for multiple reasons. Even though most behavioral solutions do not need to be deployed in-line with network traffic, gaining access to a TAP or SPAN port involves getting approval from networking teams, who want to ensure network performance and reliability while eschewing unknown risks and potential impediments. Networking teams are tuned to resist or reject additional solutions. In addition, often TAP or SPAN ports are in short supply and may be needed for network monitoring, troubleshooting or performance assessments. Plus, these security systems need to receive traffic relevant to finding east-west activities inside the network and not be bogged down with unnecessary traffic, further complicating the delivery challenges.

In-line security solutions are also expected to advance and will prove to be more necessary as they find malicious activity—such as the attempted propagation of ransomware—and can automatically and immediately shut it down. Access for these solutions faces even greater scrutiny from networking teams, and the operating requirements are even tougher.

With the growing necessity of advanced internal security solutions and the recognition that the threat landscape and security practices and systems are continually evolving, it is important to establish a point in the network that can accommodate a necessary solution while satisfying all requirements for both security and networking. If such a point can be established to meet all the demands and concerns of networking and serve as a “pre-approved” place to simply plug in solutions and get exactly the right traffic delivered to them, it may become possible to stop data breaches before they succeed.

To gain such pre-approved status, the hardware and software that make up such a visibility platform need to offer high levels of performance, resiliency or availability, and failover, so that the platform never becomes a network bottleneck or a source of aberrant behavior. In addition, it needs to be managed in an easy, comprehensive way to enable proper controls and monitoring. Security and compliance requirements must be ensured to keep in step with increasingly aggressive and punitive laws and regulations. Management should include rules- and policy-based structures as well as monitoring and reporting.

While it is possible that the individual security solutions could be the source of network risk or mishap, this visibility platform would need to manage those issues to prevent them from affecting network performance. It would effectively serve as a guarantor. Such a supervisory role coupled with inherent reliability and performance could then enable a good level of flexibility so that new or upgraded solutions can be easily added and even proprietary or ad hoc solutions can be deployed without extended deliberations.

Another issue facing both networking and security teams has been tool sprawl. With so many new developments and such quickly changing circumstances, it is understandable that organizations would be eager to deploy the latest technologies or add capabilities to meet their needs. Fragmentation of oversight or responsibilities across the enterprise—ranging from compliance teams, practice-based security teams, IT decentralization and the proliferation of cloud-based resources—has contributed to tool sprawl as well. Each team wants to serve its own interests and goals. In addition, tool sprawl comes from the natural tendency to throw solutions at a problem in hopes that one will solve it.

Organizations can ill afford to shut the door on new demands to deploy network-based solutions, but at the same time, there must be a way to manage tool sprawl. In particular, tools need a protective measure to keep them accountable to network performance and reliability standards. Again, the idea of an overseer could provide such a level of necessary assurance. In addition, tools need to be coordinated so that they operate in a logical sequence that can be monitored, managed and maintained. Orchestrating tool chaining is becoming essential.

Maintaining network performance and availability is essential. The network is the lifeblood of almost any organization, and without it work and business likely grind to a stop. At the same time, securing data and protecting resources is also essential. Achieving the proper balance between these two somewhat diametrically opposed ideals has been a large, ongoing challenge or conundrum. It’s time to establish a fulcrum between these two ideals: a place where necessary security solutions can be deployed and receive the traffic they need, while being kept in check by networking imperatives.

Yoram Ehrlich

Yoram is VP of Products at Niagara Networks and leads the product group and is responsible for strategy and marketing of Niagara’s product family. With over 15 years of experience, he has held various leadership roles, successfully managing and evangelizing products throughout their life-cycle in the telecom/network and security industry. Previously he served as Director of Products (Analytics) at Cellebrite. Yoram has a B.Sc. EE from the Technion and an MBA from Duke University.
