Friday, January 17, 2014

Shrinking the Rack

It will come as no surprise that most enterprise security organizations are perpetually understaffed and resource constrained. This is especially true with regard to the resources required to deploy, maintain, and use enterprise security technology. Because of this, choosing which security technologies to deploy is an important decision that has many ramifications and consequences. This blog posting explores the concept of collecting fewer data sources of higher value, rather than a larger number of data sources of lower value. In effect, it is about "shrinking the rack" of network instrumentation equipment without adversely affecting visibility, monitoring, and operations.

Most enterprises instrument their network to collect highly specialized forms of data. For example, an organization may have a netflow collector, a DNS tap, and a variety of other technologies, each collecting one narrow type of data. This creates a stream of different data types and formats that complicates and clouds the operational workflow. I note this as an observation and do not mean it to be critical. Having worked on the operational side for over a decade, I understand quite well that for historical and other reasons, enterprises have had to make difficult choices to meet operational needs under less than ideal conditions. What I am suggesting is that as equipment comes to end of life, as priorities change, and as the threat landscape evolves, enterprises take a second look at what goes into their network instrumentation and monitoring rack.

In addition to the variety and complexity of specialized forms of data, the volume of data confronting enterprises these days is also overwhelming, adding huge quantities of data to an already complicated operational security workflow. This perfect storm of circumstances creates a very real big data challenge.

Let's consider a unified, consolidated approach provided by PCAP data and its associated meta-data. Full packet capture (PCAP) records all traffic transiting the network. The meta-data that can be parsed out of both layer 4 (network layer) and layer 7 (application layer) provides an incredibly rich data source for the big data challenge. This rich meta-data also includes the specialized data forms often collected within enterprises. For example, if we look at the data obtained from the DNS tap example, we see that it is functionally the same as the DNS protocol meta-data parsed out of PCAP data. The potential this provides for simplification, streamlining, and optimization of workflow and operations is incredible.
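To make the point concrete, here is an added example (not code from the original post) that parses raw captured frames with only the Python standard library and derives both the flow records a netflow collector would produce and the query log a DNS tap would produce from the same packets. The frames are constructed inline for the example; the function names (`parse_packet`, `summarize`) and the record layout are my own choices, not a product API.

```python
"""Derive netflow-style flow records and a DNS query log from raw packets.

Added example: the frames below are constructed in code (not a real capture),
and the helper names are illustrative, not from any product.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ip_to_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_dns_query(qname, txid=0x1234):
    """Construct a minimal DNS query (one A question, recursion desired)."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def build_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct Ethernet + IPv4 + UDP around a payload (checksums left zero)."""
    eth = b"\x00" * 6 + b"\x11" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, PROTO_UDP, 0,
                     ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip + udp


def parse_dns_qname(payload):
    """Return the first question name from a DNS message, or None."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    offset, labels = 12, []
    while offset < len(payload):
        length = payload[offset]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a plain question
            return None
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels)


def parse_packet(frame):
    """Extract a metadata record: IP 5-tuple, size, and DNS question if present."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    record = {"src": bytes_to_ip(ip[12:16]), "dst": bytes_to_ip(ip[16:20]),
              "proto": proto, "sport": None, "dport": None,
              "bytes": len(frame), "dns_qname": None}
    l4 = ip[ihl:]
    if proto in (PROTO_UDP, PROTO_TCP) and len(l4) >= 8:
        record["sport"], record["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO_UDP and 53 in (record["sport"], record["dport"]):
        record["dns_qname"] = parse_dns_qname(l4[8:])
    return record


def summarize(frames):
    """One pass over the packets yields both a flow table and a DNS query log."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    dns_log = []
    for frame in frames:
        rec = parse_packet(frame)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["sport"], rec["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["bytes"]
        if rec["dns_qname"]:
            dns_log.append((rec["src"], rec["dns_qname"]))
    return dict(flows), dns_log


# Constructed sample traffic: one host issuing three DNS queries to a resolver.
SAMPLE_FRAMES = [
    build_udp_frame("10.0.0.5", "10.0.0.2", 40000, 53, build_dns_query("example.com")),
    build_udp_frame("10.0.0.5", "10.0.0.2", 40001, 53, build_dns_query("update.example.net")),
    build_udp_frame("10.0.0.5", "10.0.0.2", 40000, 53, build_dns_query("example.com")),
]

if __name__ == "__main__":
    flow_table, queries = summarize(SAMPLE_FRAMES)
    for key, stats in flow_table.items():
        print("flow", key, stats)
    for src, name in queries:
        print("dns", src, name)
```

The same `parse_packet` record feeds both outputs, which is the operational argument of the post: once the packets are captured, the specialized feeds are views over one data source rather than separate appliances to deploy and maintain.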

We live in a world that seems to get increasingly more complex. Those of us that work in the security operations field feel this on a daily basis. Shrinking the rack allows us to simplify, optimize, and reduce complexity within our environments without sacrificing visibility and functionality. As you think about replacing, upgrading, or modifying your network instrumentation equipment, it may be helpful to consider shrinking the rack. Sometimes, less is more.
