Is the issue security or network, and does it matter?

When there is a connectivity issue, the security staff are often the first people contacted. The general thought for a bad connection is, “It must be the firewall that’s blocking the connection.” However, after spending a day tracing the connection and evaluating the network, it is equally likely to be a networking issue. This raises the question: does it matter that security often has to deal with network issues, or vice versa? The specific type of issue is often unknown until it’s resolved. For the user, what matters is that someone resolves it, not who the correct contact for resolving it is. Aligning staff to address this common issue makes the most sense.

Analyzing for both security and networking issues can be difficult. Security and network tools have different purposes, and security and network specialists have different skill sets. Whether investigating a malicious event or a network configuration issue, security requires insight into the network, and network people likewise require insight regarding security. So, it is more than simply changing the IT organization. The tools need to change, as well.

Black Cat, White Cat

Deng Xiaoping said, “It doesn’t matter if the cat is white or black; if it catches mice, it’s a good cat.” The point is that it doesn’t matter what you call something; it is still defined by its results.

This returns us to the problem of thinking in terms of something being solely a network or security issue. The typical user is often not sure of, and unconcerned with, the cause of the problem. They just want the issue resolved.

Unfortunately, networking and security specialists each lack insight into the alerts, notifications, and processes of the other. Ultimately, the right IT organizational alignment is the one that focuses on resolving the issue, which effectively requires that the organization implement tools that view both network and security in a single application.

Solution-Driven Operations

Issues are categorized as either network or security issues, but only once resolved. Therefore, many operations centers combine network and security functions. However, changing the organizational approach is only half of the solution. The supporting tools also need to change.

There are distinct differences between network and security tools. In order to be effective, security forensics tools must address the application layer. This differs from network diagnostics, which are focused on the transport layer residing below the application layer. Though network activity produces a greater volume of logs, the information in each record is less dense.

This difference in security and networking is also seen in the verbiage used to describe the operations. The term diagnostics is used for networking, while forensics is used in security.

  • Consider the network approach to network diagnostics. Cisco’s NetFlow is the most common flow analysis tool. It was designed in 1996 for network debugging, and has never had vision into application flow. It is used solely to debug the connectivity between systems.
  • Traditionally, security network forensics is related to Security Information and Event Management (SIEM), which evolved at about the same time as NetFlow, with early versions appearing around 1998. SIEM collects events from a variety of devices, normalizing the data into a database. The database structure provides correlation through SQL joins, but this limits the scalability of the dataset.
  • Though the need to combine flow and application vision has been clear to IT organizations, commercial products have been slow in filling this gap between security and network analysis needs. This has led to awkward solutions, often using big data log managers to attempt to handle application flow data, an expensive and ill-fitting approach.

Big Data Analytics

The prevalent term being used to describe the evolving tools and concepts that cross the boundary between security and network issue resolution is Big Data Analytics (BDA).

The underlying approach is to place all flow data into a big data structure, and then present the heuristic deviation of the flows. However, most of these solutions do not include security events, but instead attempt to independently detect issues using flows. Today, Fluency is the only product that correlates security events with full application flow data in a cost-effective manner.

Organizations that have attempted to implement security log-to-big-data tools, like Logstash, will attest to the approach breaking down when flow data is incorporated into the solution. While a big data structure is needed, it is only part of the requirement.

BDA requires a completely new architectural approach, as opposed to the integration of existing tools under a new label. When people attempt to emulate SIEM-like processes, they are quickly confronted with information overload. Statistical analytics is one approach used to overcome the data size-density issue. The objective of analytics is not to produce charts, but to present meaningful data without producing endless lists.

Conclusion

Defining two teams, ‘security’ and ‘network,’ makes resolving network connectivity issues inefficient and expensive, because the team contacted first may be the wrong one. The answer to this inefficiency is to create a streamlined response, a single entity that resolves the issue. This streamlining requires an integration of both tools and skill sets.

Organizations building network or security operations should consider a holistic approach that alters the operation’s mission to include BDA solutions that shift the paradigm from organization-based to resolution-focused. This means creating the ability to correlate application flow data with log data.

About Fluency

Fluency is a pioneer in big data analytics and flow analysis. Fluency collects, processes, correlates and presents more data than any other network or security tool. This means better vision, faster insight and better operations. The ability to centrally collect all events and logs addresses PCI, HIPAA and FISMA audit compliance. Fluency goes further than just compliance, correlating the relationship between user, asset and event, making operations run faster and smoother. Most importantly, Fluency is designed to help resolve problems quickly, regardless of how they are labelled.
