Detection vs. Protection: Painting a Complete Picture of Your Security Position with Unified NPM

Alex Chartres (guest blogger)
  • By Alex Chartres (guest blogger)
  • 02-Aug-2021
  • 1 Comment

I’ve spent 20 years trying to help people understand IT problems (and solutions) and to dispel confusion. I really enjoy finding new ways to map IT to the physical world and analogies that turn on that lightbulb in people’s minds. My favorite analogy today is describing how network visibility is a huge part of ensuring cybersecurity for your business.

First, we need to clear up one thing. The way we approach security needs to change from WHEN, not IF, your network and data will be attacked. We have seen a huge rise in ransomware attacks. We have also seen major supply chain attacks. What does this tell us? Even if you follow the best security principles and have excellent perimeter security solutions in place—you are still at risk. If you download a digitally-signed, verified software patch that happens to contain malware, the attackers are in. There isn’t much your perimeter security tools can do to help. You have effectively, if unwittingly, opened the door to the attack.

Now that attackers are in the network, how do we know they are there and what they are doing? Here is my analogy: think of an art gallery with priceless works hanging on the walls. The gallery has:

  • An outer wall or fence (firewalls)
  • External doors (controlled internet connectivity)
  • Security personnel at each entry point (IPS/IDS systems)
  • Internal doors that permit or deny entry to secure areas (application security)
  • Cameras (particularly around high-value items), and
  • Sensors that detect motion, pressure, etc.

The gallery is designed to have people come and go as they please, with the perimeter security teams checking visitors for potential risks (bag searches, etc.) and tracking their arrival (logbooks, camera systems, etc.). Vehicles arriving at the loading bay will undergo additional checks on arrival and departure.

Security Guard and Visitors at Art Gallery

Security Guard and Visitors at Art Gallery

It is normal and expected to have people standing a few feet from a Van Gogh masterpiece at 3pm on a Thursday and the museum security will not be alerted by that. However, if someone were detected in the same place at 2am on a Sunday morning, this would raise the alarm as abnormal behavior.

If someone got into the gallery and removed an item from the wall, we would spot it is missing the following day by noticing the gap in the exhibition. But what if the intruder stole a second item, swapping it with a forgery? There would be no gap on the wall to alert us. A gallery would have lots of cameras though, revealing the intruders’ actions.

Back to the world of IT…

If we assume that the perimeter security solutions merely make it harder to access the network and that we are going to be attacked, understanding the attackers’ actions within the network is crucial to both detecting the damage and preparing a recovery plan.

The sensors and the cameras are the equivalent of Network Performance Management (NPM) tools, alerting us to unusual activity (the 2am Sunday moment) on the network and telling us where people have been and what they have been doing (the forgery swap). It’s like having a recording so you can play back the whole incident.

If we think of a scene in a film where thieves move acrobatically between laser beams across a room, the sensors and the cameras in the room are there to detect the activity, not stop the heist. You could easily walk past the cameras and through the beams, take the painting off the wall and walk out again. NPM is the same—it is not a security tool, it does not stop the attack, but it does alert you when abnormal behavior occurs.

IT security threats come in all shapes and sizes, and there are attacks that you can’t really protect against, such as state-sponsored activity. Others are just hard to secure against.

You have users on the network (just like a gallery has staff and visitors) and you expect them to be there—in fact, you want them to come in! They need to access systems and data to do their jobs. Hopefully, you have security tools in place to check the identity of the users and allow them access to the right places (applications and data).

What if a user, who has legitimate access to a system, starts to engage in malicious activity? Would your perimeter security tools detect this? Perhaps not. However, because NPM understands normal behavior on the network, it can alert you to abnormal behavior, too. Perhaps, the user usually transfers a few hundred MBs a day, in the office, between 9 and 5, Monday to Friday. But suddenly, they access 10GB on a Sunday afternoon from home. What are they doing with this data? Perhaps it’s nothing, just a mistake, or maybe they are going to sell it to a competitor or take it to a new company? Either way, it is an anomaly that needs to be investigated.

As a final thought, if you are subject to ransomware attacks and systems are encrypted and data is stolen, you have to report the breach to the relevant authorities and may be exposed to significant fines. These attacks are typically two-fold now: 1) pay to get access to the data and 2) pay to stop the stolen payload from being released to the public. You need to know exactly where the attackers went and what they did, and this may help you make the decision on whether to pay the ransom or not.

In summary, security threats are going to happen. Attacks come in a range of types and traditional security measures may not protect you. To better prepare for the inevitable, it’s vital you have complete visibility of all activity on the network to detect rogue behavior and enable a quick recovery. And, as an added benefit, NPM tools (as a primary function) also track the performance of applications on the network helping to give your users the best possible performance.

Unified NPM from Riverbed

Networks are mission-critical to business success. Digital businesses need secure, reliable networks more than ever before. But, with today’s hybrid cloud architectures, maintaining a high-performing and secure network requires a broad view across IT domains.

Relying on a hodgepodge of narrowly focused, siloed performance monitoring tools does not provide the breadth and depth needed to diagnose complex network performance problems. Riverbed’s Unified NPM gathers all packets, all flows, all device metrics—all the time. The solution maintains visibility across all environments, on-premises and cloud, to enable business-centric views across all your domains. It also integrates with end-user experience and application performance monitoring so that you can understand the impact of network performance on critical business initiatives.

Identify, remediate and protect against cybersecurity threats

Today’s enterprises, with modern applications migrating from the data centre to cloud and SaaS platforms, are facing an uphill battle when it comes to cybersecurity. Despite heightened awareness, high-profile breaches continue to occur at alarming rates.

In order to quickly diagnose and respond to a full range of attacks, IT teams need visibility to identify threats of all shapes and sizes, from campus to cloud. Riverbed’s full-fidelity network security solution provides essential visibility and empowers users with fast, secure connectivity to the resources they depend on for business execution. The results: stronger security and better business performance.



1 Response to “Detection vs. Protection: Painting a Complete Picture of Your Security Position with Unified NPM”

Leave a Reply

Your email address will not be published. Required fields are marked *

Sam Rowan 20-Sep-2021 at 1:09 am

Great article with a great analogy.

Thanks Alex.