Know What’s Really Happening on Your Network
“If I’m watching all my hosts, am I good?” When I’ve been asked this question, one word stands out to me — all.
Trying to understand every endpoint — think smartphones, tablets, printers, you name it — is what I refer to as the “unknown unknown” problem. You may know what endpoints report back on the network. You may know what endpoints once did report back, but no longer do. But what about the endpoints that were never audited? Or how about new endpoints being connected and authenticated?
Unless you’re very disciplined and have a process to authenticate devices as they move to more secure network segments — and you do a good job of naming — you may very well have systems and users on the network that are accessing resources that you’re unaware of. In other words, it’s tough to be sure that it’s “all good.”
Watching All
So how do you watch all?
To start, and if you haven’t already, I suggest reading Google’s BeyondCorp: A New Approach to Enterprise Security, as well as checking out Duo’s BeyondCorp product. The two will provide background on taking a new and different approach to network security. However, even with more sophisticated models like these for endpoint management, it’s still necessary to consider that the proliferation of endpoints is astounding. For example, by 2021, the number of global smartphone users is predicted to exceed 2 billion.
Combine that proliferation with the flux and churn of employees, new SaaS/PaaS products, microservices connecting to data lakes, and the speed and volume of data... and you’ve got a world of system change that often outpaces the ability of all but the most disciplined, sophisticated organizations to keep up.
Understanding the Unknown Unknown
So how can you begin to understand everything connected to your network and, more importantly, how can you begin to understand and address the unknown unknown issue?
The answer is the network — it is the most convenient source of truth. Every system is going to consume network resources of one sort or another. So start there. Have a look at your core access layer and, if you’re not closer to the distribution layer of switches, add taps. Get as close as you can to the leaf switches and tap them. If you have segments without visibility, add a tap point to an uplink.
From here, you can gather NetFlow and metadata — remember, Gigamon can generate unfiltered metadata — and feed that to tools like Splunk or Plixer. Or, write a quick program to look at source and destination IPs, put them in a simple database, and use NetFlow to see what ports they are connecting to and what’s connecting to them. In no time, you’ll have mapped out the domain controllers, SMTP systems and internal tool machines.
While still not 100 percent situational awareness, it’s a good start. With Gigamon metadata, you can forward the SSL certificates observed on the wire and see who signed them and what algorithm was negotiated. You can even write a simple alert that fires when an SSL certificate is about to expire. An operational nice-to-have, this helps ensure that users won’t experience a service disruption due to invalid certificates.
If you get close enough to the endpoints and you’re thoughtful about what you collect, you can begin to compare your known hosts and what you think you see to what is truly happening on the network.
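As an added example (not Gigamon’s code and not from the original post), here is the “quick program” described above, in Python: it loads constructed NetFlow-style records into a simple SQLite table, lists the ports each host is contacted on, labels likely roles with a hypothetical port-to-role table, and reports hosts seen on the wire that are absent from a constructed asset list, which is exactly the comparison of known hosts against observed traffic that the closing paragraph calls for.

```python
import sqlite3
from collections import defaultdict
# Constructed sample NetFlow-style records: (src_ip, dst_ip, dst_port, proto, bytes).
FLOWS = [
    ("10.0.1.25", "10.0.0.5", 389, "tcp", 1200),  # LDAP to a domain controller
    ("10.0.1.30", "10.0.0.5", 88, "tcp", 800),    # Kerberos to the same DC
    ("10.0.1.25", "10.0.0.9", 25, "tcp", 4500),   # SMTP relay
    ("10.0.7.44", "10.0.0.5", 389, "tcp", 300),   # a host missing from the asset list
    ("10.0.7.44", "10.0.0.9", 25, "tcp", 200),
]
# Constructed asset list (what we *think* is on the network) and hypothetical
# port-to-role hints used to label what a destination host is.
KNOWN_HOSTS = {"10.0.0.5": "dc01", "10.0.0.9": "smtp01",
               "10.0.1.25": "ws-alice", "10.0.1.30": "ws-bob"}
ROLE_HINTS = {88: "domain controller", 389: "domain controller", 25: "smtp"}

def load_flows(conn, flows):
    # Store the flow records in a simple SQLite table.
    conn.execute("CREATE TABLE IF NOT EXISTS flows "
                 "(src TEXT, dst TEXT, dport INTEGER, proto TEXT, bytes INTEGER)")
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", flows)
    conn.commit()

def services_by_host(conn):
    """Map each destination IP to the set of ports it was contacted on."""
    ports = defaultdict(set)
    for dst, dport in conn.execute("SELECT DISTINCT dst, dport FROM flows"):
        ports[dst].add(dport)
    return dict(ports)

def guess_role(ports):
    """Label a host by the services it answers on, or 'unclassified'."""
    roles = {ROLE_HINTS[p] for p in ports if p in ROLE_HINTS}
    return "/".join(sorted(roles)) if roles else "unclassified"

def unknown_hosts(conn, known):
    """Every IP seen as source or destination that is absent from the asset list."""
    rows = conn.execute("SELECT src FROM flows UNION SELECT dst FROM flows")
    return sorted({row[0] for row in rows} - set(known))

def build_inventory(flows=FLOWS, known=KNOWN_HOSTS):
    """Return observed services per host plus the hosts nobody had recorded."""
    conn = sqlite3.connect(":memory:")
    load_flows(conn, flows)
    return {"services": services_by_host(conn), "unknown": unknown_hosts(conn, known)}

if __name__ == "__main__":
    inv = build_inventory()
    for host, ports in sorted(inv["services"].items()):
        label = KNOWN_HOSTS.get(host, "NOT IN ASSET LIST")
        print(f"{host} ({label}): ports {sorted(ports)} -> {guess_role(ports)}")
    print("seen on the wire but not in the asset list:", inv["unknown"])
```

On real data, replace FLOWS with records exported from your collector and KNOWN_HOSTS with your CMDB or DNS export; the unknown list is where the “unknown unknown” hosts show up.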