Application Intelligence Done the Right Way

It’s cliché to restate how dependent organizations have become upon their networks. New network applications are introduced each year that hold the promise of improving organizational efficiency and effectiveness. These applications are increasingly introduced using a Software as a Service (SaaS) model, impacting your network’s internet connection and leaving the local data center. 

As the network traffic at your perimeter skyrockets, the tools which you depend on to guarantee performance and protect the perimeter become rapidly overwhelmed. Networks that were designed to support user demand a year ago may quickly find themselves unable to keep up with the demand of today. As if this weren’t enough, new problems such as lateral movement of threats can cause you to spread your already overwhelmed resources over a much larger area.

Effective use of your network tools means being more deterministic about what network traffic they inspect. An overutilized network tool will often drop traffic when it runs out of resources, but which traffic it drops can often be random. This runs the risk of failing to inspect important transactions, while spending resources inspecting traffic that has little relevance to the organization. 

What you need to do is decide what traffic is important for your tools to inspect, and what can be safely ignored. Fortunately, not all network applications are created equal. 

What Needs My Attention?

A recent study by Google suggests that over 52 percent of internet traffic is some combination of Netflix and YouTube. While this may not reflect what applications use your enterprise network, you can be assured that there is a lot of traffic on the network that is not vital to your organization’s operation.

A security tool that expends 50 percent of its resources looking at high-volume, low-risk traffic is potentially wasting a lot of resources inspecting traffic that will almost never be an attack vector. If you’re using an application performance monitoring (APM) solution, do you really want to be expending resources to ensure good performance of your streaming video, possibly ignoring mission-critical services?

Most network tools have protocols and applications that they support and others that they disregard. Even if a tool discards traffic, it must still inspect the traffic long enough to determine it isn’t of interest. This takes valuable clock cycles, and ultimately impacts the performance or capabilities of your network tool. Filtering unnecessary applications and protocols from your tool will help to extend its capabilities.

For example, an advanced threat detection (ATD) device will have certain applications with which it is interested, and others that can safely be filtered out. For example, ATD devices are primarily interested in applications that could include file downloads, such as web or FTP, but they are rarely interested in email protocols like IMAP or SMTP. They are also interested in applications that could include command and control (C2) traffic, which would also include web, but could include IRC and chat applications as well.

Filtering out irrelevant protocols could remove a large percentage of the load from the ATD device. Removing high-volume, low-risk applications such as trusted streaming media and Windows Update as well could remove half of the traffic currently directed to the device.

Protocol Filtering Isn’t Enough

While filtering at the protocol level can provide some relief, many modern network applications are often all categorized as “web.” If visibility is limited to the network layer, then applications like Facebook will be lumped in with mission-critical applications like Office 365 or Salesforce. It is important to be able to have the granularity to handle mission-critical healthcare, banking, IoT or supervisory control and data acquisition (SCADA) applications differently than casual web browsing. 

It is important to consider each network tool. What applications does it support?  What does it discard? Additionally, you need to take careful inventory of which network applications are most critical to you. What applications are mission critical? Which applications must be prioritized?  Pairing the appropriate applications with the important tools will help optimize your resources.

I’ve Optimized My Tools — Now What? 

It’s important that optimization is not performed for optimization’s sake.  Once valuable resources are freed up, you must now consider how to use those additional resources. After removing 50 percent of the load from your intrusion detection system (IDS), having a less busy IDS is not benefiting your organization in and of itself. The value comes from what you plan to do with the additional resources freed up following optimization.

Now that your perimeter tools have additional capacity, perhaps you could also direct them to inspect traffic entering the data center. Perhaps you could tunnel traffic from that important remote office to extend the reach of your tools into areas that have not benefited from your instrumentation.

Ultimately, your security tools can’t detect what they don’t see. Your APM tools can’t monitor applications that aren’t visible to them. Optimizing your tools will provide you with additional resources that can in turn help you to cover a much larger area of your organization.