Security, network, and cloud teams can no longer operate in silos. It just isn't efficient or secure.
When an incident arises at your organization, who's responsible? Is it an application error, an end user error, or an attack in progress? Is there a firewall or cloud misconfiguration (like an S3 bucket left open) that has created a vulnerability? You need to quickly understand an event to know if it should be escalated to an incident and which team needs to resolve it.
It's important to look at problems from all angles, as quickly as possible, in order to determine who should respond and how. When teams can't determine who is responsible for an incident, they end up playing the blame game and passing the buck—delaying a resolution and possibly providing attackers with the time they need to breach the network.
1. Remove Silos For Better IT Team Efficiency
Rapid contextualization of data to understand the root cause of an event isn't possible when teams aren't sharing data. If you want to investigate and stop a threat or avoid downtime, you need data fast. If your network, security, and cloud teams are using different tools and are not correlating facts based on the same data, these silos result in longer response times and unsatisfactory outcomes.
Research shows that the integration of IT and security is moving in the right direction. Dark Reading's report, The State of IT Operations and Cybersecurity Operations 2020 showed that the percentage of organizations that loop in the security team at the beginning of every new project increased from 20 percent in 2019 to 29 percent in 2020, and about half of organizations currently involve security early on for all or most projects.
But it's not enough. To truly tackle this problem, IT teams must dramatically increase communication through a common language and experience, which comes from having the same sets of data. At the same time, security operations must work closely with network and DevOps teams in order to support agile, cloud-native workflows.
2. Tackle the Tool Sprawl
You often hear that "complexity is the enemy of security." Organizations are grappling with the fact that the network is no longer an easily defined, easily monitored segment. New solutions have arrived, and cloud and edge computing have created permeability and dynamism that traditional monitoring tools weren't designed to manage.
Network and security teams struggle to keep up. According to a recent SANS report, "Incident responders want more insights into network traffic in the cloud environment for IR, and encrypted traffic is high on the list, but according to our respondents, it is also the hardest to acquire."
The adoption of new security solutions often leads to tool sprawl (as new tools are seen as a necessary evil in order to cover a rapidly expanding environment) and greater operational complexity.
A talk led by Palo Alto Networks at the 2019 RSA Conference cited that, on average, small organizations are using between fifteen and twenty tools, medium-sized businesses are using fifty to sixty, and large organizations or enterprises are using over 130 tools.
Too many tools can increase network and security complexity if not properly integrated and can introduce vulnerabilities—the opposite of their intended purpose. A SANS 2020 Network Visibility and Threat Detection Survey that was commissioned by ExtraHop reported that the majority (68 percent) of respondents expressed a desire to reduce the complexity of their systems by reducing the overall number of tools involved in their operations.
Beyond the complexities of distributed environments that often require multicloud visibility, both security and IT teams now face an increase in IoT and edge devices—a perfect example of why deeper, unified network visibility is so crucial for each team.
3. Improve Visibility Across the Hybrid Network
In order to maintain availability, IT teams need to understand which devices are accessing which resources, whether on-premises or in the cloud, and how they're using those resources. Security teams, on the other hand, must manage the wide array of risks including both known and unmanaged devices on a corporate network.
For all teams, visibility is key. First you need to understand what is connecting to the network. Can you see every device that connects, including unmanaged devices and IoT? Are all the endpoints instrumented with agents? Seeing how devices communicate (and with which systems) in real time is the best way for both teams to keep the business running as usual.
Rethinking how teams communicate can increase security and improve network operations. That's led many ExtraHop customers, like Hill Physicians Medical Group, to invest in cloud-native network detection and response to increase the security and performance of the network.
We weren't surprised that in the 2020 Market Guide for Network Performance Monitoring and Diagnostics, Gartner recommended that "I&O leaders focused on infrastructure, operations and cloud management must:
- Future-proof network monitoring by investing in network performance monitoring and diagnostics tools that provide the required level of visibility in hybrid environments, including edge network and cloud network monitoring.
- Improve alignment with business objectives and their requirements for network visibility and agility by evaluating NPMD solutions that offer business-level analytics and integration with automated workflows.
- Increase alignment between network operations and security operations, by coordinating NPMD procurement decisions with security analytics solutions, including network traffic analytics tools."*
We recommend going one step further. We believe the best way to break down silos, gain visibility over an expanding and permeable environment, and secure a growing business is to rethink the entire concept of network monitoring. The truth is found in your network traffic and by using network data as the foundational source for insight, organizations can eliminate blind spots that have hindered security and IT operations for decades. By using machine learning to understand network data, you gain the context you need to understand normal vs. anomalous behavior. You get to the root cause of an event in minutes instead of hours and can stop a threat before it causes harm. You can diagnose a performance issue before it causes an outage.
Cloud-native network detection and response (NDR) enables security, cloud, and IT teams to gain unified visibility, regardless of the deployment model. When all teams use the network as a data source, organizations improve anomaly detection and can respond to threats in real time. The result is a stronger security posture and vast improvements in operational efficiency and uptime.
To learn how tool selection can help or hinder cross-team collaboration, read the ExtraHop Selection Guide for Network Visibility Tools.