Thursday, July 18

Must-have features in a modern network security architecture

Form factors and use cases are changing, so network security must be more comprehensive, intelligent, and responsive than ever before.

Early in my professional career, Sun Microsystems was considered a computing visionary. Sun coined an intriguing company tagline early on: "The network is the computer." What did that mean? It meant IT infrastructure was joined together in a loosely coupled architecture, tied together via networking technologies like Ethernet cables and the TCP/IP protocol. Thus, it was critical to engineer the network properly to maximize network availability, performance, and business benefits.

Yes, things have changed since the early 1990s. Some networks live in the cloud, some are virtual, and some rely on application-to-application connections, but networks still connect IT systems together in one way or another.

Modern network security
Amidst this transformation, network security has had to change with the times. In my humble opinion, modern network security must support:

End-to-end coverage. Perimeter security inspecting ingress/egress traffic is no longer enough. Modern network security controls must be instrumented into all network segments for inspection of east/west traffic, network communications within the cloud, and network communications from remote employees to software as a service (SaaS) applications where the traffic never touches the corporate network. In other words, all network traffic should be inspected.
Encryption/decryption capabilities throughout. According to ESG research, 50% to 60% of all network traffic is encrypted today, and this will only increase in the future. (Note: I'm an ESG employee.) This means a comprehensive network security architecture must include the ability to decrypt and inspect traffic at a multitude of control points. Modern network security technologies should also be able to detect suspicious traffic without the need for decryption in all cases. This capability is already included in offerings like Cisco Encrypted Traffic Analytics (ETA) and complete solutions from vendors like Barac.io.
Business-centric segmentation. Reducing the attack surface should be a primary requirement for all modern network security technologies. This equates to two capabilities: 1) segmenting east/west traffic between application tiers, and 2) implementing software-defined perimeter network segmentation rules between users/devices and network-based services. These capabilities are often vaguely referred to as "zero trust."
A central management plane and distributed enforcement. This one is a "must-have." All network security controls (i.e. physical, virtual, cloud-based) must report into a common management plane for management activities (i.e. configuration management, policy management, change management, etc.). The central management plane will likely be cloud-based, so CISOs should prepare risk-averse auditors and business managers for this transformation. Armed with instructions from central command and control, network security systems must be instrumented to block malicious traffic and enforce policies regardless of their location or form factor. Note that while every network security vendor will pitch its own central management service, third-party software providers like FireMon, Skybox, and Tufin may play a role here.
Comprehensive monitoring and analytics. As the old security adage goes, "the network doesn't lie." Since all cyber attacks use network communications as part of their kill chain, security analysts must have access to end-to-end network traffic analysis (NTA) up and down all layers of the OSI stack. The best NTA tools will supplement basic traffic monitoring with detection rules, heuristics, scripting languages, and machine learning that can help analysts detect unknown threats and map malicious activities into the MITRE ATT&CK framework. CISOs should cast a wide net, as there are many strong solutions to choose from among pure-play startups (i.e. Bricata, Corelight, DarkTrace, IronNet, Vectra Networks, etc.), networking specialists (i.e. Cisco, ExtraHop, NETSCOUT, etc.), and network security vendors (i.e. Fidelis, FireEye, Lastline, HPE, etc.). Caveat emptor!
Network security technologies must support granular policies and rules, subject to immediate modification based upon changes in things like user location, network configuration, or newly discovered threats/vulnerabilities. Organizations must have the ability to spin up/spin down or change network security services whenever and wherever they're needed. Modern network security controls must be able to accommodate Internet of Things (IoT) devices and protocols with the same kinds of strong policies and enforcement as they provide for traditional operating systems. Finally, network security architectures must be designed around easily accessed APIs for rapid integration.
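To make the segmentation, context-driven policy, and traffic-analytics requirements above concrete, here is an added example (not code from the article or from any vendor it names). It evaluates constructed east/west flow records against a default-deny tier policy, applies a user-to-service rule whose outcome depends on an assumed "location" attribute from the identity layer, and runs two simple NTA heuristics (many distinct ports to one host; outbound connections at a fixed interval) that tag hits with MITRE ATT&CK technique IDs. The IP addresses, tier labels, policy table, and flow records are all constructed for illustration.

```python
"""Flow-record analysis: segmentation policy checks plus NTA heuristics.

Added example, not from the article. Every address, tier label, rule and
flow record below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed asset inventory: IP -> application tier / role.
TIERS = {
    "10.1.0.10": "web", "10.1.0.11": "web",
    "10.2.0.20": "app",
    "10.3.0.30": "db",
    "10.9.0.99": "workstation",
}

# Constructed east/west segmentation policy: (src_tier, dst_tier) -> allowed ports.
# Anything not listed is denied by default.
SEGMENT_POLICY = {
    ("web", "app"): {8080},
    ("app", "db"): {5432},
}


def user_policy(src_tier, dst_tier, port, ctx):
    """User/device -> service rule; 'location' is an assumed identity attribute."""
    if src_tier == "workstation" and dst_tier == "web" and port in (80, 443):
        return True
    # Direct database access is permitted only from the corporate network.
    if src_tier == "workstation" and dst_tier == "db" and port == 5432:
        return ctx.get("location") == "corporate"
    return False


def evaluate_flow(flow, ctx=None):
    """Return (decision, reason) for one flow record, default deny."""
    ctx = ctx or {}
    src_tier = TIERS.get(flow["src"], "unknown")
    dst_tier = TIERS.get(flow["dst"], "unknown")
    if flow["dport"] in SEGMENT_POLICY.get((src_tier, dst_tier), set()):
        return "allow", f"{src_tier}->{dst_tier} tier rule"
    if user_policy(src_tier, dst_tier, flow["dport"], ctx):
        return "allow", f"{src_tier}->{dst_tier} user rule"
    return "deny", f"no rule for {src_tier}->{dst_tier}:{flow['dport']}"


def detect_port_scan(flows, threshold=10):
    """Flag a source touching many distinct ports on one host (ATT&CK T1046)."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["dport"])
    return [{"src": s, "dst": d, "technique": "T1046", "ports": len(p)}
            for (s, d), p in ports.items() if len(p) >= threshold]


def detect_beaconing(flows, min_events=6, max_jitter=0.1):
    """Flag highly regular repeated connections to one service (ATT&CK T1071)."""
    times = defaultdict(list)
    for f in flows:
        times[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the inter-arrival gaps measures regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "technique": "T1071", "interval": round(avg, 1)})
    return hits


# Constructed flow records (timestamps in seconds).
SAMPLE_FLOWS = (
    [{"ts": 0, "src": "10.1.0.10", "dst": "10.2.0.20", "dport": 8080}]
    + [{"ts": 1, "src": "10.1.0.10", "dst": "10.3.0.30", "dport": 5432}]
    + [{"ts": 60 * i, "src": "10.9.0.99", "dst": "203.0.113.5", "dport": 443}
       for i in range(1, 7)]
    + [{"ts": 400 + p, "src": "10.9.0.99", "dst": "10.2.0.20", "dport": p}
       for p in range(1, 13)]
)

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS[:2]:
        print(flow["src"], "->", flow["dst"], flow["dport"], evaluate_flow(flow))
    remote = {"location": "remote"}
    print("workstation->db from remote:",
          evaluate_flow({"src": "10.9.0.99", "dst": "10.3.0.30", "dport": 5432}, remote))
    print("scans:", detect_port_scan(SAMPLE_FLOWS))
    print("beacons:", detect_beaconing(SAMPLE_FLOWS))
```

The policy functions are pure, so the same code can run at every enforcement point (physical, virtual, cloud) while the policy tables are distributed from a central management plane; changing the context passed to `evaluate_flow` is how a rule reacts to a user moving off the corporate network without any rule being rewritten.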

Sun Microsystems is long gone (now part of Oracle, by the way), but networks are still critically important regardless of their form factor. A modern network security architecture can not only protect all network traffic but also help organizations decrease the attack surface, improve threat detection/response, and help mitigate cyber risk. That's saying a lot.