Network security intelligence offers real-time threat detection and post-event assurance for enterprise networks by analyzing traffic behavior over time and storing conversations for post-event investigations.
Reinforce Threat Prevention Strategies with Network Security Forensics
Recent high-profile network attacks have underscored the need for more robust network security products, specifically technology that analyzes actual network conversations and monitors supporting infrastructure to strengthen existing threat prevention solutions.
Observer accomplishes this by a powerful combination of comprehensive wire data analytics and enriched-flow records that deliver complete visibility into network traffic and supporting infrastructure. With these rich data sources, real-time threat detection and post-event security investigation capabilities are enhanced. Breaches and compromised resources can be quickly identified, and remediation activities begun.
Now, with the release of Observer v18, packet and enriched flow data now coexist in Observer Apex. By compiling Layer 2 to Layer 3 insights into a single enriched flow record, Observer can produce unique, interactive visualizations that illustrate the relationships between User, IP, MAC, and application usage in the network. A NetOps or SecOps user can simply enter a name in the username field and immediately find all devices, interfaces, and applications associated with it. Finding out what’s connected and who’s communicating across your network has never been easier.
Cybersecurity Can Never be Too Strong
Defending complex hybrid IT networks with IoT and remote user devices requires a multifaceted data protection strategy. For example, the network perimeter has never been so expansive and potentially vulnerable. Along with firewalls, IDS, and DLP, effective security solutions must include network security intelligence derived from in-depth knowledge of the network traffic and supporting assets.
NetOps and SecOps should connect to deliver outstanding business value and deliver an exceptional end-user experience for IT stakeholders using these Observer capabilities:
- Global Threat ID with Scope and Impact - Apex supports full access to the power of GigaFlow enriched-flow records. From the Apex Welcome Screen, search by MAC address, IP address, subnet, or launch GigaFlow directly. Updated blacklists continuously check against enriched records over time. Network and security teams can quickly assess whether devices or applications are exhibiting aberrant behavior using this network security solution.
- Advanced Traffic Profiling - Quickly identify anomalous activity and monitor acceptable use through sophisticated traffic profiling included in Observer’s network security protection. Every host and device across the IT environment directly from GigaFlow can be accessed via simple navigation from Apex. Characterize traffic by type, usage, application, and communication activity. Profiles are maintained in real time and then stored with all future network traffic and evaluated against past behavior.
- Security Forensics and Reconstruction - Tight integration with GigaStor means Apex serves as an eyewitness to every network conversation, offering intuitive dashboards with summary information of every transaction over time. It also maintains ready access to individual packets for extended back-in-time investigations of suspicious activity. As a part of an investigation process, traffic can be quickly filtered and shared with third-party security and analysis tools.
Network Security Intelligence – Backstop Threat Prevention Efforts
Firewalls, anti-virus software, IDS, and DLP systems are necessary but no longer enough to achieve robust cyber protection or to obtain detailed evidence necessary for complete resolution and documentation of cyberattacks and IT breaches. Advanced network security solutions delivered by network performance monitoring and diagnostics (NPMD) solutions like Observer act as a 24/7 security camera that monitors every entity in the environment, detecting real-time anomalous behavior and storing network traffic for extended periods for immediate threat identification or post-event analysis.
Captured packet data allows organizations to reconstruct all the traffic, on the network up to and after a network security events to gain context while enriched flow records provide deep insight into the status of every network asset.
Network and Security Teams Converging Operational Model
Complex network environments require close collaboration between SecOps and NetOps teams to maximize service delivery while protecting against escalating security threats. The bridge between these two worlds is the network, traffic and the resources that support it. Observer can be the network security solution that delivers on this future paradigm. Why wait until tomorrow when you can have the network security intelligence you need today?
"Although often separate, NetOps and SecOps teams share the common goal of maintaining secure, high-performance network infrastructures. Infrastructure and operations leaders can leverage shared data and solutions to optimize budgets, avoid duplication of effort and improve the end-user’s experience."
– "Align NetOps and SecOps Tool Objectives With Shared Use Cases" By Gartner analysts Sanjit Ganuli and Lawrence Orans, July 24, 2018
How can network security services help you get visibility into your network in the event of a breach?
When there’s an incident, the first thing the SecOps team is tasked to do is to find all the information they can about an IP address. Traditionally this involves asking the NetOps team to send over pcap files and this might take a long time.
With the Observer network security solution, we aggregate those network insights for you, proactively—that is, before the breach happens.
The Observer application gives SecOps teams visibility into their network by interrogating the network’s devices, and not just routers, switches, and firewalls. We go a step further and talk to your proxy servers, load balancers, and even SD-WAN controllers to fully protect your network.
We ask these devices the following questions:
- Have you seen this IP address?
- What decisions have you made with this IP address?
- How did you make that decision?
Observer goes into the ARP table to get MAC addresses corresponding to the devices in the network. We find user IDs from Authentication Domains, NetFlow, jFlow, IPFix and distill that information.
How can the Observer platform complement the other solutions in your suite?
The Observer application gives SecOps and NetOps teams layer 2 and layer 3 network visibility to existing security workflows by interrogating the devices in the network.
We answer the critical questions of a) What’s connected?, and b) What’s communicating. We then stitch together this information – MAC addresses, userIDs, IP addresses, and more—and compile them into interactive, intuitive workflows that let you navigate between these relationships.
What immediate business impact can Observer’s network security solution provide you with?
- We can provide NetOps and SecOps teams with quicker, more accurate threat detection due to more complete forensic data
- We can reduce the number of false positives with the more complete picture provided by Observer’s network visibility
- We can foster collaboration between NetOps and SecOps teams, delivering increased efficiencies between them.
- We can streamline root cause analysis, especially when it comes to pinpointing why an application is not performing accurately
- We can help NetOps teams resolve subjective end-user complaints
- We can mitigate risk factors involved with the deploying of major IT initiatives
What is the power of having a flow-based network security solution?
Many flow-based solutions claim to play in the security arena by providing a few “security reports.” Our product bridges and fills the gap between NetOps and SecOps with views designed SPECIFICALLY for SecOps specialists.
Observer provides automated detection of suspicious and malicious behaviors leveraging multiple techniques and aggregates these techniques into an integrated threat map.
- IP Blacklisting: Observer continuously updates pre-configured and custom blacklists.
- SYN Forensics: Observer can alert on suspicious volumes and patterns of SYN-only flow records, often associated with network and port sweeps.
- Traffic Profiling: A core capability of Observer to use the enriched-flow records to build a traffic profile of devices on the network. Profiles are maintained in real-time with all future network-generated device traffic evaluated against past behavior for unusual or anomalous activity.
Common network security solutions concerns
You may have some questions regarding the application of enriched flow in your network infrastructure. Here are some ways that Observer can help you by addressing these network security software concerns.
- My devices are not capable of sending flow data…
Observer can parse log data to produce enriched-flow records that function just like flow data - The most prevalent flow sources don’t have performance data…
Observer applies advanced analysis functions to produce response time data from flows as part of the enriched flow - Flow vendors aggregate and de-dup, so the forensic value is minimal…
Observer offers “full-flow forensics” - ensuring that every flow is retained and available for the most detailed analysis. Because of this archiving capability, Observer can help with any retroactive reporting associated with an incident, powered by full-fidelity forensics.
How is Observer’s flow-based solution different from other flow-based network security monitoring software?
Traditional flow-based network security solutions aggregate flow from only some network infrastructure devices. We take this a step further and compile user sources from domain servers and authentication servers, SNMP, MAC addresses from ARP tables, and even cloud sources like AWS and Microsoft Azure.
When coupled with VIAVI Observer’s third-party validated wire data capture solution, GigaStor, an organization can give themselves the most complete picture of their network: true network visibility.
What are some key differentiators of VIAVI Observer’s network security software and performance solutions?
- End-User Experience Scoring
VIAVI leverages machine learning to identify an issue and automatically isolate the problem domain in seconds. In three clicks, users can go from higher-level dashboards all the way down to network conversations, or wire data transactions, effectively streamlining root cause analysis and reducing mean time to resolution (MTTR).
This can be helpful in a security setting because a low end-user experience score can be indicative of a Denial of Service attack, which can also be detected by other tools within Observer’s network security software.
- Enriched-Flow Records
Having visibility into your network is a critical component of any network security software, and one of the most long-lasting, traditional pieces of network data is flow. Observer transforms traditional flow by stitching enriched-flow records that compile flow, SNMP, user identity, and session syslogs all together in one single “record.” These Layer 2 and Layer 3 insights, when aggregated yield unique, accessible visualizations, such as the IP Viewer. These interactive visualizations and reports allow customer to drill as far as they want into IP to MAC to User relationships, interface and device type information, traffic control, quality of service marking, and more.
- Integrated Threat Map
An integrated threat map accessible straight from Observer Apex provides visual ways to detect and monitor rogue activity. IP blacklisting, advanced traffic profiling going beyond basic whitelisting, and SYN Forensics.
- Third-Party Validated Data Capture
The VIAVI third-party validated wire data capture delivers from the GigaStor component of the Observer platform delivers industry leading stream-to-disk speeds and metadata production to give an organization complete packet forensic visibility into all network activity. This allows a SecOps user to drill into the packet level network conversations, in the event of any breach. When coupled with flow-based analysis, NetOps and SecOps teams alike can benefit from a near complete picture of their network.
- Single Interface with Apex
Traditionally, it can be difficult for SecOps teams to be granted timely visibility into the network, be it due to organizational silos regarding tool use or because it simply takes time to find the relevant network data. With Observer Apex, SecOps and NetOps teams alike can use the same interface to solve network security and performance related issues.
- The Power of Flow and Packets Combined
By combining the power of wire data capture with GigaStor and flow-based analysis and archiving with GigaFlow, Observer is able to provide you with information from the data center as well as the hypothetical router at the edge of the network to paint the full picture. The ability to store enriched-flow records in the form of full-fidelity forensics and the retention capabilities of network conversation data from GigaStor means that SecOps teams and NetOps teams can retroactively go back and drill into any transaction in the network. This gives SecOps and NetOps teams true network visibility.
Additional resources:
