Situational Awareness for Cybersecurity Architecture: Network Visibility
Network compromises cannot be detected without visibility into the activities of the assets involved. Network security analysts can observe those activities in one of two places (or sometimes both): directly on the device, by means of endpoint visibility, or in the communications going to and from the device; in other words, on the network. In our earlier blog post on cyber situational awareness (SA) for the enterprise, we discussed endpoint visibility. In this post, we turn our attention to the other component required for monitoring and defending against network compromises: network visibility.
Network visibility describes the use of observation points (sensors) on the network to capture data for increased awareness. These observation points allow monitoring of the communications between hosts and networks without installing agents on the endpoints. To achieve network visibility, network administrators must
- evaluate sensor placement
- measure traffic volumes and identify trends
- identify locations of critical assets
Not all attacks can be detected at an endpoint. Some become visible only in network traffic patterns. For some attacks, it is also easier to instrument the network for traffic inspection than to instrument every individual endpoint. Which tools are needed to provide the required visibility, and where they should be placed on the network, depend on the network architecture, traffic volumes, and locations of critical assets.
Active and Passive Controls
Network visibility is provided by either active or passive observation. Active observation can influence the communication as well as monitor it, particularly when the network routes traffic through the control (an inline placement). Passive observation, usually achieved by duplicating the traffic to an observation point through a network tap or a mirrored switch port, monitors the traffic without interacting with it.
An intrusion prevention system (IPS) is an active control that can identify malicious traffic and terminate the connection to mitigate the threat. An intrusion detection system (IDS)--a passive control--applies the same kind of inspection to a copy of the traffic and can alert, but it cannot block traffic on the network. Because a passive control works from a copy, its observation of the data is indirect unless the session is being proxied by an inline security control. Traffic that is encrypted or encapsulated will not be visible to either kind of control unless the control is configured in a man-in-the-middle or break-and-inspect arrangement that terminates the network connection at the security control and initiates a second connection to complete the communication. Without such interception, a sensor still sees the unencrypted parts of an encrypted session (addresses, ports, volumes, timing, and handshake fields), which is often enough for the flow-level visibility described below, but not the payload.
The Limitations of Network Visibility
Network visibility provides information on the data crossing security boundaries. It follows that the visible data includes only what is communicated between endpoints, not what happens within an individual endpoint.
North-south traffic moves between the Internet and the enterprise network: northbound traffic is directed out to the Internet, and southbound traffic is destined into the enterprise from the Internet. Traffic that moves from one internal network to another without leaving the enterprise is described as an east-west flow.
Instrumented Internet access points provide visibility into the data traversing the security control to and from the Internet (north-south) but provide none for east-west traffic. East-west traffic can be observed only where it crosses an instrumented boundary between security domains. Traffic that never leaves a network segment or broadcast domain will not be monitored unless all traffic on that segment is being collected. Such collection can be desirable for identifying insider threats, but collecting all traffic from a segment without installing agents on every machine can require costly effort and expense.
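The sensor-placement question above can be made concrete with flow records. The following is an added example, not code from the SEI post: it classifies a handful of constructed NetFlow-style records as north-south, east-west, or intra-segment against a hypothetical address plan (the prefixes, segment names, sensor names, and flow records are all assumptions) and reports which flows remain unobserved under a given set of sensor placements. The point it makes is the one in the text: an Internet-edge sensor alone never sees lateral traffic, and a gateway sensor on a server segment still misses traffic that stays inside that segment.

```python
"""Flow classification and sensor-coverage check (constructed example)."""
import ipaddress
from collections import Counter

# Hypothetical enterprise address plan (assumption, not from the post).
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
SEGMENTS = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "server-vlan": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed flow records; bytes and ports are made up for illustration.
FLOWS = [
    {"id": 1, "src": "10.10.4.21", "dst": "203.0.113.10", "dport": 443, "bytes": 5_120},
    {"id": 2, "src": "198.51.100.7", "dst": "192.168.100.5", "dport": 443, "bytes": 900},
    {"id": 3, "src": "10.10.4.21", "dst": "10.20.1.8", "dport": 445, "bytes": 48_000},
    {"id": 4, "src": "10.10.4.21", "dst": "10.10.7.3", "dport": 445, "bytes": 2_100_000},
    {"id": 5, "src": "10.20.1.8", "dst": "10.20.1.9", "dport": 3389, "bytes": 610_000},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_PREFIXES)


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "other-internal" if is_internal(ip) else "internet"


def classify(flow: dict) -> str:
    """north/south cross the Internet edge; east-west crosses a segment
    boundary inside the enterprise; intra-segment never leaves its segment."""
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if src_in and not dst_in:
        return "north"
    if dst_in and not src_in:
        return "south"
    if not src_in and not dst_in:
        return "transit"  # neither end is ours; should not appear on our sensors
    if segment_of(flow["src"]) == segment_of(flow["dst"]):
        return "intra-segment"
    return "east-west"


def _touches(flow: dict, segment: str) -> bool:
    return segment in (segment_of(flow["src"]), segment_of(flow["dst"]))


# Hypothetical sensor placements: each predicate says whether a sensor at
# that point sees a flow of the given class.
SENSORS = {
    # inline or tapped at the Internet access point: north-south only
    "internet-edge": lambda f, c: c in ("north", "south"),
    # tap at the server segment's gateway: east-west flows entering/leaving it
    "server-vlan-gateway": lambda f, c: c == "east-west" and _touches(f, "server-vlan"),
    # full capture (mirror of every port) on the user LAN: anything touching it
    "user-lan-span": lambda f, c: _touches(f, "user-lan"),
}


def observers(flow: dict, deployed: list) -> list:
    """Names of deployed sensors that would observe this flow."""
    cls = classify(flow)
    return [name for name in deployed if SENSORS[name](flow, cls)]


def unobserved(flows: list, deployed: list) -> list:
    """IDs of flows no deployed sensor observes: the visibility gap."""
    return [f["id"] for f in flows if not observers(f, deployed)]


def volume_by_class(flows: list) -> Counter:
    """Byte totals per traffic class, for trend/volume measurement."""
    totals = Counter()
    for f in flows:
        totals[classify(f)] += f["bytes"]
    return totals


if __name__ == "__main__":
    for placement in (["internet-edge"],
                      ["internet-edge", "server-vlan-gateway"],
                      list(SENSORS)):
        print(f"{placement}: unobserved flows {unobserved(FLOWS, placement)}")
    print(dict(volume_by_class(FLOWS)))
```

Run against the constructed records, the edge-only placement misses flows 3, 4 and 5; adding the server-segment gateway sensor picks up flow 3 but still misses the two intra-segment flows, and even mirroring the entire user LAN leaves flow 5 (server-to-server within the server segment) unobserved. The byte totals also show where the volume actually is: the unobserved intra-segment traffic dwarfs the north-south traffic that the perimeter sensor reports.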
Network visibility will identify which endpoints are communicating with each other and other details related to those communications such as
- protocol dissection--parsing the phases of a protocol, such as the exchange that establishes a session or the order of operations required to provide and continue providing a service
- application identification
- application-related source and destination information
- signature matching
However, network visibility will not provide any information about activities on the systems themselves. Most communications between endpoints involve client-server interaction, and the data payload of those interactions is not available for analysis unless content is examined through deep-packet inspection.
Deep-packet inspection of all traffic leads to prohibitive costs from protocol dissection, interpretation, and alert processing. Dissecting protocols without introducing latency into the network takes significant computation; interpreting the dissected results and producing findings takes more; and storing those results adds further cost. Many organizations therefore deploy deep-packet inspection selectively, targeting specific network segments or predefined application-header fields.
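Selective inspection of predefined application headers, as described above, is what makes protocol dissection and application identification affordable, and it also shows what a sensor can still learn from encrypted traffic without a break-and-inspect configuration. The following is an added example, not code from the SEI post: it identifies the application from the first bytes of a payload and dissects only the unencrypted TLS ClientHello to pull out the Server Name Indication (the destination the client asked for), which is visible on the wire even though everything after the handshake is encrypted. The `build_client_hello` helper only constructs sample input for the parser to work on; the byte layout it follows is the standard TLS record and handshake format, but the host names, cipher suites and zeroed random are constructed values.

```python
"""Cheap application identification and ClientHello SNI dissection
(constructed example; helper builds the sample packet)."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_application(payload: bytes) -> str:
    """Classify a flow from its first payload bytes, without full DPI."""
    if payload[:1] == b"\x16" and payload[1:2] == b"\x03":
        return "tls"          # TLS record, content type handshake
    if payload.startswith(b"SSH-"):
        return "ssh"          # SSH identification string
    if payload.startswith(HTTP_METHODS):
        return "http"         # plaintext HTTP request line
    return "unknown"


def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if the
    record is not a ClientHello, carries no SNI, or is truncated/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:          # handshake type ClientHello
            return None
        pos = 4 + 2 + 32                          # header, legacy_version, random
        sid_len = hs[pos]
        pos += 1 + sid_len                        # session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                         # cipher suites
        cm_len = hs[pos]
        pos += 1 + cm_len                         # compression methods
        if pos + 2 > len(hs):
            return None                           # no extensions block
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000 and elen >= 5:     # server_name extension
                # list length (2), name_type (1), name length (2), name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                if pos + 5 + name_len > end:
                    return None
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
        return None
    except (struct.error, IndexError):
        return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension (sample input for the parser; values are constructed)."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    sv_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"   # supported_versions
    extensions = sv_ext + sni_ext                             # SNI is not first
    body = (b"\x03\x03" + bytes(32)                           # version + zeroed random
            + b"\x00"                                         # empty session id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"      # two cipher suites
            + b"\x01\x00"                                     # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def summarize(payload: bytes) -> dict:
    """What a sensor can report about a connection from its first packet."""
    app = identify_application(payload)
    return {"app": app, "sni": extract_sni(payload) if app == "tls" else None}


if __name__ == "__main__":
    print(summarize(build_client_hello("example.com")))
    print(summarize(b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
```

The parser deliberately walks past extensions it does not care about and gives up on anything truncated, which is the behaviour you want in a sensor that sees fragments and adversarial input. Note what it does and does not give you: the application and the requested host name, but nothing about the request or response inside the encrypted session, which is exactly the gap that break-and-inspect or endpoint visibility has to fill.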
Observing and identifying trends in network traffic helps in targeting anomalous activity on the network, but limitations in visibility can hamper these efforts. The lack of visibility into the endpoints can be addressed by looking into the content of the communications or by drawing on other features of the endpoints, such as identity, role, and enabled services, that enrich the context. Understanding the purpose and function of an endpoint helps when trying to determine whether things are working as intended. Combining endpoint visibility with network visibility provides valuable confirmation when the two sources agree and flags the need for further investigation when they differ. The ability to follow data in motion from the network perimeter to the process running on an endpoint likewise provides validating data that strengthens reporting and increases confidence in findings.
In the next installment in this series, we will discuss monitoring and response components--tools that help analyze data, manage data, manage incidents, contextualize incidents, and respond to events.
FloCon provides a forum for exploring large-scale, next-generation data analytics in support of security operations.
Read the first blog post in this series, Situational Awareness for Cybersecurity: An Introduction.
Read the second blog post in this series, Situational Awareness for Cybersecurity: Assets and Risk.
Read the third blog post in this series, Situational Awareness for Cyber Security: Three Key Principles of Effective Policies and Controls.
Read the fourth blog post in this series, Engineering for Cyber Situational Awareness: Endpoint Visibility.
Read about the SEI's work in network situational awareness.
Read other SEI blog posts about network situational awareness.