
04 Nov, 2011
Large organizations doubling down on network monitoring in response to APTs
By joltsik on Wed, 11/09/11 - 11:05am.
How do you detect sophisticated attacks in progress? It isn't easy. Large organizations collect data from a number of sources like log files and NetFlow and then organize and analyze this data using tools like log management and SIEM. Based upon the recently-published ESG Research Report, "U.S. Advanced Persistent Threat Analysis," these tried-and-true security methods are no longer enough.
What's missing? Granular detail about the network -- network behavior, payload analysis, packet analysis, application-layer analysis, network performance, etc. from layers 2 through 7 of the OSI stack.
Here are a few data points from the report which lead me to this conclusion:
1. 68% of organizations depend upon network management tools to determine if they are experiencing a cyber attack. The next closest response was "log file analysis" at 51%.
2. Of those organizations that have created or modified security processes in response to APTs, 52% have, "improved network traffic monitoring for attack patterns or other anomalous behavior."
3. Of those organizations that have purchased new security technologies in response to APTs, 42% purchased network behavior monitoring technologies.
This and other data in the report tell me that large organizations really aren't sure about what's going on in their network. This impacts business operations AND leaves them vulnerable to attack -- a lose-lose if there ever was one.
I have several thoughts about what this means:
1. Cisco is in a very good position to help address the network visibility problem since it owns most of the network. As such, it should be investing heavily in network monitoring technologies for security as well as performance.
2. If anyone still needed a reason why RSA purchased NetWitness, here it is.
3. Look for the security industry to pay far closer attention to open source network monitoring tools like Suricata, HTTPry, and Sguil.
4. There is a huge data problem on the horizon and enterprises need to capture, normalize, and store terabytes of data while simultaneously analyzing this data in real-time. SQL databases are no longer a fit here.
5. Network monitoring pure-plays like Compuware, ManageEngine, NetScout, NetQoS, Net Optics, and Quest are missing a big opportunity if they don't look long and hard at a network security monitoring play.
6. Monitoring is just the tip of the iceberg. With better data and analytics, CISOs can take automated actions to enforce granular policies.