Monitoring network security has become an increasingly comprehensive task. Thanks to bring-your-own-device (BYOD) policies, administrators must now keep an eye on a greatly expanded number of smartphones and tablet platforms. They’re also faced with a burgeoning tide of devices coming into the network through the Internet of Things (IoT). Temperature sensors and connected motors, refrigeration units and energy management modules—all represent a potential generator of new security traffic alerts and log data.
The sheer volume of security data that must be gathered, analyzed and acted upon is growing every day. It’s a scenario that creates new hurdles and forces administrators to find innovative solutions.
Security monitoring challenges growing alongside enterprise networks
Efforts to successfully scale the security monitoring function are meeting new obstacles. One is the growing use of cloud, with enterprises sometimes supporting multiple flavors of public and private environments that all generate their own sets of security monitoring data. The ever-growing number of endpoints related to IoT also impacts security.
“You’re collecting more data and it’s even more difficult to identify what is actionable and what needs somebody to respond, versus just collecting and logging that data in case you need to do forensic investigation later,” offered Mav Turner, director of security at SolarWinds, by way of example.
The volume of security data added to the system is just one side of the coin. Those devices that comprise the IoT don’t always have the same level of security readiness as conventional user-driven endpoints. This may lead IoT devices to spawn traffic that appears suspicious, triggering even greater security monitoring. These reams of data mean more security logs to slog through and more security triggers to evaluate and process.
The network security landscape looks much different today than it did just a few years ago. Administrators once knew where their territories started and ended. There was a firewall, and there were clearly defined endpoints. “Nowadays, technology has advanced to the point that you have mobile, you have virtual applications, you have virtual machines and you have cloud applications,” said Cris Thomas, strategist at Tenable Network Security. “You no longer have a set, defined network with clearly defined edges for a security admin to take care of.” These challenges, he added, are “only going to get worse as time goes on because we have the Internet of Things coming around.” Each time the network edges expand to encompass new locations, new environments and new machines, the volume of security log data clamoring for review grows as well.
“It’s just staggering to see the growth of networks and of network-attached devices,” said Nick Sanders, director of product management at Masergy. Mobile devices, which have finally found acceptance within most enterprise networks, are quickly being joined by wearables. Sanders described it as a “huge influx of devices” that IT groups must now get their arms around.
Just as multiple locations often prompt multiple streams of security log data that must be parsed, the rapid pace of mergers and acquisitions also adds to the security monitoring function. When multiple disparate networks are suddenly thrown into one big, interconnected heap, IT teams are left to sort through how security is happening and what a normal traffic pattern even looks like. “It’s a perpetual engine of complexity that just grows and grows,” Sanders said. It also often means that security monitoring must quickly be applied to locations that previously weren’t even on the radar. Administrators are increasingly finding themselves spending more time combing through security logs and alarms.
Solutions and strategies for scaling security in the IoT era
The risks of having more security data than the IT team can process are real and tangible. In some of the recent data breaches in the headlines, enterprises reported receiving alarms and seeing flags in the security logs that were either dismissed as false positives or simply lost in the clamor. To avoid similar issues and make security more scalable, administrators may want to consider a number of potential strategies.
One operational approach Sanders suggested is better user education, which may be useful in keeping the security log data collected to a minimum. “It’s the user that’s the greatest risk,” he explained. In many cases, consumers adopt new technologies because they provide convenience. “They don’t realize what potential harm can come by them,” Sanders said. “Every time your smartphone gets an application update, you run the risk of some new permission being granted to that application.” When those user devices are also accessing the network, each new threat and each suspicious traffic pattern adds to the din of security alerts. “They watch YouTube videos and do social media stuff. They’re downloading movies. Every time that happens, they’re exposing the company to these risks,” Sanders said. An informed user base can play a part in reducing the load on the security monitoring function.
Keep security from bringing the network to its knees
Collecting, analyzing and acting on security log data often requires a lot of horsepower. A strong focus on security has prompted some IT groups to feed a substantial portion of the network’s resources into the security machine. But data volumes lurking inside those security logs will grow, and as the amount of traffic increases, so will the number of events the system flags as suspicious. Administrators must plan to carefully manage resource levels to prevent the security function from starving out the rest of the infrastructure.
Becoming overburdened with security alerts is one potential concern. Enterprises may want to consider a strategy aimed at preventing too many false positives and low-level alarms from overtaking the IT group. This will enable them to be more successful at identifying the alerts that really matter. “A lot of what I talk to customers about is creating specific plans for alert management,” Turner said. “If you can’t see alerts or they’re not actionable, then you’re not doing something about them and you might as well not be getting them.” As the number of connected devices—user-driven as well as those living in the IoT—grows, Turner expects the issues related to alert management to become even more acute.
Automation may be another useful tool in sifting through the growing stream of security data, but Thomas cautioned that it isn’t a panacea. “Automation helps free up resources and it makes things go faster, but the problem with automation is that sometimes you end up with false positives,” he explained. Automation tools may also indicate a problem was fixed when it wasn’t, or they may miss a security risk entirely. Thomas suggested implementing a double-check within the security monitoring process to ensure that automation tools remain accurate. Like a strong alert management program, this strategy may allow the enterprise to scale up without sacrificing the effectiveness of its security monitoring measures.
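As an added illustration of the alert-management plan Turner describes and the automation double-check Thomas recommends (example code written for this page, not from the article or from any of the vendors quoted), the following pass collapses repeated identical alerts into one counted entry, keeps low-severity IoT chatter as log-only data for later forensics, and reopens any alert an automation tool claims to have fixed when an independent re-check disagrees. The sample alert feed, the severity threshold and the `recheck_remediation` stand-in are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    source: str       # device or host that raised the alert
    rule: str         # detection rule that fired
    severity: int     # 1 (informational) .. 5 (critical)
    auto_fixed: bool  # an automation tool reports it remediated the issue

# Constructed sample feed: an IoT sensor chattering at low severity,
# a critical alert that automation claims to have fixed, and one real escalation.
SAMPLE_ALERTS = [
    Alert("sensor-temp-12", "port-scan-like", 1, False),
    Alert("sensor-temp-12", "port-scan-like", 1, False),
    Alert("sensor-temp-12", "port-scan-like", 1, False),
    Alert("hvac-ctrl-3", "unknown-protocol", 2, False),
    Alert("ws-finance-07", "malware-beacon", 5, True),
    Alert("ws-hr-02", "credential-stuffing", 4, False),
]

ACTIONABLE_SEVERITY = 3  # below this: log for forensics, do not page anyone

def recheck_remediation(alert):
    """Independent second check of an automation 'fixed' claim. Assumption:
    a stand-in for re-scanning the host; here the beacon is reported as still present."""
    return alert.rule != "malware-beacon"

def triage(alerts):
    """Return (actionable, logged_only): identical alerts collapse into one
    entry with a count; low severity is logged only; automation 'fixed' claims
    that fail the re-check are reopened as actionable."""
    actionable, logged_only = [], []
    for alert, n in Counter(alerts).items():
        entry = {"source": alert.source, "rule": alert.rule,
                 "severity": alert.severity, "count": n}
        if alert.severity < ACTIONABLE_SEVERITY:
            logged_only.append(entry)
        elif alert.auto_fixed and recheck_remediation(alert):
            logged_only.append(dict(entry, status="auto-fixed, verified"))
        else:
            if alert.auto_fixed:
                entry["status"] = "reopened: automation claimed fix, recheck failed"
            actionable.append(entry)
    return actionable, logged_only

if __name__ == "__main__":
    for bucket in triage(SAMPLE_ALERTS):
        print(bucket)
```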