This column is available in a weekly newsletter called IT Best Practices.
Most organizations built their network security infrastructure one point solution at a time. They started with a firewall, added anti-virus, and when that wasn't enough they brought in an intrusion prevention system (IPS), added endpoint protection, an intrusion detection system (IDS), a security information and event management (SIEM) system, and perhaps even a user behavioral analytics (UBA) solution.
The siloed layers were added in a disjointed fashion. The tools overlap yet still leave gaps in visibility. Not only is this approach expensive, it also puts a strain on the network as each tool needs to collect all sorts of data to do its job. Some tools need device logs, some need to capture data packets in real-time, and others need to build and monitor profiles for every user and every device on the network.
The end result is a complex security infrastructure that still is not 100% effective in preventing breaches—or at least detecting them at a stage when it's still possible to prevent serious losses or other damage.
To address these issues, Gigamon Inc. offers GigaSECURE, a security delivery platform that gives security applications visibility into what is happening on the network. GigaSECURE connects to the network – physical, virtual and cloud – collects network traffic and delivers it to the security applications that analyze it. The security appliances that connect to GigaSECURE receive a high-fidelity stream of the traffic relevant to them from across the infrastructure, rather than each having to tap the network on its own.
The security tools market is embracing this approach because it gives them easy access to the network data they need and would otherwise have to gather for themselves. Security vendors that partner with Gigamon span all major categories, including IPS, SIEM, web application firewall (WAF), Advanced Threat Prevention solutions, user behavioral analytics and advanced forensics. This, in turn, makes it easier for enterprises to rearchitect their security infrastructure to use GigaSECURE to collect data to feed security tools.
Today the network is the only medium that actually connects an organization's physical, virtual and cloud computing environments with users, devices and applications. By straddling these different areas, the network sees it all—everything that is happening, good or bad. It sees user activity and anything that is put on the wire, including traffic used for command and control, for lateral movement of malware, or for exfiltration of data.
Because Gigamon's taps and visibility nodes sit all along the network infrastructure, the vendor is in a position to extract metadata that spans these boundaries, and it has just bolstered its Security Delivery Platform by adding a Metadata Engine. This engine is designed to package that metadata, the company says, in various formats to feed SIEMs and big data security analytics solutions so they can detect a breach sooner and respond to it faster.
The metadata can be packaged as NetFlow/IPFIX records, URL/URI information, SIP request information, HTTP response codes, or DNS queries. In the future the Metadata Engine also will support DHCP queries, certificate information and custom data.
Here are a few examples of how this metadata might be used. The engine captures every URL that is visited and every HTTP request that goes out to the Internet, so the organization can track activity associated with exfiltration of data, command and control, or the download of malicious software. Gigamon also captures HTTP response codes, so if a user visits a website and it redirects him to a phishing site, a security analyst will want to know why he ended up on the second site. The redirect is visible in the network traffic through the HTTP response codes (the 3xx status family) and the request that follows. Gigamon picks up this information, packages it as IPFIX records and distributes it to the security tools for analysis and reporting.
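To make the redirect and command-and-control examples concrete, the following is an added illustration (not Gigamon code, and not the Metadata Engine's IPFIX layout) of the kind of correlation a SIEM or analytics tool could run over network metadata of this shape. The records are constructed for the example and carry only the field types the column names: timestamp, client address, URL, HTTP status code, and NetFlow-style destination/port. Field names such as `ts`, `src`, `url` and `status` are assumptions for the example. Two checks are shown: pairing a 3xx response with the next request from the same client to a different host (a redirect that lands the user somewhere else), and flagging connections to one destination that recur at nearly constant intervals (beacon-like traffic worth reviewing as possible command and control).

```python
"""Example correlation over constructed network-metadata records.

Not Gigamon's code or record format; the dict layout below is an
assumption chosen for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed HTTP metadata records (not real captures).
HTTP_RECORDS = [
    {"ts": 100.0, "src": "10.0.0.5", "url": "http://news.example.com/story", "status": 200},
    {"ts": 101.0, "src": "10.0.0.5", "url": "http://news.example.com/ad-click", "status": 302},
    {"ts": 101.4, "src": "10.0.0.5", "url": "http://login-verify.example.net/", "status": 200},
    {"ts": 130.0, "src": "10.0.0.7", "url": "http://intranet.example.com/", "status": 301},
    {"ts": 130.2, "src": "10.0.0.7", "url": "https://intranet.example.com/", "status": 200},
]

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port).
FLOW_RECORDS = [
    (0.0, "10.0.0.5", "203.0.113.9", 443),
    (60.2, "10.0.0.5", "203.0.113.9", 443),
    (119.8, "10.0.0.5", "203.0.113.9", 443),
    (180.1, "10.0.0.5", "203.0.113.9", 443),
    (240.0, "10.0.0.5", "203.0.113.9", 443),
    (5.0, "10.0.0.7", "198.51.100.4", 443),
    (8.0, "10.0.0.7", "198.51.100.4", 443),
    (40.0, "10.0.0.7", "198.51.100.4", 443),
    (41.0, "10.0.0.7", "198.51.100.4", 443),
    (90.0, "10.0.0.7", "198.51.100.4", 443),
    (12.0, "10.0.0.9", "192.0.2.20", 80),
    (13.0, "10.0.0.9", "192.0.2.20", 80),
]


def redirect_chains(records, window=5.0):
    """Pair each 3xx response with the next request from the same client
    to a different host within `window` seconds.

    Returns (client, from_host, to_host, landing_url) tuples. A redirect
    that stays on the same host (e.g. HTTP -> HTTPS) is not reported.
    """
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["src"]].append(r)

    chains = []
    for src, recs in by_src.items():
        for i, r in enumerate(recs):
            if not 300 <= r["status"] < 400:
                continue
            from_host = urlsplit(r["url"]).hostname
            for nxt in recs[i + 1:]:
                if nxt["ts"] - r["ts"] > window:
                    break
                to_host = urlsplit(nxt["url"]).hostname
                if to_host != from_host:
                    chains.append((src, from_host, to_host, nxt["url"]))
                    break
    return chains


def beacon_candidates(flows, min_flows=4, max_cv=0.1):
    """Group flows by (src, dst, dst_port) and report groups whose
    inter-arrival times are nearly constant: coefficient of variation
    (stdev / mean) at or below `max_cv`, with at least `min_flows` flows.

    Returns ((src, dst, dst_port), mean_interval_seconds) tuples.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)

    candidates = []
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            candidates.append((key, round(m, 1)))
    return candidates


if __name__ == "__main__":
    for src, frm, to, url in redirect_chains(HTTP_RECORDS):
        print(f"{src}: redirected from {frm} to {to} ({url})")
    for (src, dst, port), interval in beacon_candidates(FLOW_RECORDS):
        print(f"{src} -> {dst}:{port} every ~{interval}s")
```

In the constructed data the first check reports the client that was sent from news.example.com to login-verify.example.net and stays quiet on the intranet HTTP-to-HTTPS redirect; the second flags the once-a-minute connections from 10.0.0.5 and ignores the irregular browsing from 10.0.0.7 and the two-flow group that is below the minimum. Both thresholds (`window`, `min_flows`, `max_cv`) are tuning knobs, and legitimate software updaters also beacon on fixed intervals, so the output is a review queue for an analyst, not a verdict.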
Many enterprises are recognizing the value of looking inside their network for signs of cyber threats. They are beginning to use big data systems to analyze events and activities, and this requires access to the right metadata. Gigamon aims to be the provider of the highest fidelity source of network traffic metadata for the security market. This allows the security tool vendors to leave the data gathering and formatting to Gigamon while they focus on algorithms and analytics that pinpoint malicious activity on the network.