While NetOps and SecOps teams have different responsibilities and corporate mandates, they’re both responsible for the same network and share a common goal – a secure, high-performing network that supports business goals and provides positive user experiences. But despite this commonality, you’ll rarely find these two groups collaborating. As a result, they waste budget buying duplicate tools, which translates into duplicate training and instrumentation, increased overhead on the network, siloed work environments, and much more.
As NetOps teams rely more and more on comprehensive network performance monitoring and diagnostics (NPMD) solutions to gain visibility across multi-vendor, multi-fabric, and multi-cloud environments, there’s an opportunity for SecOps to more closely align and take advantage of the information being monitored by NetOps teams. Here are some ways that can happen:
Sharing Configuration Tools
The same tools that NetOps uses to ensure internal company configuration standards are enforced can also be used by SecOps teams to satisfy PCI DSS Requirement 2.2. This requirement obliges SecOps to develop configuration standards for all system components that address known security vulnerabilities. If it isn't met, networks can be left open and vulnerable to attack. But with the help of the Network Configuration Automation or Policy-Based Automation solution already used by their NetOps counterparts, SecOps can satisfy this requirement. In addition to the rules NetOps inserts to check policy compliance on items like interface descriptions and naming conventions, SecOps can add rules that check device hardening standards, such as eliminating default passwords and turning off unneeded services.
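To make the shared-tool idea concrete, here is an added example (not code from the article or from any configuration-automation product) that runs NetOps-style standards checks and SecOps-style hardening checks over one device configuration. The config excerpt, the hostname convention, the list of default secrets and the list of unneeded services are all constructed for the example; a real policy would come from the organisation's own configuration standard and the vendor hardening guide.

```python
"""Policy checks over a device configuration, mixing NetOps naming/description rules
with SecOps hardening rules. Added example; the config and policy are constructed."""
import re

# Constructed running-config excerpt in an IOS-like syntax; not taken from a real device.
SAMPLE_CONFIG = """\
hostname core-sw01
enable password cisco
service tcp-small-servers
ip http server
interface GigabitEthernet0/1
 description Uplink to dist-sw01
interface GigabitEthernet0/2
 ip address 10.0.2.1 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

# Hypothetical policy. A real one would be derived from the organisation's configuration
# standard and the vendor hardening guide referenced by PCI DSS Requirement 2.2.
HOSTNAME_PATTERN = re.compile(r"^(core|dist|acc)-(sw|rtr)\d{2}$")
KNOWN_DEFAULT_SECRETS = {"cisco", "admin", "password"}        # constructed list
UNNEEDED_SERVICES = {"service tcp-small-servers", "service udp-small-servers", "ip http server"}
SECRET_LINE = re.compile(r"^enable (?:password|secret)(?: \d)? (\S+)$")


def parse_interfaces(config_text):
    """Map each interface name to its indented child lines."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None          # left the interface stanza (e.g. "line vty 0 4")
    return interfaces


def check_config(config_text):
    """Return (category, message) findings; an empty list means the config is compliant."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        # NetOps standard: hostnames follow the site naming convention.
        if line.startswith("hostname "):
            name = line[len("hostname "):].strip()
            if not HOSTNAME_PATTERN.match(name):
                findings.append(("standards", f"hostname '{name}' violates naming convention"))
        # SecOps hardening: no vendor default secrets, no unneeded services, no cleartext mgmt.
        m = SECRET_LINE.match(line)
        if m and m.group(1).lower() in KNOWN_DEFAULT_SECRETS:
            findings.append(("hardening", "enable password is a known default value"))
        if line in UNNEEDED_SERVICES:
            findings.append(("hardening", f"unneeded service enabled: {line}"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(("hardening", "cleartext telnet permitted on a vty line"))
    # NetOps standard: every interface carries a description.
    for name, children in parse_interfaces(config_text).items():
        if not any(c.startswith("description ") for c in children):
            findings.append(("standards", f"interface {name} has no description"))
    return findings


if __name__ == "__main__":
    for category, message in check_config(SAMPLE_CONFIG):
        print(f"[{category}] {message}")
```

Both teams consume the same finding list; the only difference is which categories each team owns and remediates. Because the checks are plain string and regex rules, the hardening rules can be added to an existing NetOps rule set without a second tool.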
Go with the NetFlow
NetFlow allows you to collect information from IP traffic and is extremely valuable when analyzing traffic flows: where traffic comes from, which direction it travels, and how much of it is being generated. It also helps NetOps understand and manage bandwidth usage. Each record includes source and destination IP addresses, source and destination ports, type of service (ToS), utilization and even application names, all of which help NetOps manage and monitor the network for troubleshooting, policy routing verification, and capacity planning. This lets the network team be more efficient with resources and solve problems faster, resulting in a better end-user experience.
SecOps can also use NetFlow data to mine for anomalous traffic for intrusion and exfiltration detection. With comprehensive visibility and data from an NPMD solution, these teams can identify any unusual increase in the volume or velocity of traffic that could indicate a security threat to the network, and potentially prevent an attack. Understanding the traffic flows also helps SecOps identify security checks that may need to be enabled. The NetOps team can generally use the same NPMD tools to receive reports on the NetFlow data, particularly if predictive analytics are included. But if for some reason sharing tools is impossible, the teams can use a packet replicator such as Samplicator, or a commercial equivalent, to send the same NetFlow exports to multiple collectors. That way each team can pick its preferred solution.
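The "unusual increase in volume or velocity" check above is simple to express against flow records. The following is an added example (not code from the article or any NPMD product) that aggregates constructed NetFlow-style records per source host and per one-minute window, then flags a window whose byte count or flow count is both above an absolute floor and several times that host's own median from earlier windows. The host addresses, thresholds and traffic pattern are all constructed.

```python
"""Baseline-relative volume and velocity alerts over NetFlow-style records.
Added example; the flow records and thresholds are constructed."""
from collections import defaultdict
from statistics import median

WINDOW = 60  # seconds per aggregation window


def build_sample_flows():
    """Constructed flow records (ts, src, dst, dport, bytes): five quiet minutes for three
    hosts, then in minute 5 one host pushes 6 MB to an outside address (volume anomaly)
    and another host touches 40 ports on one server (velocity anomaly)."""
    flows = []
    for minute in range(6):
        ts = minute * WINDOW
        for src in ("10.0.1.5", "10.0.1.7", "10.0.1.9"):
            flows.append((ts, src, "10.0.0.10", 445, 50_000 + 1_000 * minute))
            flows.append((ts + 30, src, "10.0.0.53", 53, 300))
    flows.append((5 * WINDOW + 10, "10.0.1.5", "203.0.113.9", 443, 6_000_000))
    for port in range(1, 41):
        flows.append((5 * WINDOW + 20, "10.0.1.9", "10.0.0.20", port, 60))
    return flows


def aggregate(flows, window=WINDOW):
    """Per source host, per window: total bytes (volume) and number of flows (velocity)."""
    stats = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "flows": 0}))
    for ts, src, _dst, _dport, nbytes in flows:
        bucket = ts // window
        stats[src][bucket]["bytes"] += nbytes
        stats[src][bucket]["flows"] += 1
    return stats


def detect_anomalies(flows, min_history=3, ratio=5.0, floor=None):
    """Alert when a host's window exceeds `ratio` times its own median of earlier windows
    and also exceeds an absolute floor (so tiny hosts do not alert on noise).
    Median is used as the baseline so that one earlier burst does not mask the next one."""
    floor = floor or {"bytes": 1_000_000, "flows": 20}
    alerts = []
    for src, buckets in aggregate(flows).items():
        history = {"bytes": [], "flows": []}
        for bucket in sorted(buckets):
            for metric in ("bytes", "flows"):
                value = buckets[bucket][metric]
                if len(history[metric]) >= min_history:
                    baseline = median(history[metric])
                    if value >= floor[metric] and value > ratio * baseline:
                        alerts.append({"src": src, "window": bucket, "metric": metric,
                                       "value": value, "baseline": baseline})
                history[metric].append(value)
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(build_sample_flows()):
        print(f"window {a['window']}: {a['src']} {a['metric']}={a['value']} "
              f"(baseline {a['baseline']})")
```

The same aggregation feeds both teams: NetOps reads the per-host byte totals for capacity planning, while SecOps reads the alert list. If the flows are replicated to two collectors instead, each side can run its own version of this logic on identical input.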
The Power of Packets
NetFlow isn’t the only valuable data source for both NetOps and SecOps. Today’s comprehensive NPMD solutions gather another data source that is immensely important to both teams: packet data (to be clear, comprehensive NPMD solutions also gather IPFIX, SNMP, API data, and more). For NetOps, packet capture and analysis provide insight into how the network is performing at a granular level, which helps network engineers identify, isolate, and solve problems faster. SecOps can use this same packet data for comprehensive forensic assessments. For instance, if there were a network breach, SecOps teams could take the packet data collected by an NPMD solution to try to isolate the origin of the breach. Or there could be an issue with TCP session hangs on some application(s). Using the packet capture, decode, and correlation features of an NPMD system to compare packet captures taken at multiple points along the packet path, the NetOps and SecOps teams may find a firewall is resetting the TCP connection due to a misconfiguration.
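The firewall-reset scenario is a good illustration of why captures from more than one point matter: a single capture shows a RST arriving, but only comparing captures on both sides of the firewall shows where it came from. The following added example (not code from the article or any NPMD product) takes constructed packet summaries from two taps, one on the client side and one on the server side of an assumed firewall, and decides for each session whether a RST came from an endpoint, was injected between the taps, or was dropped between the taps. The tap names, addresses and packets are all constructed.

```python
"""Localize a TCP reset by correlating captures from two taps on either side of a firewall.
Added example; tap layout and packet summaries are constructed."""
from collections import defaultdict

# Taps listed in path order from the client side to the server side (assumed layout).
TAPS = ("client_tap", "server_tap")

# Constructed packet summaries: (tap, ts, src, sport, dst, dport, flags, seq).
SAMPLE_PACKETS = [
    # Session A: handshake completes, then a RST "from the server" shows up only at client_tap.
    ("client_tap", 1.000, "10.0.1.5", 51000, "10.0.2.8", 8443, "S", 1000),
    ("server_tap", 1.001, "10.0.1.5", 51000, "10.0.2.8", 8443, "S", 1000),
    ("server_tap", 1.002, "10.0.2.8", 8443, "10.0.1.5", 51000, "SA", 5000),
    ("client_tap", 1.003, "10.0.2.8", 8443, "10.0.1.5", 51000, "SA", 5000),
    ("client_tap", 31.000, "10.0.2.8", 8443, "10.0.1.5", 51000, "R", 5001),
    # Session B: the server really does reset, and both taps see the same segment.
    ("client_tap", 2.000, "10.0.1.7", 51001, "10.0.2.8", 8443, "S", 2000),
    ("server_tap", 2.001, "10.0.1.7", 51001, "10.0.2.8", 8443, "S", 2000),
    ("server_tap", 2.002, "10.0.2.8", 8443, "10.0.1.7", 51001, "R", 0),
    ("client_tap", 2.003, "10.0.2.8", 8443, "10.0.1.7", 51001, "R", 0),
]


def session_key(pkt):
    """Direction-independent 4-tuple so both halves of a flow land in one bucket."""
    _tap, _ts, src, sport, dst, dport, _flags, _seq = pkt
    return tuple(sorted([(src, sport), (dst, dport)]))


def localize_resets(packets, taps=TAPS):
    """Return {session_key: [verdict, ...]}, one verdict per distinct RST segment."""
    by_session = defaultdict(list)
    for pkt in packets:
        by_session[session_key(pkt)].append(pkt)
    report = {}
    for key, pkts in by_session.items():
        # The client is whoever sent the bare SYN; this fixes the direction of the path.
        client = next((p[2] for p in pkts if p[6] == "S"), None)
        # One RST segment may be captured at several taps: identify it by direction and seq.
        seen_at = defaultdict(set)
        for tap, _ts, src, sport, dst, dport, flags, seq in pkts:
            if "R" in flags:
                seen_at[(src, sport, dst, dport, seq)].add(tap)
        verdicts = []
        for (src, sport, dst, dport, seq), taps_seen in seen_at.items():
            # Order the taps along the RST's own path; `first` is nearest its claimed sender.
            path = list(taps) if src == client else list(reversed(taps))
            first, last = path[0], path[-1]
            if first in taps_seen and last in taps_seen:
                origin = "endpoint"                 # travelled the whole path: sender is real
            elif last in taps_seen:
                origin = "injected_between_taps"    # never passed the sender-side tap
            elif first in taps_seen:
                origin = "dropped_between_taps"     # sent, but never reached the far tap
            else:
                origin = "unknown"
            verdicts.append({"origin": origin, "rst_from": f"{src}:{sport}",
                             "seq": seq, "seen_at": tuple(sorted(taps_seen))})
        report[key] = verdicts
    return report


if __name__ == "__main__":
    for key, verdicts in localize_resets(SAMPLE_PACKETS).items():
        for v in verdicts:
            print(key, v)
```

Session A's RST carries the server's address but was never seen at the server-side tap, so something between the taps (the firewall, in this layout) generated it; session B's RST is visible at both taps and is the server's own. Matching on sequence number rather than on timestamps avoids false matches when clocks on the two capture points are not synchronized.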
Some Final Features to Consider
Additionally, SecOps can take advantage of network traffic reports generated by NPMD solutions. For example, deep packet inspection reports help SecOps identify attacks on known vulnerabilities by protocol, port, and other specific packet signatures. Furthermore, with the advanced flow visualizations in NPMD platforms, SecOps can easily see anomalous traffic of unusual velocity and volume, which allows them to spot digital asset exfiltration or other malicious activity.
NetOps and SecOps are often thought of as “frenemies,” but the reality is they have more in common than one might think. They often rely on the same data sources to ensure network performance and security meet corporate standards. With a little bit of cross-team pollination, both teams can share key data that helps streamline operations and free up resources for other critical infrastructure projects. Are you on a NetOps or SecOps team and sharing information with the other? If so, I’d love to hear about how you’re doing it in the comments below.