Network visibility and Network Detection and Response (NDR) solutions are deployed to collect, view and analyze network activity to detect suspicious and malicious activity on the network. The majority of these solutions are built to move data from a collection point (or sensor) to a central repository for analysis. This approach has several downsides including issues of scale, performance, cost and accuracy (false positives). All of these problems can be overcome by solutions that perform traffic analysis at source in a distributed manner.
Problems with a centralized approach to network security
In a centralized approach, packet sensors connect to the enterprise network to monitor network traffic and send the collected data to a centralized server for analysis. The central server is typically in the cloud but can also be a database and analytics server within the customer premises. The first problem with this approach is that it duplicates the traffic within the network since all collected data must be moved by the central server for analysis. This is costly due to the impact on the network, the size of central database and the cost of analysis.
To overcome the cost of packet data replication, most solutions reduce the data sent to the central server. Instead of sending the full network packet, they send extracted data in the form of metadata or NetFlow. This creates a second problem, where the analysis is working on limited information, which leads to inaccuracy and lack of true forensic information for the security analyst to review when there is a detection of suspicious or malicious traffic. While the reduction of information helps to reduce the cost of the network data transfer, it still requires a large central database and analysis engine, which does not address the cost issue completely. It may work in small networks, but as the enterprise grows to thousands of hosts and many Gigabits of aggregate network data per second, the cost of storing the metadata or NetFlow is significant.
A third problem is how a centralized analysis engine works with network segmentation, micro segmentation and overlapping IP Addresses. Once collected to a central analysis engine, additional information is required, which adds complexity to maintain the system and create accurate analysis.
The solutions that tout a centralized approach speak to the value of an analysis engine that can detect similar problems in multiple locations of the network. However, network analysis is about communication between a client and a server. There is really no value in where the data is analyzed, as long as sensors are deployed at the key collection points.
Due to the cost of the centralized approach, network visibility has usually been deployed only at the edge of the network. This leaves a void for internal network visibility that can detect the actions of compromised hosts after a breach. In fact, according to the Cybersecurity and Infrastructure Security Agency (CISA), one of the top misconfigurations in cybersecurity is insufficient internal network monitoring.
A distributed approach to network security
In a distributed approach, a sensor is placed within the network to collect and analyze network packets to detect threats and malicious activity on the network, just as sensors are required in the centralized approach. However, in this case, the analysis is performed within the sensor, at the source of the collection, and not moved to a central server.
There are several advantages of this approach:
- First, the full packet and network communication can be used for the analysis. It is not limited to metadata or NetFlow, which leads to improved accuracy and much better forensics for security analysts. It also reduces the cost of the solution since there is no need to duplicate the traffic.
- Second, the cost can scale with the growth of the enterprise as sensors can be added as the business grows. In both the centralized and distributed methods, additional sensors are required with growth, however, with a distributed approach, organizations only need to add sensors and not expand the size of the central database to accommodate more hosts and network data. Growth of the enterprise into the cloud can be accommodated in a similar manner.
- Third, since the data is analyzed at the source, complications of network and micro segmentation are handled without the need to add complex configurations, as required by the centralized approach.
While analysis is performed in a distributed manner, these distributed solutions still collect all suspicious and malicious detections in a single server to allow the analysts to work from a single workflow. This collection of detected outcomes is significantly smaller than collecting all data required as the input to the analysis engine. Any benefit claimed for a centralized analysis approach is still achieved by these solutions as the outcomes are collected in a central workflow for security analysts.
Analytics at the source is more authentic
To further unpack the benefits of a distributed approach, IT organizations today can invest in comprehensive solutions for advanced NDR based on scalable Deep Packet Inspection (DPI). This strategy delivers adaptable network instrumentation, extending comprehensive full packet-level visibility at the source across diverse network infrastructures, including on-prem, virtual and hybrid cloud environments.
This robust visibility enabled by a distributed approach is a more authentic way for IT teams to detect threats and enact efficient incident response. That is because analytics at the source investigates the communication directly between a client and a server. Rather than shipping metadata to another source, teams work with full packets instead of extracting limited data and copying it to a cloud-based analysis engine. Because of that, this method of data analysis is more straightforward, resulting in a more truthful and accurate analysis.
This multifaceted, distributed approach to network analytics at the source also enables real-time threat detection using targeted machine learning (ML) techniques. This approach can also use multidimensional threat detection methods such as Indicators of Compromise (IoCs), policies, signatures and detection of specific protocols or applications detection to ensure comprehensive network security coverage.
In the end, to realize comprehensive network protection, IT organizations need to invest in new technologies that offer instant analysis at the source of packet capture. Doing so allows for more thorough and honest detection that minimizes potential network damage. By analyzing full network packets directly, IT organizations can gain comprehensive insight into both legitimate and nefarious network traffic without delays, enabling more accurate threat detection and forensic analysis in real-time. Taking a distributed approach will ultimately enable IT organizations to more accurately identify vulnerabilities and threats, ensuring more robust and scalable network security coverage so organizations can be prepared for future attacks at a moment’s notice.