Network Visibility and its impact on Overall Enterprise Security
DarkSniper White Paper
July 22, 2021
Enterprises care a great deal about their security posture, since it has a strong influence on their overall business continuity and market reputation. As such, enterprises try their best to maintain strong security measures by adopting various frameworks, policies, solutions and tools, to name a few.
Examining this security dilemma in more depth, with the purpose of figuring out the main drivers for attaining a strong security posture, reveals that full network visibility is what shows where the enterprise actually stands and what its security level is.
What do field experts say about this dilemma?
The 2020 SANS Network Visibility and Threat Detection Survey, conducted by the SANS Institute¹, reveals that 57% of survey participants believe that a lack of network visibility poses a high or very high risk to their business operations.
The survey shows that only 38% of respondents say they have high or very high confidence in their ability to discover all of the devices connected to their network and to track their health status.
This outcome is a bit scary, as it clearly shows that most organizations do not have a full picture of their network, which directly impacts their security posture and leaves them at high potential risk.
The situation gets even worse when we examine visibility in terms of communication flow: external-to-internal (north-south traffic) and within-network communications (east-west traffic). Only 17% of respondents have high visibility into their east-west traffic. This reveals that enterprises have low visibility of their internal communication flow, leaving room for security breaches and threats originating from internal sources. The lack of visibility of internal traffic flow may be a reason for, and a better explanation of, the fact that the majority of breaches and threats come from within the enterprise network (need figure). Such a result is a red signal of high risk and of the need to strengthen security in this area.
Low confidence in network visibility among the majority of respondents leads to another expected consequence: becoming a victim of a security breach or threat. As shown in the opposite chart, more than 64% of respondents confirmed being affected by at least one successful attack within the last year.
This clearly implies that without full visibility of your network, you are left with a high tendency of being affected by an attack or breach.
How DarkSniper Achieves a Good Level of Visibility
DarkSniper focuses on getting the full picture of the network in order to attain a high level of visibility. It pays particular attention to internal communication (east-west traffic), with the objective of giving clear and in-depth insight. To this end, DarkSniper collects logs from different network components (access switches, core switches, firewalls, web proxies, servers, etc.) and analyzes them automatically and intelligently. It consists of three main parts:
• Log Collectors
• Sensors
• Main Appliance/Brain
Sensors are deployed across the network to collect logs from a specific network segment and forward them to the main Log Collectors. They may not be needed for small networks with a limited number of IPs. However, Sensors can be dedicated to different purposes based on the complexity of the network: for example, one sensor for web servers/proxies, one for DMZ zones, and others for firewalls or for organization branches.
Log Collectors are centralized appliances that store all logs for further processing and analysis. These appliances should have a clear structure for storing huge volumes of logs, and storage can be split by domain (Firewall, Switch, VPN, etc.) for faster searching and correlation later on.
The third appliance is the main one; it is responsible for the following roles:
• The only way to interact with the Log Appliance.
• A full and interactive dashboard for security analysts.
• An API/interface to firewalls and core/access switches for blocking or enabling access to IPs/hostnames.
• A configuration interface for all necessary settings of the appliance or network components.
DarkSniper Dashboard Built with a Visibility-Oriented Approach
DarkSniper Dashboard
To make things easy for top management and security professionals, DarkSniper has been built around the concept of simplifying monitoring and management through an interactive dashboard, which brings all details together and shows relevant information graphically for easy tracking and interpretation.
The dashboard provides quick summarized statistics that make it easy and straightforward to derive insights. It provides various summaries of network traffic over a preset duration, top threat types with high occurrence rates, top incidents, port status, top assets at risk, top blocked IPs, and many more.
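To make the architecture and dashboard sections concrete, here is an added illustration (not DarkSniper's own code) of the two roles in one script: the collector bucketing logs per domain (Firewall, Switch, VPN) for separate searching, and the brain computing dashboard counters such as north-south versus east-west traffic and top blocked IPs. The sensor names, log line format, domain mapping and internal address ranges are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict
# Constructed sample log lines (not from any real device), formatted "<source>|<message>".
SAMPLE_LOGS = [
    "fw01|action=block src=203.0.113.7 dst=10.0.1.20 dport=22",
    "fw01|action=allow src=10.0.1.20 dst=10.0.2.15 dport=445",
    "fw01|action=block src=203.0.113.7 dst=10.0.1.21 dport=3389",
    "fw01|action=block src=198.51.100.9 dst=10.0.1.20 dport=22",
    "sw-core1|action=allow src=10.0.2.15 dst=10.0.2.40 dport=139",
    "vpn-gw|action=allow src=192.0.2.44 dst=10.0.3.5 dport=443",
    "fw01|heartbeat ok",  # carries no flow fields; the collector must skip it
]
# Hypothetical sensor-name to storage-domain mapping (the per-domain split described above).
DOMAIN_OF_SOURCE = {"fw01": "Firewall", "sw-core1": "Switch", "vpn-gw": "VPN"}
# Assumed internal address space: a flow with both endpoints inside it is east-west.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse_line(line):
    """Return (domain, record) for a recognised line, or None for unknown sources or formats."""
    source, _, message = line.partition("|")
    m = LINE_RE.search(message)
    if source not in DOMAIN_OF_SOURCE or not m:
        return None
    action, src, dst, dport = m.groups()
    return DOMAIN_OF_SOURCE[source], {"action": action, "src": src, "dst": dst, "dport": int(dport)}

def direction(src, dst):
    """Classify a flow as east-west (internal to internal) or north-south (crosses the edge)."""
    internal = lambda ip: any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    return "east-west" if internal(src) and internal(dst) else "north-south"

def collect(lines):
    """Log-collector role: bucket parsed records by domain so each can be searched on its own."""
    store = defaultdict(list)
    for domain, record in filter(None, map(parse_line, lines)):
        store[domain].append(record)
    return store

def dashboard(store):
    """Brain role: the summary counters a visibility dashboard would render."""
    by_direction, blocked_ips, blocked_ports = Counter(), Counter(), Counter()
    for record in (r for records in store.values() for r in records):
        by_direction[direction(record["src"], record["dst"])] += 1
        if record["action"] == "block":
            blocked_ips[record["src"]] += 1
            blocked_ports[record["dport"]] += 1
    return {"traffic_by_direction": dict(by_direction), "top_blocked_ips": blocked_ips.most_common(3),
            "top_blocked_ports": blocked_ports.most_common(3)}
```

Running `dashboard(collect(SAMPLE_LOGS))` on the constructed lines reports four north-south and two east-west flows, which is exactly the per-direction breakdown the survey above says most enterprises lack.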