East-West Visibility: Seeing the Peripheral Threats
April 16, 2015
East-west visibility refers to the ability to see traffic or malicious activity that is contained within your network. After an internal or external attacker has gained access to your network, seeing, detecting and tracking their actions is paramount to reducing the likelihood of exfiltration of data. The need to gain visibility has become apparent as traditional defenses alone are unable to keep pace with attackers. From phishing emails to zero-day exploits on your perimeter, attackers are looking for ways to breach the traditional defenses and move from east to west in your organization.
Home alarm companies recommend the same methodology and encourage customers to install a motion detector inside their home. This allows for detection if perimeter defenses (door and window alarms) are bypassed. For a better understanding of east-west visibility and how your organization can benefit, a foundational understanding of the technologies available in the market is required.
Network tools that detect east-west traffic are separated into three primary categories; bump-in-the wire inspection, firewall and flow. Each with distinct use cases and advantages, organizations use these technologies provide a view into systems to identify internal threats traversing the network.
Bump-in-the wire inspection based technologies are considered your traditional intrusion detection (IDS) or prevention (IPS) devices. As these devices are deployed in strategic locations throughout your network, visibility is gained based on the signatures enabled. In-line devices have the ability to block malicious traffic as it traverses your network and both IDS and IPS devices are capable of inspecting asymmetric traffic flows. As the technology has matured, the term “next generation” (NG) has been added to several solutions. NGIDS/NGIPS provide additional capabilities based on an understanding of application, identity and behavior. However, these devices are limited by tuning and the signatures available within the solution.
While traditionally used for network segmentation, firewalls now have the ability to enable basic IDS/IPS functionality through the use of next generation features. It should be noted that there is a distinct difference between the feature sets in NGFW and NGIPS. NGFWs have capabilities such as the ability to act as a traditional firewall and the ability to perform network address translation. When an organization seeks to gain an enhanced level of visibility through the deployment of either solution, network design and use cases should be researched to make the appropriate choice. While both solutions provide an additional level of protection through the use of application visibility and blocking, these devices have similar limitations, as signatures are required to block malicious traffic.
Flow based technologies are becoming more popular today due to the amount of information that can be gained. These technologies are often utilized by network and performance monitoring teams in addition to security, creating a strong value proposition for the organization. Seeing more traffic than tap or firewall technologies, this technology is unable to provide blocking and is generally considered a visibility tool. With many popular SIEM solutions now accepting flows, this data can be used to augment detection capabilities as well.
As industry needs have shifted, we have begun to see a focus on providing analytics on endpoint devices and less of a focus on technologies such as anti-virus. Endpoint technologies providing east-west visibility correlate a local device’s network, file and memory activity against other devices on the network, to provide a method of following the attack chain between devices. Files can be seen traversing the network and traced back to originating sources. Providing a highly detailed view of the enterprise, these solutions require endpoint agents and often compete with budget against traditional anti-virus technologies.
Some endpoint solutions position themselves to be hybrid devices due to their ability to see and correlate network traffic with data from the endpoint. This occurs through the deployment of a framework that consists of endpoint and network based technologies. While some manufacturers provide both endpoint and network technologies, others have formed partnerships with existing network solutions. Leveraging partnerships, cost can be reduced in environments that have existing network solutions in place. Providing all the features of endpoint and network solutions, hybrid solutions can be an excellent fit for organizations looking to move towards a framework model to gain east-west visibility.
Gaining east-west visibility should be considered a strategy conversation and not approached as if purchasing a single point solution. Each organization will encounter different architectural challenges and considerations that will impact the success of the solution. In my second post of this series we will discuss virtualization, common use cases, considerations and architecture.