Revolutionising Network and Security Operations: Five ways to optimise NetOps and SecOps

The more important IT becomes for a company's success, the more data is generated and processed, and the more complex, and thus harder to oversee, the IT landscape becomes, the greater the threat that cybercrime poses. This is one reason why many flow-based solutions have placed an increasing focus on security in recent years: systems originally developed for NetOps are increasingly being used in the security environment. However, this also means that both NetOps and SecOps skills are required to make the best use of such tools. Without a deep knowledge of networks and traffic, flow-based tools cannot be used efficiently for security purposes. In other words, NetOps and SecOps must at least work together; ideally, they form one team and face new challenges jointly. Here are five ways IT teams can optimise an IT network for NetOps and SecOps.

1. Choose the right software

The complexity and scope of many IT environments require proven experts, both for the network and for security. A holistic approach, which is necessary to exploit synergies and reduce redundancies, additionally requires experienced generalists. Unfortunately, qualified personnel are a scarce and expensive resource. Part of the solution lies in the right software: systems that capture, contextualise and evaluate relevant information across divisions, reveal interrelationships and enable advanced root cause identification. But new software also means increased complexity, additional configuration effort and additional cost. To keep these negative implications as low as possible, careful evaluation is necessary before anything is bought.

2. Conduct traffic analysis 

For both NetOps and SecOps, analysing data flows via flow records or packet capture is an essential part of their operations. Packet capture tools have been in use since the late 1980s (tcpdump was first released in 1988) and gained a graphical counterpart with Ethereal, today's Wireshark, in 1998; they read packets off the wire to monitor traffic, detect and fix problems, identify security threats, and optimise network performance and capacity. In the late 1990s, Deep Packet Inspection (DPI) was developed as a method to examine packets down to the application layer. While header-level analysis (addresses, ports, protocol, packet sizes) primarily serves performance monitoring, DPI also inspects the payload and can therefore match malware or exploit signatures inside a packet, making it a natural security tool. Its limit is encryption: inside TLS a DPI engine sees only opaque ciphertext unless the traffic is decrypted at a proxy, so header and flow data remain important even where DPI is deployed.
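To make the difference between the two views concrete, here is an added example (not code from the article or from any product it describes) that builds an IPv4/TCP packet inline, extracts the header-level facts a flow or performance tool would see, and then runs a DPI-style payload match. The signature table, the hosts and the packet contents are constructed for the demonstration; the second packet mimics a TLS application-data record to show that the same header view survives while the payload yields nothing.

```python
"""Header-only view versus deep packet inspection of a constructed packet.

Added example, not from the original article. The packets are built inline
with struct; the signature table is a made-up illustration, not a real ruleset.
"""
import struct
import socket

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP = struct.Struct("!HHIIBBHHH")       # 20-byte TCP header, no options

# Hypothetical payload signatures; real DPI engines carry thousands.
SIGNATURES = {
    "php-webshell-eval": b"eval(base64_decode(",
    "http-basic-auth-cleartext": b"Authorization: Basic ",
}


def build_packet(src, dst, sport, dport, payload):
    """Construct IPv4/TCP bytes (checksums left zero; the parser never needs them)."""
    tcp = TCP.pack(sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # data offset 5, PSH|ACK
    ip = IPV4.pack(0x45, 0, IPV4.size + TCP.size + len(payload), 0, 0, 64, 6, 0,
                   socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_headers(pkt):
    """The header-level view: 5-tuple and sizes, nothing of the application data."""
    ver_ihl, _, total_len, _, _, _ttl, proto, _, src, dst = IPV4.unpack_from(pkt, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError(f"example handles TCP only (proto={proto})")
    sport, dport, _, _, off, flags, _, _, _ = TCP.unpack_from(pkt, ihl)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "bytes": total_len, "tcp_flags": flags,
        "payload_offset": ihl + (off >> 4) * 4,
    }


def inspect_payload(pkt, hdr):
    """The DPI step: match application-layer signatures against the bytes after the headers."""
    payload = pkt[hdr["payload_offset"]:]
    return {"payload_len": len(payload),
            "hits": [name for name, pat in SIGNATURES.items() if pat in payload]}


def analyse(pkt):
    hdr = parse_headers(pkt)
    return hdr, inspect_payload(pkt, hdr)


# Constructed traffic: a plaintext HTTP POST carrying a webshell-style command ...
HTTP_POST = build_packet("10.0.0.5", "203.0.113.7", 51515, 80,
    b"POST /upload.php HTTP/1.1\r\nHost: example.test\r\n\r\ncmd=eval(base64_decode('aGk='));")
# ... and a stand-in TLS application-data record on 443: the 5-tuple is still visible,
# but the bytes after the record header are opaque to a signature match.
TLS_RECORD = build_packet("10.0.0.5", "203.0.113.7", 51516, 443,
    b"\x17\x03\x03\x00\x20" + bytes(range(0x60, 0x80)))

if __name__ == "__main__":
    for name, pkt in (("http", HTTP_POST), ("tls", TLS_RECORD)):
        hdr, dpi = analyse(pkt)
        print(name, hdr["src"], "->", hdr["dst"], hdr["dport"], dpi)
```

Running it shows the point of the paragraph: both packets produce an identical kind of header record (source, destination, port, byte count), but only the plaintext HTTP packet produces a signature hit. Anything that matters for security only in the payload is invisible to the header view, and anything inside TLS is invisible to DPI as well unless it is terminated and decrypted first.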

NetFlow was also developed in the late 1990s (introduced by Cisco in 1996). Like header-level packet analysis, it records addresses, ports, protocol and byte and packet counts, but aggregated per flow rather than per packet, and the records are generated by the network device itself (router, switch, firewall). In contrast to packet capture, not every data stream to be monitored has to be routed via a mirror port or an external appliance; this avoids bottlenecks in the network, which benefits performance, at the price of never seeing the payload. NetFlow being the first and best-known variant, the term is usually used as a proxy for flow-based protocols such as jFlow, sFlow or IPFIX (the IETF standard derived from NetFlow v9). Even though NetFlow was originally developed primarily as a monitoring method, security aspects have played an important role from the very beginning: scans, unexpected destinations and volume anomalies are all visible in the flow records alone.
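As an added example (not code from the article or from any collector it describes), the following block decodes a NetFlow v5 export datagram, which is the fixed 24-byte header plus 48-byte records the paragraph alludes to, and then runs a simple security heuristic over the decoded flows: a source that opens SYN-only, single-packet flows to many distinct ports on one host is flagged as a probable port scan. The datagram, the hosts and the 20-port threshold are constructed for the demonstration; the record layout is the standard NetFlow v5 format.

```python
"""Parse a NetFlow v5 export datagram and run a scan heuristic over its records.

Added example, not from the article. The datagram is built inline (no collector,
no network); the "SYN-only, tiny flow, many ports" rule and its threshold are
illustrative choices, not settings of any particular product.
"""
import struct
import socket
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
TCP_SYN = 0x02


def build_v5_export(flows, uptime=100000, unix_secs=1700000000):
    """Construct a v5 datagram from (src, dst, sport, dport, proto, pkts, octets, tcp_flags)."""
    hdr = V5_HEADER.pack(5, len(flows), uptime, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\x00" * 4, 1, 2,
                       pkts, octets, uptime - 5000, uptime - 4000,
                       sp, dp, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, pkts, octets, flags in flows
    )
    return hdr + body


def parse_v5_export(data):
    """Return (header dict, list of record dicts); raise on a malformed datagram."""
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, _sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
        })
    return {"version": version, "count": count, "unix_secs": secs, "sequence": seq}, records


def find_port_scanners(records, min_ports=20):
    """Flag (src, dst) pairs with SYN-only, at most two-packet flows to many distinct ports."""
    ports_seen = defaultdict(set)
    for r in records:
        if r["proto"] == 6 and r["tcp_flags"] == TCP_SYN and r["pkts"] <= 2:
            ports_seen[(r["src"], r["dst"])].add(r["dport"])
    return {k: len(v) for k, v in ports_seen.items() if len(v) >= min_ports}


# Constructed sample: 40 SYN probes from 10.0.0.23 plus two ordinary flows.
SAMPLE_FLOWS = [("10.0.0.23", "203.0.113.10", 40000 + p, p, 6, 1, 60, TCP_SYN) for p in range(1, 41)]
SAMPLE_FLOWS += [
    ("10.0.0.5", "203.0.113.10", 51515, 443, 6, 120, 84000, 0x1B),  # FIN|SYN|PSH|ACK: full session
    ("10.0.0.5", "198.51.100.4", 51516, 53, 17, 2, 180, 0),         # DNS over UDP
]
SAMPLE_EXPORT = build_v5_export(SAMPLE_FLOWS)


def analyse(data=SAMPLE_EXPORT):
    header, records = parse_v5_export(data)
    return header, records, find_port_scanners(records)


if __name__ == "__main__":
    hdr, recs, scanners = analyse()
    print(f"NetFlow v{hdr['version']}: {hdr['count']} records")
    for (src, dst), n in scanners.items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports, SYN only)")
```

Note what the detection never needed: not a single byte of payload. That is the trade-off the paragraph describes. The device exports the flows, the collector sees the whole network without a tap or mirror port, and scans or odd destinations stand out, while anything that is only visible inside the payload is out of reach of a flow tool.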

3. Keep track in real-time!

Flow tools can’t do everything. Many other systems are required both for network operation and for maintaining security and the network does not work without the appropriate infrastructure. Storage systems, servers, as well as applications and services must work and cooperate to provide a reliable overall picture. The same components must also be constantly monitored from a security perspective. In this context, it is important to recognise overarching interrelationships: if an unusually high volume of traffic, an increased processor load on a server and perhaps even a rise in temperature in the server rack can be correlated, this may well be an indication of malware. In order to discover such complex correlations, tools are needed that are capable of bringing together all the different systems, evaluating the data and presenting it clearly for NetOps and SecOps.
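The correlation the paragraph describes (traffic volume, server CPU and rack temperature rising together) is, mechanically, a time-bucketed join of metrics from unrelated systems against each metric's own baseline. The block below is an added example, not code from the article or from any monitoring product: the three metric streams, the one-minute bucket, the ten-bucket baseline and the 3-sigma rule are all constructed choices, and the host and device names are invented.

```python
"""Correlate network, host and environmental metrics in time buckets.

Added example, not from the original article. The three metric streams are
constructed below; bucket size, baseline window and the 3-sigma rule are
illustrative choices, not settings of any particular monitoring product.
"""
from collections import defaultdict
from statistics import mean, pstdev

BUCKET_SECONDS = 60


def bucket(ts):
    """Align a Unix timestamp to the start of its one-minute bucket."""
    return ts - ts % BUCKET_SECONDS


def zscores(samples, baseline_n=10):
    """Per-bucket z-score of each metric against that metric's first baseline_n buckets."""
    per_metric = defaultdict(dict)            # metric -> bucket -> value
    for ts, metric, value in samples:
        per_metric[metric][bucket(ts)] = value
    out = defaultdict(dict)                   # bucket -> metric -> z
    for metric, series in per_metric.items():
        ordered = sorted(series)
        base = [series[b] for b in ordered[:baseline_n]]
        mu, sigma = mean(base), pstdev(base) or 1e-9  # guard a flat baseline
        for b in ordered[baseline_n:]:
            out[b][metric] = (series[b] - mu) / sigma
    return out


def correlated_alerts(samples, threshold=3.0, min_metrics=2):
    """Buckets in which at least min_metrics metrics deviate by >= threshold sigma together."""
    alerts = []
    for b, zs in sorted(zscores(samples).items()):
        hot = sorted(m for m, z in zs.items() if z >= threshold)
        if len(hot) >= min_metrics:
            alerts.append((b, hot))
    return alerts


# Constructed samples: ten quiet minutes, then a traffic and CPU surge from minute 10,
# with the rack temperature climbing more slowly behind it.
T0 = 1_700_000_040  # a multiple of 60, so buckets line up with the sample minutes
SAMPLES = []
for i in range(15):
    ts = T0 + i * 60
    surge = i >= 10
    SAMPLES.append((ts, "switch:uplink_bps", 9_000_000 + i * 1000 if not surge else 95_000_000))
    SAMPLES.append((ts, "server42:cpu_pct", 12 + (i % 3) if not surge else 97))
    SAMPLES.append((ts, "rack7:temp_c", 21.0 + (i % 2) * 0.4 if not surge else 21.0 + (i - 9) * 0.3))

if __name__ == "__main__":
    for b, hot in correlated_alerts(SAMPLES):
        print(f"bucket {b}: {len(hot)} metrics anomalous together: {', '.join(hot)}")
```

With these inputs the first two surge minutes are flagged on traffic and CPU alone, and temperature joins from minute 12 once it has drifted more than three baseline deviations upward. The value of the join is the second half of that sentence: each source on its own would have raised, at most, an isolated threshold alert in a different team's console.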

4. Get the right tools in place

If NetOps and SecOps are to cooperate successfully, they need tools that capture data from disparate systems and integrate other solutions. They also need to alert users as quickly as possible in the event of faults and irregularities and, above all, be easy to use. This role can be filled by overarching IT monitoring tools that can provide responsive basic monitoring while integrating other, more specialised solutions from the network and security domain.

There are two types of solution that collect and evaluate information from other systems. First, there are analysis tools that collect and evaluate very large amounts of data. Their task, however, is not so much to identify problems in day-to-day operations as to perform in-depth, long-term analyses for the sustainable optimisation of IT. Second, there are alert management tools that collect alerts and notifications from various systems and route them to the right people. Here the focus is clearly on day-to-day operations, but they merely manage notifications; they do not correlate the data obtained from the different systems.

5. The importance of collaboration

The increasing complexity of IT systems in large companies has led to the separation of NetOps and SecOps teams, resulting in a limited exchange of information and a lack of coordination. At the same time the threat of cybercrime has grown, making it crucial for these teams to work together as one collaborative unit. The right software is essential to capture, contextualise and evaluate relevant information across divisions, revealing interrelationships and enabling advanced root cause identification. Traffic analysis using flow-based protocols is a key technique for both teams, supporting both the detection of security threats and the optimisation of network performance. To cooperate successfully, NetOps and SecOps need tools that capture data from disparate systems and integrate other solutions; an overarching IT monitoring tool that provides basic monitoring while integrating more specialised solutions from both domains can be the answer to that problem.
