You've heard it before. Network infrastructure and operations teams and information security teams are collaborating more than ever. For my research practice, I've started calling this NetSecOps collaboration.
One reason this collaboration is becoming more common is data. The security team needs network traffic data for one reason or another, and it needs the network team's help in acquiring it. Enterprise Management Associates (EMA) recently published research on NetSecOps collaboration, based on a survey of 366 IT professionals. The survey found that the security team's need to analyze network data is causing increased NetSecOps collaboration in 83% of organizations.
Typically, the network team is happy to oblige, but data sharing can be difficult. Nearly 63% of research participants said they struggle with inconsistent and conflicting data across the two groups, and nearly 57% struggle with data-related, cross-team skill gaps.
"The process of sharing data sometimes works well, and sometimes, it doesn't work well because the security team doesn't have a solid idea of what they're asking for," a network architect with a $15 billion retail company said. "They say, 'Show me data from the web servers.' And I have to ask, 'Which web server because we have a lot? And do you want to see web servers in the cloud or the data center?' Sometimes, it's difficult to communicate with them."
How traffic data is shared with security
About half of network teams give security teams direct access to sources of network data, with about 22% providing role-based access and 28% providing administrative access. This enables security teams to get data on their own. Unfortunately, if they don't know exactly what they're looking for and how to find it, they may still need help from the network team.
Thirty percent of network teams set up their systems so that network data is forwarded automatically to security analysis services. This eliminates some of the communication problems associated with the process. Nearly 19% of organizations require the security team to make individual requests for network data from the network team.
Network packet brokers can facilitate this data sharing. These devices sit inline or out of band, where they aggregate either mirrored or production traffic flows, filter the traffic, add metadata to packets and forward specialized packet flows to an individual analysis tool.
Nearly 90% of the IT professionals who participated in the EMA research said network packet brokers are important to facilitate collaboration between network and security teams. Network teams typically operate them, but they can provide security teams with role-based or administrative access, enabling security to forward whatever traffic they want to their tools.
Packet capture hardware is another important nexus for collaboration. Both network and security teams often maintain their own packet capture resources. For instance, a security analysis tool might have its own integrated packet capture resources. The network team might maintain a large packet capture array that collects data from a larger set of network interfaces so it has a richer set of data for analysis.
Thus, even with its own packet capture resources, the security team still needs the network team's assistance in some cases. For this reason, many organizations are looking at consolidating packet capture resources. The EMA research found that 97% of respondents are interested in at least partially consolidating packet capture resources between network and security teams.
How security teams use traffic data
EMA asked research participants to identify what security teams are doing with the traffic data they pull off the network. More than 69% are feeding traffic to network detection and response or network traffic analysis tools, a new class of security monitoring services that do deep analysis of traffic to identify anomalies and threats.
Nearly 58% of security teams need traffic data to help them with an incident response process. They've detected a security problem, and they need answers from traffic data. More than 55% are doing real-time packet payload analysis. For instance, they're looking for malware in packets, or they're looking for sensitive data that's being exfiltrated from the network.
If your organization is trying to improve NetSecOps collaboration, a good place to start is data. Look for ways to make it easier to share high-quality data between groups, especially in a way that can bridge skill gaps between the two groups.