When we talk about the need for a comprehensive security approach to network monitoring, what we’re really stressing is the importance of a strong relationship between network performance monitoring (NPM) and security monitoring (SM). In fact, the most secure networks implement a risk management strategy to include both NPM and SM because of their similar features. For example, NPM and SM both use key performance indicators (KPI) as a benchmark to provide us with key information that is essential to network performance. Furthermore, NPM’s can provide valuable KPIs to ensure that network and applications meet the required Service Level Agreements (SLAs). Similarly, security monitoring also uses the same KPIs to identify any suspicious activities before they occur. This is the power of integration between NPM and SM.
Gartner’s report states that “network operations and security operations share the common goal of maintaining secure, high-performance network infrastructures.” cPacket Networks recognizes and values the importance of aligning these objectives. In fact, our customers have reaped the benefits of deploying our cClear NPM solution because it provides them with accurate information to make informed decisions based on reliable data. Furthermore, customers benefit from a reduction in cost as well as security control of their networks.
In June of 2017, cPacket Networks announced its integration with Cisco’s Firepower solution to provide an ‘Event 360’ . Let’s discuss the partnership in further detail.
For those of who you unfamiliar with Heartbleed, this is a high level and dangerous security bug that targets a vulnerability in the Open-SSL Crypto library. The result can be disastrous: imagine the catastrophe as millions of private keys, user’s sessions, and passwords are compromised, not to mention the financial damage (we’re talking millions of dollars) that is left after the event has occurred. With Cisco’s Firepower (FMC, NGIPS) security infrastructure deployed in the network, any malicious attempt sends an alert to the Firepower Management Console (FMC). The identification of any security event occurs within milliseconds, as seen in Figure 1. This constitutes the Event Context. The alert contains the standard 5-tuple – source and destination IPs and ports, as well as the name of the protocol. However, it’s important to note that the 5-tuple is incapable of performing a complete analysis of the event.
Figure 1: The beginning: Event Context
For Security Operations (SecOps) to dig deeper into the true nature of the event and determine why it has occurred, they need to obtain relevant data that includes: end point devices that were active during the event, protocols that were running at that time, their relative bandwidth utilizations, as well as determining the exact packet(s) that created the security event. Some of you might be thinking, how can SecOps retrieve all that data? The answer lies in the Immediate Context, seen below in Figure 2, which has a time window measured in seconds, to provide an accurate method of performing a raw packet capture. In addition, assuming the payload is not encrypted, you can also examine the payload to facilitate a deeper analysis of the issue. Now we’re getting closer, right? Not quite. Even though this is valuable information, it’s still incomplete. For example, the data might not provide enough detail to fully understand the true nature of the problem and/or the extent of damage that has occurred. At this point, I’m sure some of you might be speculating if there is an end solution. Not to worry, we’ve got that covered in the next feature: Network Context.
Figure 2 : The middle: Immediate Context and Event Context
It’s imperative to note that timing is the underlying issue with respect to security events. For example, some events present early warning signs that may have occurred several minutes to several hours earlier. In most cases, these events get detected after the fact when damage has already occurred. Examples include: short-lived ‘under the radar’ events, low bandwidth access attempt to connect to a ‘retired’ server IP, events using bursts and micro-bursts to mask an attack on a different part of the network, as well as a full-blown botnet DoS/DDoS attack that can comprise the entire health of the network. Providing NPM KPIs on a per segment basis can help SecOps obtain the Network Context they need to address any questions seen in Figure 3 below. In sum, the most comprehensive solution is one that combines all three contexts: Event Context, Immediate Context, and Network Context.
Figure 3: The Complete Package: Event, Immediate, and Network Context
The Dynamic Duo of Security and Monitoring Integration: cPacket Networks and Cisco Firepower
The powerful integration between cPacket Networks and Cisco’s Firepower product suite (Firepower Management Console and NGIPS) now provides users with an all-in-one solution. As seen in Figure 4 below, cPacket’s cVu network probes and cStor devices are deployed at critical monitoring points in the network. This information is then collected, organized, and centrally managed by a cClear device. Cisco’s Firepower deployment has NGIPS sensors deployed at critical points in the network and is managed by the FMC.
Figure 4: Network diagram of an integrated deployment
cVu: 1G -100G; up to 32 ports per device, cStor: Packet capture and analytics
When a security event is flagged by the NGIPS, an alert is sent to the FMC. The FMC makes REST API calls to cClear to extract PCAPs to get the Immediate Context. SecOps engineers can retrieve valuable information from the cClear dashboard to access the various packet, session and flow KPIs, as well as baselines to obtain the Network Context. Furthermore, SecOps can perform a ‘Google-like’ search of the entire network to determine if any harmful source and/or destination IPs are still present in the network.
Figure 5: Screenshot of Cisco’s FMC
Figure 5 shows a screenshot of the FMC and the three options available. In the Event Context, you can clearly see the 5-tuple that was identified by FMC+NGIPS. The ‘Download PCAP’ link provides the Immediate Context. Clicking on this link will immediately download the relevant packets from all the cStors attached to any cVu, in the 30 second (configurable) window in the Event Context. Next, clicking on the ‘cSearch’ link will enable users to answer relevant questions such as: Is the attack still in progress? What is the extent of the infection? What network segments are affected? Lastly, when a user clicks on the cClear link, this will cross launch to cClear’s NPM dashboard in the window of the event that is configurable from a few minutes to a few hours around the event. By following the above steps, SecOps have the Complete Context and comprehensive monitoring required to investigate any issue in the network.
So, there you have it, a complete, all-in-one solution combining the best of both worlds: network performance monitoring and security monitoring. By sharing a uniform infrastructure, customers will benefit from cost reductions, minimal redundancy, and best of all, an improved end-user experience. Could this be a match made in network performance and security monitoring heaven? We think so.
To learn more about the integration between cPacket’s cClear solution and Cisco Firepower, read our solution brief.