The first step to solving this problem is to understand what we mean by “darkspace” and why every organization with a digital presence should be thinking about these issues. We’ll start there, and then look at a new category of product emerging to help IT and SecOps shed light into the darkspace so they can fight the monsters hiding there.
What Is Darkspace in the Enterprise?
- Encryption: For IT Ops and SecOps teams, the adoption of TLS 1.3 with default perfect forward secrecy can feel like putting on a blindfold when you’re walking through this house of horrors trying to save your customers from the torture of undiagnosable network latency and stealthy attackers.
- Lack of East-West visibility: Many teams just don’t have visibility into the real-time communications on their network. Relying solely on logs is like taking a still photo of each room of the haunted house to see if anyone’s lurking. Real-time east-west visibility is like having live video cameras in every room and corridor.
- Cloud and Hybrid environments: Take that haunted house and make it interdimensional. The cloud introduces new attack vectors and visibility challenges that make it exponentially harder to detect and respond to threats.
How Can Organizations Illuminate These Areas?
A new category of security products is emerging to help our IT Ops and SecOps heroes get the visibility they need to detect and respond to threats hiding in the darkspace. It’s called Network Traffic Analysis (NTA), and several major analyst firms, including Gartner, 451 Research, and EMA, have written with anticipation about this important new category. The fundamental premise of NTA is that by observing and analyzing network traffic in real time, and applying analysis and machine learning, security and IT teams can gain faster, more reliable insights that are unavailable from log analytics and other existing security platforms.
As with the emergence of any new technology or market category, Network Traffic Analysis is having its capabilities refined and its boundaries defined through an organic process involving vendors, analysts, and of course users. The general consensus is that NTA products must go beyond what is available from flow-based products that only see L2-L4 traffic—but outside that, there’s still a lot of progress to be made in defining the slot that NTA will occupy in accelerating mature security operations practices.
Five Questions to Help You Vet Security Vendors
If the network itself is a spooky haunted house, the NTA market is a house of mirrors. Vendors are hopping on the bandwagon and starting to use the term before the boundaries have been cemented, leading to a confusing mishmash of messaging in the market. Here are five questions meant to help you determine whether a self-proclaimed NTA vendor is the real deal, or whether they’re chasing after a shiny object without doing the work.
Question #1: Does It Scale?
Today’s enterprise networks are bigger and more dynamic than ever, with hybrid on-premises and cloud environments, branch offices, and enormous volumes of data. Enterprise scale is necessary for successful network traffic analysis. NTA vendors should be able to conduct analysis at 100 Gbps without impacting the performance of the network. Any less and they risk leaving blind spots behind to be exploited by attackers.
Question #2: Does It Decrypt?
The increasing adoption of TLS 1.3 with perfect forward secrecy is great for security and customer privacy, but it also creates huge blind spots for security and IT ops teams. Some so-called NTA vendors will claim that they can extract enough signal from encrypted traffic to detect advanced threats. Even if so, they have no capability to conduct forensic investigation to enable a confident response. True NTA products must be able to decrypt TLS 1.3 with PFS in order to provide the level of visibility that SecOps teams need for success in detecting and investigating threats and getting the forensic detail needed to act with confidence.
Question #3: Can It Automate Investigations?
Many security platforms spew tickets at an alarming rate, each of which must be manually prioritized and investigated by a human, causing burnout and overload. Automating the right parts of this process so human analysts can focus on what matters is a vital step for infosec as a whole. NTA products need to be able to automate the detection and initial investigation steps so that by the time a human analyst gets involved, they have the data they need to act with confidence. Platforms that spew false positives cost more than they’re worth in the end. Real NTA goes a long way toward solving this challenge.
Question #4: Is the AI/ML Real or Artificial?
There’s a lot of “ML-washing” going on in the industry. Companies calculate a statistic and slap the “machine learning” sticker on their product because it sounds exciting. This creates false confidence and reduces clarity about what products can actually do. Real, predictive machine learning can rapidly provide insights that amplify a SecOps team’s ability to act with confidence. Many companies are hesitant to divulge intellectual property around their ML. This is reasonable, but if they can’t provide a clear, plain-language explanation of how the ML provides value, then they’re out of the running for credible NTA vendors.
Question #5: Does It Solve Real Problems?
The ultimate acid test for any product is whether it solves real problems. Is the vendor focused on solving actual challenges for you, or forcing you into their own workflows and ecosystem? If the NTA vendor can’t draw a clear, bright line from their product to an improvement in performance and value-add for your team, they should be out of the running.
The sophistication of cyber attackers exploiting darkspace in the network will continue to grow and accelerate, increasing the need for true Network Traffic Analysis in the enterprise. That means the coverage and jockeying for position in this emerging market space will continue to heat up for the foreseeable future. Knowing what to look for, and how to get that needed information from prospective vendors, is the best way for enterprises to navigate treacherous waters in the early days of Network Traffic Analysis.