Light Dark
June 30, 2016 By Westley McDuffie 3 min read
Endpoint
Network

Network mapping flat-out stinks — and I would still rather do this than asset inventory. Auto-discovery is now a third-party purchase, and it is, at best, a simple network management protocol (SNMP) manager designed to give you a visual of red and green lights correlating to machines communicating with a device. Unfortunately, it leaves you with many unanswered questions.

Do you know why your domain controller is logging in to other servers? Do you know why servers are talking to other servers, minus a proxy of any sort? There is a better way to find these answers and still keep your network mapping: Use network mapping as the underlay of your communication flows.

Network visibility is part of understanding risk. As always, technology risks are business risks. As security professionals, we do not own the risk, we just manage it. But if we cannot see the network, how do we see the risk?

Network Mapping Is Broken

Honestly, I’m tired of looking at outdated network maps created with a manual networking mapping tool. I’m tired of visiting places and asking for a diagram of the network, only to find out it doesn’t exist or it’s outdated. I cannot fathom not having this information — and a spreadsheet of IP addresses and subnet masks is not a valid substitute. Could would please just get it right for once?

SNMP mapping of a network is fine as a starting point, but it is not what a security practitioner should rely on. There are several limitations to using SNMP: First, it is a snapshot of what is reported; it is not an actual map of who is communicating with whom. You will also need to configure your respective band, or that network segment where you SNMP traffic is located. I see it in two places: the production network and the management network.

The last major piece is the SNMP manager. I am not knocking SNMP managers, but we have to look at the security definition of SNMP: security not my problem. I am aware of the user-based security model (USM) and the transport security model (TSM). When using one of the products, you must configure your security posture to meet the demands of good SNMP hygiene.

Don’t Stumble Blindly Through the Network

While you’re at it, configure your security devices to understand what is the norm. Do you know how much traffic you must weed through to find items that give you actionable content? Don’t sift through SNMP garbage too. As cool as these tools are, they do not provide any security to your organization — they only tell you that your manager is receiving SNMP traps.

You have to see your network to understand it; the more you see, the more you understand. Managers love pictures, but what if you could give them a movie? If a picture is worth a 1,000 words, just think what a movie would provide. I’m talking about a live-action view of what is really happening on the network.

I talked in an earlier blog entry about the fog of war, crystal balls and the ability to see the battlefield. The discussion there was about what network tools tell you versus what you should be seeing. Now we are going a level deeper. Years ago, a couple of products offered a network visual, which was a static map that was created as you created objects. I loved that. Even though it was static, it gave a representation of what was happening in your network. It would have been incredible to make that live-action as well.

More Effective Network Mapping

Now let’s stop the history lesson and get to the present day. What if I could show you on a map what your communication channels actually looked like? What if I could, in real time, show you what your firewall rules looks like? What if you could simulate a change and see what would happen? How about the ability to see your protocol information on segments, the number of clients and who is pushing what to whom?

In the future, do not get rid of SNMP mapping; instead, overlay your flow map over the SNMP map. What does it look like? Does your written policy look like the SNMP map? Does it look like your flow communications map? I bet it doesn’t. Communication flow overlaid a network map will expose when those entities are talking — no more and no less. Your SNMP map shows they are in different enclaves that should not be talking. Does the policy allow this?

The possibilities of what you could fix, implement and change for the better are endless. But you can do damage as well. Bad actors hide in the shadows, and this strategy helps stop hidden communications and expose items we would normally overlook. Combine your network mapping with data from your security information and event management (SIEM) system and feed it from an endpoint management platform — this is how we find problems and diagnose issues.

Knowledge is power. Sharing that knowledge across your organization builds a more robust team, fosters better security posture, reduces response time and increases anomaly detection. Effective network mapping provides an outlet to gain this information and boost the security of the system as a whole.

 |  | 
Westley McDuffie
Security Evangelist, IBM

More from Endpoint
November 28, 2023

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

October 19, 2023

Endpoint security in the cloud: What you need to know

9 min read - Cloud security is a buzzword in the world of technology these days — but not without good reason. Endpoint security is now one of the major concerns for businesses across the world. With ever-increasing incidents of data thefts and security breaches, it has become essential for companies to use efficient endpoint security for all their endpoints to prevent any loss of data. Security breaches can lead to billions of dollars worth of loss, not to mention the negative press in…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature