Why your network security telemetry matters

  • You cannot monitor encrypted data: Encryption removes some of the value of network security monitoring, but far from all of it. Layer 3 (flow) observation and layer 7 observation (the rich metadata that Zeek pulls from handshakes and headers) both keep their value for encrypted traffic; full packet capture of an encrypted payload largely does not.
  • Network monitoring is only an auxiliary control, you need endpoint first: I’ve seen enough environments where this is true. The point is that you need endpoint visibility first, and then NDR to cover the gaps: unmanaged devices, systems that cannot run an agent, and so on.
  • “PCAP or it didn’t happen”: Many years ago, before Bro/Zeek existed and the only choices were flow or pcap, this may have been true. But the reality in 2021 is that you are not saving full packet captures for weeks or months. Perhaps the slogan should change to “Zeek decodes or it didn’t happen.”
  • Network traffic is too expensive to capture: This is not a misconception at all if you see full packet capture as the only option; that would be prohibitively expensive in most modern environments. However, you can get a lot of value from rich L7 metadata, which is much less expensive to collect and store than full packets and far more useful than mere flows.
  • Network data is not helpful in the cloud: Comparatively few people capture and monitor traffic in the cloud today, but interest in doing so is growing rapidly (this is also discussed in depth below).
The cloud versions of these misconceptions sound like this:
  • Everything is locked down and immutable, so why capture traffic?
  • Everything is encrypted, so what’s there to sniff?
  • Cloud logs and the new fancy observability tooling provide visibility, so why sniff traffic?
  • I can do flow logs in the cloud, I don’t need “costly” packets
  • Applications are dynamic and everything changes, so captures become less important over time
Why network telemetry still matters in the cloud:
  • Your main on-premise tool, EDR, may not be available at all (e.g., with containers)
  • Some cloud architectures use essentially flat networks, so NDR is very useful for East/West visibility
  • Cloud API logs are not exhaustive; they can be voluminous or noisy and have inconsistent schemas
  • Cloud network flow logs are shallow (just like their on-premise predecessors)
  • In-app observability for security is not common yet, even if it is coming
  • Given the right cloud context, you can dynamically correlate the IP addresses in network traffic logs (such as Zeek logs) to the Google Cloud Compute Engine instance that held the address at that moment, and so to the event that happened on it; the correlation has to be time-aware, because cloud IP addresses are reassigned
  • Cloud providers now offer robust ways to get at traffic (such as Google Cloud’s Packet Mirroring), so make sure your NDR tool supports these cloud-native mechanisms
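As an added example (not code from the original post or from any product it mentions), the following Python script takes two constructed Zeek ssl.log records and a constructed Compute Engine inventory and does what the bullets above describe: it reads the L7 metadata a TLS session still exposes without decryption (SNI, JA3, certificate validation result) and ties the source IP to the instance that actually held that address when the connection happened. Assumptions: the Zeek log is in JSON form, the `ja3` field comes from the Zeek JA3 package, and the inventory mirrors the `name`, `zone`, `creationTimestamp`, `labels` and `networkInterfaces[].networkIP` fields of `gcloud compute instances list --format=json`, accumulated over time so that earlier holders of a reused IP are still present. All instance names, IPs, JA3 values and timestamps are made up.

```python
import json
from datetime import datetime

# Constructed sample: two Zeek ssl.log records as written with
# LogAscii::use_json=T. Field names follow Zeek's SSL::Info record; `ja3`
# comes from the Zeek JA3 package (assumed loaded). Values are made up.
ZEEK_SSL_LOG = """\
{"ts":1650000000.123,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.128.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","server_name":"updates.example.com","ja3":"e7d705a3286e19ea42f587b344ee6865","validation_status":"ok","established":true}
{"ts":1650000030.5,"uid":"CJ3xTn1c4Zw9TmAE05","id.orig_h":"10.128.0.7","id.orig_p":40022,"id.resp_h":"198.51.100.77","id.resp_p":443,"version":"TLSv12","server_name":"","ja3":"a0e9f5d64349fb13191bc781f81f42e1","validation_status":"self signed certificate","established":true}
"""

# Constructed inventory. Field names mirror `gcloud compute instances list
# --format=json` (assumption); only the fields used below are included. The
# list is assumed to be accumulated over time, so the earlier holder of a
# reused internal IP (10.128.0.7 here) is still present.
ZONE = "https://www.googleapis.com/compute/v1/projects/example-project/zones/"
GCE_INVENTORY = [
    {"name": "vm-web-1", "zone": ZONE + "us-central1-a",
     "creationTimestamp": "2022-04-01T00:00:00+00:00",
     "labels": {"env": "prod", "role": "web"},
     "networkInterfaces": [{"networkIP": "10.128.0.5"}]},
    {"name": "vm-build-3", "zone": ZONE + "us-central1-b",
     "creationTimestamp": "2022-04-14T12:00:00+00:00",
     "labels": {"env": "ci"},
     "networkInterfaces": [{"networkIP": "10.128.0.7"}]},
    {"name": "vm-build-9", "zone": ZONE + "us-central1-b",
     "creationTimestamp": "2022-04-16T09:00:00+00:00",  # created after both flows
     "labels": {"env": "ci"},
     "networkInterfaces": [{"networkIP": "10.128.0.7"}]},
]


def parse_zeek_json(text):
    """Zeek JSON logs hold one object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_ip_history(inventory):
    """Map internal IP -> [(creation_epoch, instance summary), ...], newest first."""
    history = {}
    for inst in inventory:
        created = datetime.fromisoformat(inst["creationTimestamp"]).timestamp()
        summary = {"name": inst["name"],
                   "zone": inst["zone"].rsplit("/", 1)[-1],
                   "labels": inst.get("labels", {})}
        for nic in inst.get("networkInterfaces", []):
            history.setdefault(nic["networkIP"], []).append((created, summary))
    for entries in history.values():
        entries.sort(key=lambda e: e[0], reverse=True)
    return history


def instance_at(history, ip, ts):
    """Newest instance that held `ip` and already existed at flow time `ts`.
    A plain IP lookup would pick whoever holds the address now, which in a
    cloud network may be a different machine than the one that made the
    connection."""
    for created, summary in history.get(ip, []):
        if created <= ts:
            return summary
    return None


def tls_findings(rec):
    """Checks that need no decryption: they use only handshake metadata."""
    reasons = []
    if not rec.get("server_name"):
        reasons.append("no SNI")
    status = rec.get("validation_status")
    if status and status != "ok":
        reasons.append("cert validation: " + status)
    return reasons


def enrich(records, history):
    """Join each ssl.log record to its source instance and attach findings."""
    rows = []
    for rec in records:
        inst = instance_at(history, rec["id.orig_h"], rec["ts"])
        rows.append({
            "uid": rec["uid"],
            "src": rec["id.orig_h"],
            "src_instance": inst["name"] if inst else None,
            "src_zone": inst["zone"] if inst else None,
            "src_labels": inst["labels"] if inst else {},
            "dst": "%s:%d" % (rec["id.resp_h"], rec["id.resp_p"]),
            "sni": rec.get("server_name") or None,
            "ja3": rec.get("ja3"),
            "findings": tls_findings(rec),
        })
    return rows


def run():
    return enrich(parse_zeek_json(ZEEK_SSL_LOG), build_ip_history(GCE_INVENTORY))


if __name__ == "__main__":
    for row in run():
        print(json.dumps(row))
```

The time check is the point of the second half: the sample reuses 10.128.0.7 for an instance created after the connection, and a lookup that ignored creation time would pin the SNI-less, self-signed session on vm-build-9 instead of vm-build-3. In a real deployment the inventory would come from periodic exports or asset-change events rather than a single live snapshot, since a live snapshot only shows the current holder of each address.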
