Network visibility has been a buzzword for a few years now and has attracted its share of enthusiasts over that time. Skim through the industry press from 2020, and you’ll come away with the impression that network visibility is a panacea for all your cybersecurity ills.
I’m not here to contradict that, necessarily. I share the opinion that instrumentation is important in protecting networks from novel threats, as is the kind of visibility necessary to produce quality feedback on the operation of your network devices. However, it’s also important to recognize that visibility should not be the end-game for network administrators looking to protect their systems – rather, we should focus on control.
In other words, it will be key in the next few years to move from visibility to insights. Rather than being able to see cyberattacks unfold in exquisite detail, the question will be how to stop them.
In order to understand the limits of network visibility, it’s important to understand what is meant by the term. Although it has become something of a catch-all term in recent years, as a result of which it has come to mean something akin to "multiple firewalls," the concept of visibility actually grew out of a very specific set of circumstances – the Industrial Internet of Things.
The IIoT, as it is commonly known, is growing fast. The raw number of connected IoT devices is growing by 127 every second, is expected to reach over 75 billion by 2025, and industrial applications account for a good proportion of this growth. In fact, the growth in the IIoT has led some to claim that we are in the middle of a fourth industrial revolution.
However, what is good for industrial productivity might not be so good for network security. At a very early stage in the development of IIoT infrastructure, it was recognized that it would present a sizable security challenge. This is not necessarily due to the raw number of devices connected to these networks – though that can certainly become an issue in the largest installations – but because of the way they are connected together.
Visibility and security
Traditionally, network security paradigms have been built on a simple insight – that if you stop a hacker (or piece of malware, industrial espionage bot, etc.) getting into your network, you will be safe. Therefore, as long as you equipped external endpoints with intrusion detection, firewalls, and proper authentication, your network would be fairly secure.
The problem with this thinking is two-fold. One is that many IIoT systems no longer have a manageable number of external endpoints, and the second is that, due to the scale of these networks, the distinction between "external" and "internal" endpoints is fast disappearing. In a highly networked factory, for instance, in which every employee's laptop has access to some portion of the industrial control systems, even technology that is traditionally considered to be a security strength becomes a potential entry point for hackers.
In addition to this exponential increase in the number of endpoints in contemporary IIoT systems, there is another issue. This is that many of the small devices that provide sensing capabilities to IIoT networks are connected to each other, without this connection passing through an interstitial control and monitoring system.
This problem is predominantly why the concept of network visibility came to prominence. Without being able to monitor what all these endpoints were up to and what they were sending to each other, it was felt that malware could rapidly spread across IIoT networks through lateral movement and gradual credential escalation.
Visibility vs. control
That worry was certainly justified. Unfortunately, the systems we have built to address it are often wholly inadequate to the task. In fact, in many ways, the very idea of "visibility" has come to cloak what network security engineers really want: control. Just take a look at a random selection of the major network security providers today, and you'll see what I mean – these companies generally offer "visibility," "monitoring," "detection," and so on, rather than more useful capabilities such as "elimination."
In turn, this focus on visibility has given rise to an incorrect understanding of risk and liability. Too often, the “game” of network cybersecurity resembles an expensive and complex version of “whack-a-mole” – a threat is detected moving between two network nodes and is eliminated. However, many organizations lack the expertise or resources to perform the kind of forensic analysis that would uncover the source of this threat, or even where it is hiding in between being spotted by visibility tools.
This, ultimately, is the tragedy of the concept of network visibility: that unless it is total, it is almost useless. And given the complex realities of sub-contracted software systems, hybrid clouds, and proprietary IIoT systems, it’s unlikely that any company can realistically achieve total oversight on their networks today.
Better than nothing?
At this point, you're probably thinking I've gone mad. Surely some visibility – even a little – over a network is better than none? Well, yes. I agree. The problem is that sometimes the (legitimate) desire for visibility can seem more important than what really matters – the ability to perform effective network forensics and lock down genuine external endpoints.
This is an argument which, I realize, is unlikely to make much difference to the efficacy or type of anti-intrusion software on the market. We’ve known for some time that the CDN era requires new network visibility standards but have largely failed to realize them. And your cybersecurity vendor is much more likely to explain the reasons your network team needs better visibility rather than offer tools that are able to prevent intruders from getting into your systems.
But if I have one request, it’s this – the next time you improve network visibility, make sure you’re not just improving your ability to observe your own helplessness.