Software-defined visibility – foundation for automated security

Growing adoption of virtualization and cloud technologies, coupled with the proliferation of mobile devices, has increased enterprise network complexity drastically. Given that the traditional data center perimeter has dissolved and the majority of traffic now flows east/west, monitoring and inspecting traffic only at the edge, as was typically done, leaves many blind spots in today’s networks. Sophisticated threat actors often exploit these blind spots to hide their activity and ultimately to steal valuable data.

To combat these threats, many organizations have taken a comprehensive multi-tiered approach to security, utilizing a variety of inline and out-of-band security appliances and tools, including but not limited to next-generation firewalls (NGFW), intrusion prevention systems (IPS), web application firewalls (WAF) and security information and event management systems (SIEM). On average, enterprises can have 10 or more security vendors and device types in their security architecture.

However, these multi-tiered security “stacks” are only as effective as the network traffic they can inspect and analyze. To achieve pervasive visibility of traffic for the entire security architecture, packets must be retrieved from all parts of the network and data center, including branch offices, physical and virtualized segments, and cloud-hosted segments. Only then do intrusion detection and prevention systems, as well as security analytics devices, have the best statistical chance of identifying threats and their sources.

But while visibility is undoubtedly the foundation for detecting blind spots and hidden threats, it is not sufficient on its own to limit exposure to data theft and loss. To further limit risk, fast time to detection matters as much as quick response, and this is where security automation becomes vitally important. For instance, if a security device that detects a threat can instruct another to quarantine the threat source without human intervention, the window of exposure is greatly reduced.

Hence, in the face of growing network complexity and threat exposure, organizations need to simplify security administration while reducing the time to threat detection and response. A more efficient and cost-effective security architecture is achievable through broad network visibility delivered as a pervasive layer that is as agile and programmable as the new networks and data centers themselves. This is what is meant by Software-Defined Visibility (SDV).

Why SDV matters

SDV extends the capabilities of a visibility infrastructure or platform so that it can programmatically tie security tools together (even when they come from different vendors and serve different functions) so that they operate collaboratively and in an automated way. This increases the effectiveness of a multi-tiered security architecture in stopping data loss and theft. The entire security stack becomes as agile and dynamic as the networks it is meant to protect, including modern complex ones such as hybrid clouds and software-defined networks (SDNs).

Gigamon has long understood the power of pervasive visibility and was the first to bring a security delivery platform, GigaSECURE, to market. GigaSECURE not only enables highly effective multi-tiered security architectures but also provides the programmatic interfaces that make SDV possible. Security tools of all types, including those deployed inline, connect directly to GigaSECURE, which in turn delivers traffic and metadata from every part of the network and data center, including virtualized segments, to the connected tools. Every security device sees exactly the traffic it needs.

For the SDV component, open RESTful APIs enable security and other network monitoring appliances to interact directly with the GigaSECURE security delivery platform. Security administrators can write programs against Gigamon’s APIs to respond dynamically to detected threats. Even on-the-fly adjustments to the traffic-mode configuration of inline security tools are possible.

The APIs can also be used to automate many operational tasks such as heterogeneous monitoring, reporting, capacity planning or integration with other IT operations management systems.

Use cases

Consider the scenario where an IDS connected to GigaSECURE flags an anomalous communication and instructs GigaSECURE to generate NetFlow for the flows of interest, so that they can be sent to and further analyzed by a SIEM that is also connected to GigaSECURE. This exchange can potentially surface malware much faster than the IDS and SIEM acting independently.
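The automated response described earlier (one device instructing another without human intervention) and the IDS-to-NetFlow-to-SIEM exchange in this use case share one shape: an alert comes in, it is validated, and a request goes out to the visibility platform. The following is an added example written for this article, not Gigamon's code; the page gives no API details, so the endpoint path `/api/v1/flow-exports`, the request body, the `DryRunClient` stand-in and the sample alert are all hypothetical placeholders. What it adds beyond the text are the guardrails a practitioner wants before letting a detector drive configuration changes: only alerts from known sensors are honoured, a severity threshold is applied, flow fields are validated before they become a filter, and repeated alerts for the same flow are deduplicated so a noisy sensor cannot flood the platform with requests.

```python
"""Added example (not Gigamon code): turn an IDS alert into a request that asks a
visibility platform to export NetFlow for the flow of interest to a SIEM.
The REST path, request body and client are hypothetical placeholders."""
import ipaddress
import json
import time

# Constructed sample IDS alert; not real telemetry.
SAMPLE_ALERT = {
    "sensor": "ids-01",
    "severity": 4,
    "src_ip": "10.20.30.40",
    "dst_ip": "198.51.100.7",
    "dst_port": 4444,
    "proto": "tcp",
    "signature": "Possible beaconing",
}

MIN_SEVERITY = 3                      # alerts below this are logged, not acted on
TRUSTED_SENSORS = {"ids-01", "ids-02"}  # only these may trigger automation
DEDUPE_WINDOW_S = 300                 # one request per flow per five minutes


class DryRunClient:
    """Stand-in for a REST client: records requests instead of sending them,
    so the example runs offline. A real deployment would use an HTTP client
    with TLS and credentials for the platform's API (hypothetical here)."""
    def __init__(self):
        self.sent = []

    def post(self, path, body):
        self.sent.append((path, body))
        return {"status": 202, "path": path}


def build_flow_filter(alert):
    """Validate the alert's flow fields and derive a flow-of-interest filter.
    Raises ValueError/KeyError on anything that is not a sane 5-tuple subset,
    so malformed or hostile alert content never reaches the platform."""
    src = ipaddress.ip_address(alert["src_ip"])
    dst = ipaddress.ip_address(alert["dst_ip"])
    port = int(alert["dst_port"])
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    proto = str(alert["proto"]).lower()
    if proto not in {"tcp", "udp"}:
        raise ValueError("unsupported protocol")
    return {"src_ip": str(src), "dst_ip": str(dst), "dst_port": port, "proto": proto}


class NetFlowOrchestrator:
    """Receives IDS alerts and asks the visibility platform (via `client`) to
    export NetFlow for the matching flow to the SIEM collector."""
    def __init__(self, client, collector, now=time.monotonic):
        self.client = client
        self.collector = collector   # SIEM NetFlow collector, e.g. "siem.example:2055"
        self.now = now               # injectable clock for testing
        self._recent = {}            # flow-filter key -> last request time

    def handle_alert(self, alert):
        """Return (action, detail); only 'requested' results in an API call."""
        if alert.get("sensor") not in TRUSTED_SENSORS:
            return "rejected", "untrusted sensor"
        if int(alert.get("severity", 0)) < MIN_SEVERITY:
            return "ignored", "below severity threshold"
        try:
            flt = build_flow_filter(alert)
        except (KeyError, ValueError):
            return "rejected", "malformed flow fields"
        key = json.dumps(flt, sort_keys=True)
        t = self.now()
        last = self._recent.get(key)
        if last is not None and t - last < DEDUPE_WINDOW_S:
            return "deduplicated", key
        self._recent[key] = t
        body = {
            "filter": flt,
            "export": {"collector": self.collector, "format": "netflow-v9"},
            "reason": str(alert.get("signature", "")),
        }
        # Hypothetical endpoint; the real platform's API is not described on the page.
        resp = self.client.post("/api/v1/flow-exports", body)
        return "requested", resp


if __name__ == "__main__":
    orch = NetFlowOrchestrator(DryRunClient(), "siem.example:2055")
    print(orch.handle_alert(SAMPLE_ALERT))   # requested
    print(orch.handle_alert(SAMPLE_ALERT))   # deduplicated
```

The clock is injected so the dedupe window can be tested deterministically; in production the default `time.monotonic` is used. Rejected and ignored alerts should still be logged, since a sensor that is suddenly untrusted or consistently malformed is itself worth investigating.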

For VMware environments, GigaSECURE uniquely provides visibility into traffic flowing among virtual machines (VMs). To automate VM policy management, administrators can write to the GigaSECURE APIs so that monitoring rules automatically follow VM moves, adds and changes. VM traffic-monitoring templates for GigaSECURE can even be applied automatically to newly configured VMs.

Security administrators are not the only beneficiaries of GigaSECURE with SDV. IT operations can also use this programmability to simplify provisioning and ticketing by automating common tasks such as modifying network port configurations, monitoring new IP subnets and VLANs, and updating software.

Clearly, visibility implemented as a pervasive and programmable layer, especially as delivered by Gigamon, yields large savings in the cost and time needed to administer networks for performance and security. The benefits also extend to a visibility architecture that is future-proofed.

“The formidable reach of our security delivery platform becomes even more compelling when one considers the vast ecosystem of technology partners that we currently have and the significant effort we are committing toward extending that ecosystem and deepening the technical cooperation with each partner,” says Johnnie Konstantas, director of Security Solutions Marketing & Business Development at Gigamon.

The Gigamon relationship with VMware, for instance, was recently extended to include automated visibility for software-defined data centers (SDDCs). Leveraging the VMware NSX Dynamic Service Insertion framework for automated deployment of virtual components, Gigamon GigaSECURE users can automate the selection, filtering and forwarding of virtual traffic for monitoring and security analytics. They can also dynamically provision visibility traffic policies within customers’ SDDCs.

“The Gigamon solution with VMware NSX allows IT to automate visibility policies for sending traffic and meta-data to security and performance monitoring solutions, enabling administrators to be constantly aware of what is happening in their network,” says Zeus Kerravala, principal analyst at ZK Research.

“As customers ramp up their SDDC deployments they need to automate the deployment and orchestration of advanced operationalization tools,” adds Konstantas. “Our vision is focused on leveraging VMware NSX service automation capabilities to help customers scale their deployments seamlessly.”

This is a QuestexAsia feature commissioned by Gigamon.