By Chris Richardson with Bob Rose
IT’S TIME TO TRIANGULATE
Recently, the following question came up: “How do IPAM and core network services relate to my functional role in security?” To answer this question and tie these concepts together, a timeless “back-pocket,” easy-read security blog by Srinivas Hanabe discusses how to Use Intelligent IPAM to Better Secure Your Network from Rogue and Infected Devices. For every incident investigator and incident responder, this post is worth spending a few minutes reviewing from a strategic planning and tactical best practice perspective.
To further lay out the value of IPAM in security, consider the following. We commonly hear jargon around “time to detect” and “time to remediate” as tangible security measures. Such yardsticks also play well when presenting upstairs to the brass. We’ve talked to many Security Leaders who get three slides in the master deck and 15 minutes per quarterly summit to make their case, whatever that may be. But consider another measure: time to triangulate.
Time to triangulate can be defined as the timespan between when you are made aware of a threat in your purview and when you understand details about where and when the threat potentially infiltrated your network. More specifically, this involves knowing what device may have accessed the network (beyond basic conventions), which port may have been used and the potential physical location of the apparent attack. You also naturally want the history and context around that user, device and threat situation. Getting to that state can be thought of as triangulation of the signal. In other words, it is when disparate sources of internal and external data are telling you something important or urgent, yet asynchronously.
Of course, we want to minimize time to triangulate while also containing cost. Digging through raw logs has largely been replaced by modern Security Information and Event Management (SIEM), which in turn has spawned other manifestations of “a grand correlation funnel.” But if that SIEM doesn’t hold the user and device data you need, and you have no easy way to drill down into the archives, you are left opening an IT ticket to ask “where was Joe’s laptop on the network 3 weeks ago?” and moving on to the next event, at the mercy of whatever your organization’s rules and policies dictate. You wait for further data before you can triangulate, instead of knowing instantly, continuously and accurately the internet protocol (IP) assignments of everything in your business. That reliable data telemetry is the hallmark of a modern IPAM solution.
START INCIDENT RESPONSE WITH THE DATA YOU NEED
Waiting for additional data before you can properly react to a latent threat represents real risk. You know the threat is in the network somewhere. You may even know its category, but without pinpointing patient zero (a great Splunk use case) you aren’t sure where to focus your resources. This is disconcerting not only from a data retention policy standpoint but also because you know that days ago a device in your purview reached out to something that was only today tagged as a new threat. The real challenge becomes: do you have an answer when C-level executives ask, “Are we in good shape? How do we avoid becoming like <Breached Company Name redacted to protect those who lacked visibility that day>? Are we on top of it?”
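To make the “time to triangulate” question and the patient-zero problem above concrete, here is an added example that is not part of the original post and not any IPAM vendor’s code. It assumes three constructed data sets: a DHCP lease history as an IPAM would export it, a switch-port inventory keyed by MAC address, and an outbound-connection log. All hostnames, MACs, IPs and field names are hypothetical. The point it demonstrates is that a sighting must be matched against the lease that covered the IP at that moment, not the address’s current holder, and that a missing lease or port record is a visibility gap the responder needs to see explicitly.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Union

# Added example: triangulating a threat sighting (IP + timestamp) against IPAM/DHCP
# lease history and a switch-port inventory. All data below is constructed; field
# names are hypothetical, not any vendor's schema.

@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    start: datetime
    end: datetime  # lease expiry or release time

@dataclass(frozen=True)
class PortRecord:
    mac: str
    switch: str
    port: str
    site: str

@dataclass(frozen=True)
class Triangulation:
    ip: str
    seen_at: datetime
    hostname: Optional[str]
    mac: Optional[str]
    switch: Optional[str]
    port: Optional[str]
    site: Optional[str]
    status: str  # "resolved", "no_lease" (IPAM gap) or "no_port" (inventory gap)

def _ts(value: Union[str, datetime]) -> datetime:
    """Accept ISO-8601 strings or datetime objects."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)

# Constructed DHCP lease history. Note that 10.20.5.17 is reused by two devices.
LEASES = [
    Lease("10.20.5.17", "00:11:22:aa:bb:01", "joe-laptop",  _ts("2024-03-01T08:00"), _ts("2024-03-01T18:00")),
    Lease("10.20.5.17", "00:11:22:aa:bb:02", "lab-printer", _ts("2024-03-02T09:00"), _ts("2024-03-09T09:00")),
    Lease("10.20.5.44", "00:11:22:aa:bb:03", "ann-desktop", _ts("2024-02-20T07:00"), _ts("2024-03-30T07:00")),
]

# Constructed switch-port / location inventory keyed by MAC. ann-desktop has no entry,
# which is exactly the kind of visibility gap the post warns about.
PORTS = {
    "00:11:22:aa:bb:01": PortRecord("00:11:22:aa:bb:01", "sw-west-03", "Gi1/0/12", "SOC-West"),
    "00:11:22:aa:bb:02": PortRecord("00:11:22:aa:bb:02", "sw-west-03", "Gi1/0/40", "SOC-West"),
}

# Constructed outbound-connection log: (source IP, destination IP, timestamp).
SIGHTINGS = [
    ("10.20.5.44", "198.51.100.7", _ts("2024-03-04T09:15")),
    ("10.20.5.17", "203.0.113.9",  _ts("2024-03-01T11:30")),
    ("10.20.5.17", "203.0.113.9",  _ts("2024-03-05T14:00")),  # same IP, different device by now
]

def lease_at(ip, when, leases=LEASES) -> Optional[Lease]:
    """The lease that held `ip` at `when`. We match on the historical lease window, not
    on the current holder, because DHCP hands addresses to different devices over time."""
    when = _ts(when)
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None

def triangulate(ip, when, leases=LEASES, ports=PORTS) -> Triangulation:
    """Resolve an (IP, time) sighting to device, switch port and site, or report the gap."""
    when = _ts(when)
    lease = lease_at(ip, when, leases)
    if lease is None:
        return Triangulation(ip, when, None, None, None, None, None, "no_lease")
    port = ports.get(lease.mac)
    if port is None:
        return Triangulation(ip, when, lease.hostname, lease.mac, None, None, None, "no_port")
    return Triangulation(ip, when, lease.hostname, lease.mac, port.switch, port.port, port.site, "resolved")

def contacts(ioc_ip, sightings=SIGHTINGS, leases=LEASES, ports=PORTS):
    """Every internal device that talked to `ioc_ip`, earliest first; index 0 is patient zero."""
    hits = sorted((ts, src) for src, dst, ts in sightings if dst == ioc_ip)
    return [triangulate(src, ts, leases, ports) for ts, src in hits]

def exposure_days(ioc_ip, tagged_at, sightings=SIGHTINGS) -> Optional[float]:
    """Days between the first contact with `ioc_ip` and the moment it was tagged malicious,
    i.e. how far back the investigation has to reach. None if no contact was logged."""
    found = contacts(ioc_ip, sightings)
    if not found:
        return None
    return (_ts(tagged_at) - found[0].seen_at).total_seconds() / 86400

if __name__ == "__main__":
    for hit in contacts("203.0.113.9"):
        print(hit.seen_at, hit.status, hit.hostname, hit.switch, hit.port, hit.site)
    print("exposure window (days):", exposure_days("203.0.113.9", "2024-03-22T11:30"))
```

Run as-is, the two contacts with the newly tagged destination resolve to two different devices on the same IP (joe-laptop on 1 March, lab-printer on 5 March), and the exposure window comes out at 21 days, the “3 weeks ago” situation the post describes. A lookup that fell outside any lease window would come back as `no_lease`, and a device whose MAC is absent from the port inventory as `no_port`; both are the visibility gaps that lengthen time to triangulate.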
AIM FOR 100% VISIBILITY
One strong answer is to drive toward 100% visibility for the devices and databases that are or have been on your network, as a bedrock operating principle and an achievable milestone to reach by your next quarterly summit. Such a principle has the strength to “travel across your meetings” on agenda topics you may be very familiar with, such as:
- Planning for Vulnerability Scanning – Next Steps
- DLP Update – Check-in with the Team
- Aligning Security for Merger with XYZ, Inc.
- IPv6 Status Check
- IR Workflow Review – All SOC Management/All Hands SOC-West/SOC NAM
In short, how your organization does IPAM affects an array of things in your daily security role. Without 100% visibility into what is connected, you risk eroding the value of every other security product, process, workaround, individual and decision in your environment. As mentioned in the prior post, rather than accidentally “finding out” that there are more IP addresses on the network than originally thought, or seeing vulnerability scanning implementations that completely miss one-third of the network map they are intended to cover, the solution is simple: get out ahead of that situation right now by thoughtfully approaching modern IP Address Management. So, what are the key takeaways?
- Triangulate data from internal and external sources for context and quick response.
- Start incident response with the reliable data you need.
- Drive toward 100% visibility for all network endpoints because you cannot secure what you cannot see.
Watch next week for Part 2 of Modern IPAM as a Security Asset.