You’ve probably heard that network infrastructure and operations teams and information security teams are collaborating more than ever before. In my research practice, I’ve started calling this NetSecOps collaboration. One reason this collaboration is becoming more common is data. Security teams need network traffic data for one reason or another, and they need help from the network team to get it. Enterprise Management Associates (EMA) recently released a study on NetSecOps collaboration based on a survey of 366 IT professionals. The study found that the need for security teams to analyze network data has led to an increase in NetSecOps collaboration in 83% of enterprises.
Often, network teams are happy to help, but data sharing can be difficult. Nearly 63% of study participants said they struggle with inconsistent and conflicting data between the two teams, and nearly 57% struggle with data-related cross-team skills gaps.

“The process of sharing data sometimes works well and sometimes doesn’t work well because the security team doesn’t have a clear idea of what they want,” said a network architect at a $15 billion retail company. “They’ll say, ‘Please show me the data from the network server.’ I need to ask, ‘Which network server, because we have many network servers? Do you want to see the network server in the cloud or in the data center?’ Sometimes, it’s hard for us to communicate with them.”

How to share traffic data with security teams

About half of network teams allow security teams direct access to network data sources, while about 22% provide role-based access and 28% provide administrative access. This enables security teams to obtain data on their own. However, if they don't know what they are looking for and how to find it, they may still need help from the network team.

30% of network teams have set up their systems to automatically forward network data to security analytics services. This eliminates the communication issues associated with this process. Nearly 19% of organizations require security teams to make separate network data requests to network teams.

Network packet brokers can facilitate this data sharing. These devices sit inline or out-of-band, where they aggregate mirror or production traffic, filter traffic, add metadata to packets, and forward dedicated packet streams to separate analysis tools. Of the IT professionals who participated in the EMA survey, 90% said network packet brokers are important for facilitating collaboration between network and security teams. Network teams typically operate them, but they can provide role-based or administrative access to security teams, allowing security staff to forward any traffic they want to their tools.

Packet capture hardware is another important link in the collaboration. Network and security teams often maintain their own packet capture resources. For example, a security analysis tool may have its own integrated packet capture resource. The network team may maintain a large packet capture array that collects data from a larger set of network interfaces in order to have a richer data set for analysis. Therefore, even with their own packet capture resources, security teams still need help from the network team in some cases. For this reason, many enterprises are considering consolidating packet capture resources. EMA research found that 97% of respondents are interested in at least partially integrating packet capture resources between network and security teams.

How security teams use traffic data

EMA asked respondents to identify what security teams are doing with the traffic data they extract from their networks. More than 69% of organizations feed traffic into network detection and response or network traffic analysis tools, a new class of security monitoring services that perform deep analysis of traffic to identify anomalies and threats. Nearly 58% of security teams need traffic data to help them complete the incident response process. They detect a security issue and they need answers from traffic data. And more than 55% of enterprises are performing real-time packet load analysis. For example, they are looking for malware in the data packets, or they are looking for sensitive data leaked from the network.

If your organization is trying to improve NetSecOps collaboration, data is a great place to start. Look for ways to more easily share high-quality data between teams, especially in ways that can bridge the skills gap between the two teams.