Security teams’ demand for traffic data drives NetSecOps collaboration

2021.12.06

You have probably heard that network infrastructure and operations teams and information security teams are now cooperating more than ever before. In my research and practice, I have started calling this NetSecOps collaboration. One of the reasons this cooperation is becoming more common is data: the security team needs network traffic data for various purposes, and it needs the network team's help to obtain it. Enterprise Management Associates (EMA) recently released a research report on NetSecOps collaboration based on a survey of 366 IT professionals. It found that the security team's need to analyze network data has led 83% of enterprises to increase NetSecOps collaboration.

Usually, the network team is happy to help, but data sharing can be difficult. Nearly 63% of the study participants said they were troubled by inconsistent and conflicting data between the two teams, and nearly 57% by a data-related cross-team skill gap. A network architect at a $15 billion retail company said: “The process of sharing data sometimes works well, and sometimes it doesn’t work well because the security team doesn’t have a clear idea about their requirements. They’ll say, ‘Please show me data from web servers.’ I need to ask, ‘Which web server? Because we have a lot of web servers. Do you want to see web servers in the cloud or in the data center?’ Sometimes it’s hard for us to communicate with them.”

How to share traffic data with the security team

About half of network teams allow security teams to directly access network data sources: about 22% provide role-based access and 28% provide administrative access. This lets the security team obtain the data on its own. However, if they don't know what they are looking for or how to find it, they may still need the network team's help. 30% of network teams set up their systems to automatically forward network data to security analysis services, which eliminates the communication problems associated with this process. Nearly 19% of enterprises require the security team to submit a separate network data request to the network team.

Network packet brokers can facilitate this kind of data sharing. These devices sit in-line or out-of-band, where they aggregate mirrored or production traffic, filter it, add metadata to packets, and forward dedicated packet streams to separate analysis tools. Among the IT professionals who participated in the EMA survey, 90% said that network packet brokers are important for promoting collaboration between network and security teams. Network teams usually operate them, but they can give security teams role-based or administrative access, so that security personnel can forward whatever traffic they want to their own tools.

Packet capture hardware is another important link for collaboration. Network and security teams usually maintain their own packet capture resources. For example, security analysis tools may have their own integrated packet capture. The network team may maintain a large packet capture array that collects data from a larger set of network interfaces, giving it a richer data set for analysis. Therefore, even when it has its own packet capture resources, the security team still needs the network team's help in some cases. For this reason, many companies are considering consolidating packet capture resources. EMA research found that 97% of respondents are interested in at least partially consolidating packet capture resources between the network and security teams.

How the security team uses traffic data

EMA asked respondents how the security team processes the traffic data it extracts from the network. More than 69% of enterprises feed traffic to network detection and response or network traffic analysis tools, a newer type of security monitoring service that performs in-depth analysis of traffic to identify anomalies and threats. Nearly 58% of security teams need traffic data to support their incident response process: they detect a security issue and then need answers from the traffic data. More than 55% of enterprises perform real-time packet payload analysis, for example looking for malware in packets or for sensitive data leaking out of the network. If your business is trying to improve NetSecOps collaboration, data is a good starting point. Look for ways to more easily share high-quality data between teams,