{"id":1534,"date":"2019-01-25T17:36:08","date_gmt":"2019-01-25T17:36:08","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=1534"},"modified":"2020-05-06T10:27:01","modified_gmt":"2020-05-06T17:27:01","slug":"modern-ip-address-management-as-a-security-asset-part-1","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/modern-ip-address-management-as-a-security-asset-part-1\/","title":{"rendered":"Modern IP Address Management as a Security Asset Part 1"},"content":{"rendered":"

By Chris Richardson with Bob Rose<\/p>\n

IT’S TIME TO TRIANGULATE<\/strong><\/p>\n

Recently, the following question came up: \u201cHow do IPAM and core network services relate to my functional role in security?\u201d To answer this question and tie these concepts together, a timeless \u201cback-pocket,\u201d easy-read security blog by Srinivas Hanabe discusses how to\u00a0Use Intelligent IPAM to Better Secure Your Network from Rogue and Infected Devices<\/a>. For every incident investigator and incident responder, this post is worth spending a few minutes reviewing from a strategic planning and tactical best practice perspective.<\/p>\n

To further lay out the value of IPAM in security, consider the following. We commonly hear jargon around \u201ctime to detect\u201d and \u201ctime to remediate\u201d as tangible security measures. Such yardsticks also play well in presenting upstairs to the brass. We\u2019ve talked to many Security Leaders who get three slides in the master deck and 15 minutes per quarterly summit to make their case \u2013 whatever that may be. But how about another measure? \u2014 time to triangulate.<\/p>\n

Time to triangulate can be defined as the timespan between when you are made aware of a threat in your purview and when you understand details about where and when the threat potentially infiltrated your network. More specifically, this involves knowing what device may have accessed the network (beyond basic conventions), which port may have been used and the potential physical location of the apparent attack. You also naturally want the history and context around that user, device and threat situation. Getting to that state can be thought of as triangulation of the signal. In other words, it is when disparate sources of internal and external data are telling you something important or urgent, yet asynchronously.<\/p>\n

 <\/p>\n

Of course, we want to minimize this time to triangulate while mitigating cost. The concept of digging through logs has largely been replaced by modern Security Information and Event Management (SIEM), which has subsequently led to other manifestations of \u201ca grand correlation funnel.\u201d But if that SIEM doesn\u2019t have the user\/device data you need, and you have no easy way to drill down within the archives, then you are left to open an IT ticket to determine \u201cwhere was Joe\u2019s laptop on the network 3 weeks ago?\u201d so you must move on to the next event, at the mercy of what your organization\u2019s rules and policies dictate. You wait for further data to triangulate, as opposed to knowing instantly the internet protocol (IP) assignments of everything in your business continuously and accurately \u2013 all the while knowing that such reliable data telemetry is the hallmark of a modern IPAM\u00a0solution.<\/p>\n

START INCIDENT RESPONSE WITH THE DATA YOU NEED<\/strong><\/p>\n

Waiting for additional data\u00a0<\/strong>in order to properly react to a latent threat represents real risk. You know that the threat is in the network somewhere. You may even know what the threat category is, but without pinpointing patient zero (a great Splunk use case<\/a>), you aren\u2019t sure where you need to focus your resources. This is disconcerting both from a data retention policy standpoint but also because you know that days ago, a device in your purview reached-out to something that was only today tagged as a new threat. The real challenge becomes: Do you have an answer when C-Level executives ask, \u201cAre we in good shape? How do we avoid becoming like <Breached Company Name redacted to protect those who lacked visibility that day<\/em>>? Are we \u201con top of it?<\/p>\n

AIM FOR 100% VISIBILITY<\/strong><\/p>\n

One strong answer\u00a0<\/strong>is to drive toward 100% visibility for the devices and databases that are or have been on your network as a bedrock operating principle and achievable milestone to reach by your next quarterly summit. Such a principle has the strength to \u201ctravel across your meetings\u201d on agenda topics you may be very familiar with, such as:<\/p>\n