{"id":644,"date":"2018-03-01T17:36:02","date_gmt":"2018-03-01T17:36:02","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=644"},"modified":"2020-05-06T10:27:08","modified_gmt":"2020-05-06T17:27:08","slug":"part-3-4-practical-advice-to-network-and-security-operations","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/part-3-4-practical-advice-to-network-and-security-operations\/","title":{"rendered":"[Part 3\/4] Practical Advice to Network and Security Operations Pros Regarding GDPR Compliance"},"content":{"rendered":"

This is the third in a four-part blog series. Check out\u00a0part 1<\/a>\u00a0and\u00a0part 2<\/a>.<\/p>\n

Part 3 – Security Operations<\/h2>\n

The Forrester report\u00a0suggests \u201cThe Data Breach Notification requirement will be a game-changer\u201d. Specifically, this means incident response is more critical and difficult: the required information as part of any data breach notification (outlined in Article 33 section 3) includes the scope of the breach and personal data compromised, consequences to individuals and mitigation. Clearly better information, management processes and automation will help in the assessment of any potential breach.<\/p>\n

Infoblox can help with the challenge of evaluating potential security events to determine what might be incidents that require a response by the security operations team and supporting them in the subsequent assessment process. Based on our experience there are three areas where Infoblox products and services are relevant to security operations:<\/p>\n

    \n
  1. Providing visibility into what is where on the network.<\/li>\n
  2. Delivering curated threat intelligence and tools for investigating Indicators of Compromise (IOCs).<\/li>\n
  3. Automating the process for sharing intelligence and IOCs with security tools.<\/li>\n<\/ol>\n

    Knowing What is Where<\/h2>\n

    What does not work is the good old IP Address Management Spreadsheet. Every networking professional has probably used a variant of this at some point – something like one tab per VLAN and one row per IP. This does not realistically reflect what is on the network, nor does it keep up with changes. For instance, anyone who has managed something like this knows that the number of times they are informed of something being removed from the network is probably a round number.<\/p>\n

    How does this spreadsheet help the security operations team during assessments? It doesn\u2019t. Nor does it help the network team who may be called to find out what is really associated with an IP address.<\/p>\n

    An integrated DDI system that combines \u201cThe Spreadsheet\u201d, incorporates live DNS & DHCP data, is updated by active discovery of both the physical and virtual infrastructure, all combined with network authentication events, is a much better approach. This gives the answer to \u201cwho\u201d, \u201cwhen\u201d and \u201cwhere\u201d based on the protocols themselves and the information from the network itself.<\/p>\n

    Having this data in a multi-user system, with role-based administration capabilities, frees the networking team from calls to investigate the \u201cwho\u201d, \u201cwhen\u201d and \u201cwhere\u201d and enables the security team to look at this information directly. It also becomes a virtuous circle in that the greater the accuracy of the data the more it is used, and hence the more it can facilitate automatically provisioning IPs and domain names, so the more accurate it becomes. Visibility into the network will speed up assessment, saving cost in terms of operator time, and allow some more proactive action (why is there a PlayStation or XP system still on the network?).<\/p>\n

    Don\u2019t forget IPv6! Yes you are running it. You can either leave it to grow up organically (like was done with IPv4 – remember?) or take control of the address plan now so that you know what is where when you see IPv6 addresses in log files. Something is bound to exploit IPv6 as currently partially implemented within corporate networks. For an example see Tom Coffen\u2019s\u00a0presentation<\/a>\u00a0\u201cDelivering on the Promise of Modern Data Centers: A focus on DNS and IPv6\u00a0\u201d\u00a0ref 3<\/sup>\u00a0where IPv6 DHCP is mentioned. When IPv6 addresses appear in security logs how will you know what is where if you don\u2019t have an address plan?<\/p>\n

    Think of improving the data quality used for security and network operations as below:<\/p>\n

    Turning Data into Actionable Information<\/h3>\n

    \"Turning<\/p>\n

    This can be summed up as combining the current data you have from the sources on the left and using this to provide the benefits on the right of the security and networking teams using the same data, enabling automation and providing a valuable database of information.<\/p>\n

    Lastly, a tip from CISOs: co-locating security and network operations with good data sources has worked wonders for addressing security issues and breaking down \u201csilos\u201d within an organisation. This will certainly help in assessment and responding to security events.<\/p>\n

    The action item here is to review how accurate and integrated DDI is within your organisation as a basic component of being able to assess risk, alerts and incidents. If you are already there and it\u2019s working well for you move on to look at automation and reporting.<\/p>\n

    Threat Intelligence and Investigation<\/h2>\n

    Knowing what is where is useful in terms of assessing security risks and the impact of malicious activity. This goes hand-in-hand with knowing if there is something to worry about in the first place.<\/p>\n

    Most organisations are using threat intelligence unconsciously in that they may be consuming a feed to something such as a web proxy to block potentially harmful http(s) traffic, i.e. they block what the proxy vendor says they should block.<\/p>\n

    Threat intelligence can be used independently of any specific tool, indeed in many cases it can augment any feed supplied by a specific vendor. One of the interesting facts about threat intelligence data is that the overlap between feeds is surprisingly little, so multiple data sources tend to be a benefit and not duplication.<\/p>\n

    By using threat intelligence as a data source or feed in its own right, rather than as an embedded part of any specific security implementation, you can achieve the following:<\/p>\n