On this episode of World Wide Technology's Public Sector Tech Talk, I discussed the value of observability in network security with Marlin McFate, Riverbed Technology's Public Sector Chief Technology Officer.
As we explain in the podcast, observability is the ability to go into network data and find the things that traditional network monitoring missed. That includes advanced persistent threats, zero-day vulnerabilities, or inherent risks created in the supply chain.
Better understanding observability
McFate explains the three levels of asset accountability. They include:
- Monitoring. Security teams collect specific data such as digital signatures or traffic patterns that tell if something is wrong. During this process, cybersecurity systems look for particular patterns but are limited by their limited focus.
- Data collection. This goes one step past monitoring as security teams find helpful threat information that was not caught in the specific set of conditions found with monitoring.
- Observability. At this stage, organizations can take all of the data caught in monitoring along with additional data from different domains and stitch it together in an end-to-end view. This allows security teams to see more significant trends across domains and leverage collaboration between disparate areas to gain a comprehensive perspective.
"Creating observability within an organization is more than technology, but a paradigm shift that looks to break down silos and better converge the security operations with IT," McFate said.
Addditionally, the push for remote work – first made necessary by the COVID-19 pandemic and now as a more accepted form of work – has changed the threat landscape. Since March 2020, when employees began working more from home, there has been a dramatic increase in phishing and spear phishing.
We've had devices out in the world for more than two years now that pose a significant threat when they come back into our environment. Bringing these devices back behind our walls presents a unique challenge where observability will be drastically needed.
Finding an insider threat
To end the podcast, McFate shared a customer story. This organization adopted an observational mentality and worked diligently to understand the devices on their network better. Their research discovered about 20 percent more devices than they initially believed they had.
In particular, the analysts found a device operating in parts of the network it should not have access to and raised red flags. An investigation found that the device collected data from the middle tier of an application and encrypted its network traffic.
"The investigators could find out what switch port the device was using and quickly learned that it was an insider threat," McFate said. "Three individuals were circumventing the traditional layered cybersecurity and thought they could act with impunity. While this is just a small case, it shows how easily it can be for this type of action without the right safeguards."
To learn more about the value of observability in network security, listen to the full Public Sector Tech Talk.