top of page

What Is a Network Blueprint?

Any engineer knows the value of a blueprint. Originally named in the context of

reproduction—the old blueprinting process would result in white lines on a blue

background—the term is used in modern contexts as a reference to technical and engineering drawings. More specifically, a blueprint generally provides detailed specifications of how a given system, object, or complex structure has been planned, designed, organized, and

implemented as architecture.

As such, it should come as no surprise that enterprise security experts would come to

acknowledge the obvious benefits of having a blueprint for the network they are tasked to

protect. Nevertheless, the goal has been elusive, and rather than existing as a routine aspect of

any security program, many—perhaps most, if not all—security teams operate without a

detailed blueprint of their network infrastructure and attached devices. The main reason is

increasing network complexity, as today’s networks are becoming extremely complicated in

terms of size and architecture.

In this blog, we suggest three generations of industry attempts at creating something akin to a

network blueprint for the purpose of cybersecurity. These generations begin with efforts done

manually and informally, continue through early attempts at automation, and have now arrived

at the present generation, where an accurate blueprint can be developed thanks to

advancements in machine learning and deep learning technologies, as evidenced by

commercial vendors such as Cynamics.

Early Generation Manual Network Drawings

The earliest generation of network specifications involved informal attempts at creating

drawings of the topological, architectural and organizational aspects of a given network. During

these early days in the 1980s and 1990s, network engineers would invest significant time in

sketching these network drawings based on information extracted from a manual analysis of

routing configuration files, device address information, and visible evidence of how the network

is arranged.

While automation certainly existed to assist with the set-up and administration of routing,

these early drawings were rarely helpful from a security perspective. The good news was that

early networks were much more “compact,” i.e., smaller and simpler, than today and were

often clearly delineated by firewall gateways. In fact, throughout this time, many enterprise

networks might have been running a protocol such as IPX that was out-of-band with IP-based

attacks from the Internet.

Mid-Generation Automated Network Tools

In the 2000s and 2010s, enterprise security teams began to gain access to automated tools that

provided schematics of networks. These tools ranged from creative platforms that tried to

visualize the complex connectivity of a network to more tactical solutions that tried to provide

network vulnerability management capabilities. One particularly creative solution emerged

from Bill Cheswick and Hal Burch, engineers at Bell Labs who visualized networks as lovely

pieces of art.

Figure 3-1. Older Creative Network Schematic Art (The Internet)

During this time, however, it became obvious that security engineers needed something more

than a visually attractive artistic representation; they needed something that would provide

meaningful operational value. Network scanners during this period tried to fill the gap, often

pulling ideas from sectors such as telecommunications, where network maps had been used for

years to perform network asset discovery and management. In such cases, routes would be

visually lit where some performance or security issue emerged to help dictate action.

Figure 3-2. Telecom Management by Exception Network Maps

Despite the usefulness of scanners and telecom-based network maps, these were pretty naïve

in their simplified analysis of the network. The security industry realized during this era that

new tools were needed to provide a more complete and accurate view of network topology,

inventory and connected devices that would be more security-oriented and able to assist in

protecting such complex networks.

Emerging-Generation Network Blueprints

The current emerging generation of network security work is arriving at the collective

conclusion that enterprise protection teams need a so-called network blueprint. This is a

common-sense demand, and one that will hopefully find its way into the compliance and

assessment communities, where audits would be considered incomplete if evidence of network

visibility is not provided.

The functional requirements that should be supported by any commercial or open-source

network blueprint solution to support cybersecurity protection on a network should include the

following three major areas:

  • Traffic Collection and Analysis. An accurate blueprint for a network depends on the collection of traffic for review and analysis. This should be able to cope with exponentially growing data volume sizes and will benefit from new approaches to collecting traffic without the use of appliances and solid analytic tools.

  • Network Visibility and Mapping. The visibility and mapping process is essential to rendering a blueprint that will be useful for interpretation by human experts. It can run queries and reports on the network, as well as be processed by automated tools.

  • Threat Prediction and Prevention. By matching network behavior to its derived blueprint, the solution will provide sufficient guidance and insight to predict and prevent threats from occurring on or across the network infrastructure.

Obviously, network security engineers will integrate other available data about a network

including addressing, routing, and other static information to enhance the context of the

network blueprint. The innovation here—as will be shown in the next blog on commercial

cybersecurity vendor Cynamics—is that advances in machine learning and deep learning

technologies offer the most useful, comprehensive insights into the development of the

network blueprint.

About TAG Cyber

TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights

and recommendations to security solution providers and Fortune 100 enterprises. Founded in

2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-

for-play research by offering in-depth research, market analysis, consulting, and personalized

content based on hundreds of engagements with clients and non-clients alike—all from a

former practitioner perspective.  

Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written

permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as

consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein


Dr. Edward Amoroso

TAG Cyber, CEO

October 19, 2022


bottom of page