Updated: Oct 19
Any engineer knows the value of a blueprint. Originally named in the context of
reproduction—the old blueprinting process would result in white lines on a blue
background—the term is used in modern contexts as a reference to technical and engineering drawings. More specifically, a blueprint generally provides detailed specifications of how a given system, object, or complex structure has been planned, designed, organized, and
implemented as architecture.
As such, it should come as no surprise that enterprise security experts would come to
acknowledge the obvious benefits of having a blueprint for the network they are tasked to
protect. Nevertheless, the goal has been elusive, and rather than existing as a routine aspect of
any security program, many—perhaps most, if not all—security teams operate without a
detailed blueprint of their network infrastructure and attached devices. The main reason is
increasing network complexity, as today’s networks are becoming extremely complicated in
terms of size and architecture.
In this blog, we suggest three generations of industry attempts at creating something akin to a
network blueprint for the purpose of cybersecurity. These generations begin with efforts done
manually and informally, continue through early attempts at automation, and have now arrived
at the present generation, where an accurate blueprint can be developed thanks to
advancements in machine learning and deep learning technologies, as evidenced by
commercial vendors such as Cynamics.
Early Generation Manual Network Drawings
The earliest generation of network specifications involved informal attempts at creating
drawings of the topological, architectural and organizational aspects of a given network. During
these early days in the 1980s and 1990s, network engineers would invest significant time in
sketching these network drawings based on information extracted from a manual analysis of
routing configuration files, device address information, and visible evidence of how the network
While automation certainly existed to assist with the set-up and administration of routing,
these early drawings were rarely helpful from a security perspective. The good news was that
early networks were much more “compact,” i.e., smaller and simpler, than today and were
often clearly delineated by firewall gateways. In fact, throughout this time, many enterprise
networks might have been running a protocol such as IPX that was out-of-band with IP-based
attacks from the Internet.
Mid-Generation Automated Network Tools
In the 2000s and 2010s, enterprise security teams began to gain access to automated tools that
provided schematics of networks. These tools ranged from creative platforms that tried to
visualize the complex connectivity of a network to more tactical solutions that tried to provide
network vulnerability management capabilities. One particularly creative solution emerged
from Bill Cheswick and Hal Burch, engineers at Bell Labs who visualized networks as lovely
pieces of art.
Figure 3-1. Older Creative Network Schematic Art (The Internet)
During this time, however, it became obvious that security engineers needed something more
than a visually attractive artistic representation; they needed something that would provide
meaningful operational value. Network scanners during this period tried to fill the gap, often
pulling ideas from sectors such as telecommunications, where network maps had been used for
years to perform network asset discovery and management. In such cases, routes would be
visually lit where some performance or security issue emerged to help dictate action.
Figure 3-2. Telecom Management by Exception Network Maps
Despite the usefulness of scanners and telecom-based network maps, these were pretty naïve
in their simplified analysis of the network. The security industry realized during this era that
new tools were needed to provide a more complete and accurate view of network topology,
inventory and connected devices that would be more security-oriented and able to assist in
protecting such complex networks.
Emerging-Generation Network Blueprints
The current emerging generation of network security work is arriving at the collective
conclusion that enterprise protection teams need a so-called network blueprint. This is a
common-sense demand, and one that will hopefully find its way into the compliance and
assessment communities, where audits would be considered incomplete if evidence of network
visibility is not provided.
The functional requirements that should be supported by any commercial or open-source
network blueprint solution to support cybersecurity protection on a network should include the
following three major areas:
Traffic Collection and Analysis. An accurate blueprint for a network depends on the collection of traffic for review and analysis. This should be able to cope with exponentially growing data volume sizes and will benefit from new approaches to collecting traffic without the use of appliances and solid analytic tools.
Network Visibility and Mapping. The visibility and mapping process is essential to rendering a blueprint that will be useful for interpretation by human experts. It can run queries and reports on the network, as well as be processed by automated tools.
Threat Prediction and Prevention. By matching network behavior to its derived blueprint, the solution will provide sufficient guidance and insight to predict and prevent threats from occurring on or across the network infrastructure.
Obviously, network security engineers will integrate other available data about a network
including addressing, routing, and other static information to enhance the context of the
network blueprint. The innovation here—as will be shown in the next blog on commercial
cybersecurity vendor Cynamics—is that advances in machine learning and deep learning
technologies offer the most useful, comprehensive insights into the development of the