Common aphorisms heard each day in the cybersecurity industry vary in how accurately they describe our real challenges. For example, the oft-heard saying that “people are the real problem in cyber” expresses the accurate situation where bad decisions by individuals can have real consequences for a network's health and its assets. But the saying can also be criticized for blaming users for badly designed systems. So “sayings” can be uneven in their usefulness.
One aphorism that does provide an accurate view, however, is the claim that “you cannot secure what you cannot see.” This saying expresses the highly accurate situation where network visibility serves as one of the most foundational aspects of modern cybersecurity. This is true for information technology (IT) security teams with bad inventory or a lack of updated architecture, and it is also true for network security teams with weak data, information, and insights into their network.
What is Network Visibility?
The earliest attempts to understand networks came from the academic community in the form of conceptual layered models. The familiar OSI model, for example, has helped network engineers make sense of network operations from low-level hardware up through seven successively abstract layers. This is the origin of references to so-called layer 3 packet-level and layer 7 application-level networks.
These abstract models certainly help but are not operational enough. Therefore, network security engineers have learned that visibility must come in the form of several practical views. These have come mostly from practical experience dealing with network issues, incidents, and attacks, and they are offered in the context of a different sort of taxonomy than OSI.
Specifically, networks today come in three different infrastructure deployment models:
On-Premise Networks. The salient aspect of an on-premise network is that the boundary of the network is defined by the enterprise. This has traditionally been done with a physical perimeter composed of physical routers, firewalls and switches, but the equivalent can be accomplished virtually using software-defined firewalls. Creating visibility into an on-premise network is easier than for cloud and hybrid alternatives, but it does carry other risks (e.g., insiders, east-west traffic, lateral traversal, etc.).
Cloud Network. A cloud network is one that includes data and control plane support from a publicly accessible cloud infrastructure, such as the three major cloud providers: AWS (Amazon Web Services), Microsoft's Azure and GCP (Google Cloud Platform). The industry often refers to such a network as a secure access service edge (SASE) configuration, but other designations exist, such as a cloud-first network. Visibility into cloud networks requires specialized platforms that can delineate topology and virtual boundaries.
Hybrid Networks. A hybrid network, as its name implies, combines aspects of on-premise networks with cloud-based data and control planes. This type of arrangement is the most commonly found topology and includes the selective use of public cloud infrastructure, as well as software as a service (SaaS)-hosted applications, private data center hosted applications and on-premise workloads. Visibility here also requires special platforms and is usually considered the hardest among the three deployment models, as solutions usually specialize either in on-premise or cloud, but not both.
Figure 1-2. Three Modern Network Arrangements
Visibility into these networks must enable five different capabilities. These include: device-level identification; analysis support for network activity and running queries and reports on the network; alerting on anomalous behaviors; prediction capability to prevent threats and provide detailed, root-cause analysis of these threats; and the development of insight to enable optimal network management decisions. Such security capabilities must integrate with the day-to-day network monitoring and administrative tasks performed to maintain network infrastructure and services.
What Does Network Visibility Enable?
The ability to provide visibility into a network to support cybersecurity objectives has many valuable implications for enterprise teams. These advantages will vary based on the local context. For example, a network service provider will use visibility as a business differentiator with its customers, whereas a bank will rely on visibility solely to reduce operational and security risks. Nevertheless, the following advantages commonly result from network visibility:
Network Deployment Risk. Establishing visibility is a natural prerequisite to any network deployment activity. These include adding new nodes, connecting new devices, or making changes to routing, naming, or other network attributes. The idea of having visibility into a network before a meaningful change is made would seem to be based on pure common sense to any practical engineer—and yet it is often not done, due to the extreme challenge of having visibility into today’s complex networks.
Identification and Remediation of Vulnerabilities. The security task of identifying and remediating vulnerabilities in network devices and infrastructure benefits directly from accurate and complete topological information. Without such visibility, it becomes difficult, and sometimes impossible, to find errors in configuration files, incorrect routes in network segments, ports that are left open, and unallowed communications, to name a few. As the network grows in size, data volume, and architectural complexity, these tasks become increasingly infeasible.
Coverage of Network Entry and Exit Points. The most essential task for network security engineers involves understanding what data and access are allowed into the network, as well as what data and access can be directed outside the network. Equally important, these behaviors should be verified against their set of expected and allowed policies. Such entry and exit points define the paths an adversary can take to break into, and exit out of, a network for the purpose of a cyberattack and are referred to as “the network attack surface.” Security engineers want to minimize this surface as much as possible, without affecting the day-to-day network activities that are necessary for business operations.
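One way to verify the entry and exit points just described against an allowed policy, as an added example that is not from TAG Cyber or this blog: it classifies constructed flow records relative to a hypothetical enterprise address space and reports accepted boundary flows that the (also hypothetical) ingress and egress allowlists do not expect.

```python
import ipaddress
from collections import namedtuple
# Constructed sample policy: what the enterprise expects to allow at its boundary.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ALLOWED_INGRESS = {("10.0.1.10", 443), ("10.0.1.20", 25)}  # (internal host, port) open to outside
ALLOWED_EGRESS_PORTS = {443, 53}                           # ports internal hosts may reach outside
# Constructed flow records, "src dst dport proto action" (simplified, not a vendor log format).
SAMPLE_LOG = """\
203.0.113.5 10.0.1.10 443 tcp ACCEPT
203.0.113.5 10.0.1.10 22 tcp ACCEPT
198.51.100.9 10.0.1.20 25 tcp ACCEPT
10.0.2.7 203.0.113.80 443 tcp ACCEPT
10.0.2.7 203.0.113.80 6667 tcp ACCEPT
10.0.2.7 192.168.3.4 445 tcp ACCEPT
203.0.113.5 10.0.1.30 3389 tcp REJECT
"""
Flow = namedtuple("Flow", "src dst dport proto action")

def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        src, dst, dport, proto, action = line.split()
        flows.append(Flow(src, dst, int(dport), proto, action))
    return flows

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def direction(f: Flow) -> str:
    # Classify a flow relative to the enterprise boundary.
    src_in, dst_in = is_internal(f.src), is_internal(f.dst)
    if src_in and dst_in:
        return "east-west"
    return "ingress" if dst_in else ("egress" if src_in else "transit")

def audit(flows: list) -> list:
    # One finding per accepted boundary flow the policy does not allow. East-west
    # traffic is deliberately out of scope: it is the insider/lateral risk, not the edge.
    findings = []
    for f in flows:
        if f.action != "ACCEPT":
            continue  # blocked flows are not part of the exposed attack surface
        d = direction(f)
        if d == "ingress" and (f.dst, f.dport) not in ALLOWED_INGRESS:
            findings.append(f"unexpected ingress {f.src} -> {f.dst}:{f.dport}/{f.proto}")
        elif d == "egress" and f.dport not in ALLOWED_EGRESS_PORTS:
            findings.append(f"unexpected egress {f.src} -> {f.dst}:{f.dport}/{f.proto}")
    return findings
```

Each finding is a boundary path the policy did not anticipate, which is exactly the attack-surface reduction question the text raises; feeding real flow logs through `parse_flows` requires adapting the field split to the actual log format.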
These benefits should not be viewed as controversial in any way; all are based on common-sense engineering principles. For this reason, TAG Cyber strongly recommends that security teams demand a platform that provides essential control—namely, the creation of an accurate and complete network blueprint. The next blog will address this important new
About TAG Cyber
TAG Cyber is a trusted cyber security research analyst firm, providing unbiased industry insights and recommendations to security solution providers and Fortune 100 enterprises. Founded in 2016 by Dr. Edward Amoroso, former SVP/CSO of AT&T, the company bucks the trend of pay-for-play research by offering in-depth research, market analysis, consulting, and personalized content based on hundreds of engagements with clients and non-clients alike—all from a former practitioner perspective.
Copyright © 2022 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report is comprised of the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding the correctness, usefulness, accuracy, or completeness of this report are disclaimed herein.
Dr. Edward Amoroso
TAG Cyber, CEO
October 3, 2022