Before your security team can apply protection, however, countering lack of visibility is a must.
1. Asset discovery
It goes without saying that discovering all assets in an organization’s cloud(s) and on-premises data center(s) is a crucial first step before being able to understand east-west traffic patterns. Organizations should implement an automated discovery tool to learn the extent of data present, the state of systems on the network, and what controls are in place to protect data/systems and alert on potentially malicious traffic.
2. Network communication mapping
After you’ve inventoried your networks, the next step is learning which assets are communicating (dormant assets rarely facilitate an attack), how they’re communicating (e.g., typical patterns of communication, amount of data sent/received in a given time period, etc.), and with which other resources they’re communicating. Visualizing the current state of the network helps security and operations teams better understand the network attack surface — which systems have the most sensitive data and which ones are therefore most likely to be targeted by certain types of cyber criminals.
3. Build and monitor baselines
The purpose of mapping network communications is to understand the what and how. Mapping, in turn, allows the organization to build and monitor baselines of normal activity, which helps quickly surface anomalies (e.g., when a database is suddenly sending 10X the amount of data it typically does; when a host is requesting a connection to a server it’s never communicated with before). It’s these baselines—which should be evaluated regularly to determine if “normal” has changed—that will provide you the visibility into risks associated with communicating data, applications, and users on your network, which will then guide your overall network security strategy.