SASE, multicloud spur greater collaboration between network and security teams

Network teams and cybersecurity teams are collaborating more and more, we’ve found in our research at Enterprise Management Associates (EMA).

 We explored this issue most recently in our report, “NetSecOps: Examining How Network and Security Teams Collaborate for a Better Digital Future.” Among 304 IT professionals surveyed, 84% of organizations have seen the amount of collaboration between these groups increase in recent years. As one network engineering manager at a midmarket business services company described it: “We’ve always had a push for network and security to work together. We have regular meetings with them to go through any changes. We look at any tools they are considering and any testing they are doing.”

This collaboration is especially active in enterprises that are engaged with secure access service edge (SASE) technology and multicloud architecture, EMA has determined.

SASE converges network and security solutions into an integrated architecture, so it makes sense that these groups would come together to implement and operationalize it. Multicloud adds significant complexity to networking and security at a time when both these groups are fighting to regain influence and control over cloud strategy. EMA believes that strong collaboration between the two groups can help both gain more credibility in the cloud.

Bridging NetSecOps with tooling

It’s not always easy for network and security teams to work together. They have different missions, different skillsets, and different tools. On the networking side of things, a network operations tool that provides security insights can be helpful for bridging that divide.

EMA asked research participants if they had a network performance management (NPM) tool that offered security insights. More than 86% said yes. Among those organizations who get such insights from their tools, 91% said these security insights are at least somewhat valuable.

Also, in 58% of organizations, both network and security personnel engage with those security insights, which indicates that these tools are providing value across silos. This is notable because it demonstrates that skills gaps are not preventing the security team from getting valuable information from NPM tools. It also suggests that network teams are building bridges with security teams by offering them useful information.

NPM tools offer security insights

EMA asked research participants to identify the most valuable security insights available in their NPM tools today. More than half (52%) told us that network detection and response (NDR) or network traffic analysis (NTA) insights were delivering significant value. NDR and NTA technology monitors network traffic (packet data or network flow records) for anomalous or suspicious behavior. These technologies leverage machine learning and behavioral analytics rather than threat data and malware signatures, allowing for the detection of previously unidentified threats and attack methods. The prevalence of NDR and NTA insights in NPM tools is not surprising, given that most NPM vendors have introduced modules or products over the last five years that focus on these capabilities. These capabilities can serve as a frontline cybersecurity monitoring solution, or network teams can offer it to the security team as a supplemental view into traffic.

More than 43% or research participants told EMA that it’s useful to get health and performance reporting on network security infrastructure from their NPM tools. Network and security personnel can infer several things from this type of reporting. For instance, visibility into anomalous spikes in traffic hitting a network security appliance could indicate an attack. More importantly, overall insight into network security device state can ensure that security controls are performing as expected and not impacting applications and user experience. “We have some traffic monitoring tools that the security team is sometimes interested in using to troubleshoot the performance of their hardware,” a network engineering director at a Fortune 500 healthcare company told EMA. “For instance, is the firewall introducing issues?”

Additionally, 40% of IT professionals believe that it’s valuable for an NPM tool to be able to correlate abnormal network health and performance telemetry with indicators of compromise or suspicious behavior. This insight can help security teams with their investigations of suspect activity by adding context.

Finally, 32% of organizations see value from an NPM tool’s ability to conduct inventory assessments. Such tools will compare network device inventory data with product security vulnerability reports from their networking vendors, such as product security response team (PSIRT) alerts. This feature allows network teams to identify potential product vulnerabilities on their network and install patches and software updates to close them. This feature improves the network team’s ability to comply with an organization’s cybersecurity policies and standards. Organizations that have the most success with network and security team collaboration were more likely to identify inventory assessments as a valuable security feature in an NPM tool.

EMA’s advice

If your network team is trying to improve how it works with the security team, a strong NPM tool might be a good foundation for getting started. EMA recommends that you explore the security insights that your network monitoring vendors offer. Even good visibility into the health and performance of firewalls can help bridge the collaboration gap.

If you’d like to learn more about EMA’s research on this topic, check out EMA’s free, on-demand webinar that highlights our NetSecOps report findings.