Effective network visibility and security rely on data enrichment: correlating data from multiple sources to identify relationships between network elements and produce a holistic view of user activity.
Flow-based monitoring solutions are widespread, but in reality they present a very narrow view of the network. Sure, they can identify which IP addresses are generating traffic or which applications are consuming bandwidth, but they often fall short of providing visibility from a user or security perspective.
So how can we achieve data enrichment for user visibility and security? A good starting point is to leverage data from other sources such as vulnerability management solutions or intrusion detection systems (more on this later), but an oft-overlooked, rich source of enrichment data already exists within the network. We typically ignore it because it is too difficult to harvest.
I am talking about edge monitoring – detailed monitoring and data collection from within each broadcast domain. Broadcast domain monitoring is usually ignored as it requires devices to be installed in each broadcast domain and as such, is expensive, especially in large enterprise networks.
The solution lies in coupling two technologies: the Internet of Things (IoT) and data extraction via deep packet inspection. The last few years have seen huge growth in low-cost, high-powered IoT devices that provide the perfect platform for edge monitoring. Dabble have leveraged this IoT technology to produce Bluecast – a low-cost, low-maintenance, zero-configuration device capable of extracting data from the edge.
The IoT component is clear, but what do I mean by data extraction via deep packet inspection? Well, let’s first take a look at what happens at the edge, that is, what happens only within the broadcast domain. If you ever have occasion to look at the output of a packet analyser in a broadcast domain (for example when you run Wireshark on a public Wi-Fi network at an airport), you will notice that network-attached devices love to talk to each other.
As soon as you connect, your laptop announces its presence and introduces itself to the rest of the broadcast domain (including its identity), and subsequently receives replies from a range of other sources with a plethora of information: gateway addresses, media servers, access points, DNS servers and so on … and that is just at the network level. Applications such as Skype, Dropbox, WhatsApp and many, many more also broadcast their intentions, identification and configuration.
Data extraction via deep packet inspection simply harvests this publicly available information, which is usually confined within each broadcast domain, and uses it as a source of data enrichment, providing a higher level of visibility for security and user-centric monitoring.
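To make the "devices love to talk to each other" point concrete, here is an added example (written for this page, not Dabble's or Bluecast's code) of the kind of passive decoding an edge sensor does. It takes UDP payloads seen on a broadcast domain and turns two common self-announcements into an identity table keyed by MAC address: mDNS responses (DNS wire format on port 5353, including compression pointers), and DHCP client messages (the hostname and vendor-class options a client sends before it even has an address). The two sample frames, MAC addresses, hostnames and IPs are constructed for the example, and the choice of mDNS and DHCP as the announcement types is my assumption about what "announces its presence" looks like on the wire; the page itself does not name specific protocols.

```python
import socket
import struct
from collections import defaultdict

DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def decode_dns_name(data: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS wire-format name (shared by mDNS and LLMNR), following
    compression pointers. Returns (name, offset just past the name)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2                    # resume after the 2-byte pointer
            offset = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns_records(msg: bytes):
    """Yield (owner, rtype, rdata_offset, rdlen) for each resource record in the
    answer, authority and additional sections of a DNS/mDNS message."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    offset = 12
    for _ in range(qd):                             # skip the question section
        _, offset = decode_dns_name(msg, offset)
        offset += 4                                 # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        owner, offset = decode_dns_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        yield owner, rtype, offset, rdlen
        offset += rdlen


def parse_dhcp(msg: bytes) -> dict:
    """Pull the client MAC and the identity-bearing options out of a DHCP message."""
    hlen = msg[2]
    fields = {"mac": ":".join(f"{b:02x}" for b in msg[28:28 + hlen])}
    if msg[236:240] != b"\x63\x82\x53\x63":         # DHCP magic cookie after BOOTP header
        return fields
    offset = 240
    while offset < len(msg) and msg[offset] != 0xFF:  # options are TLV, 0xFF ends them
        code, length = msg[offset], msg[offset + 1]
        value = msg[offset + 2:offset + 2 + length]
        offset += 2 + length
        if code == 53:
            fields["dhcp_message_type"] = DHCP_MSG_TYPES.get(value[0], str(value[0]))
        elif code == 12:                            # Host Name option
            fields["hostname"] = value.decode("ascii", "replace")
        elif code == 60:                            # Vendor Class Identifier option
            fields["vendor_class"] = value.decode("ascii", "replace")
    return fields


def build_inventory(frames) -> dict:
    """frames: iterable of (src_mac, src_ip, udp_dst_port, udp_payload).
    Returns {mac: {...}} merging what each host announced about itself."""
    inventory = defaultdict(dict)
    for src_mac, src_ip, dport, payload in frames:
        entry = inventory[src_mac]
        if src_ip != "0.0.0.0":                     # a DHCP client has no address yet
            entry["ip"] = src_ip
        if dport == 5353:                           # mDNS
            for owner, rtype, rd_off, rdlen in parse_dns_records(payload):
                if rtype == 1 and rdlen == 4:       # A record: hostname -> IPv4
                    entry["hostname"] = owner
                    entry["advertised_ip"] = socket.inet_ntoa(payload[rd_off:rd_off + 4])
                elif rtype == 12:                   # PTR record, target may be a pointer
                    target, _ = decode_dns_name(payload, rd_off)
                    entry.setdefault("ptr", {})[owner] = target
        elif dport == 67:                           # DHCP client -> server
            entry.update(parse_dhcp(payload))
    return dict(inventory)


# ---- constructed sample frames (not a real capture) ----
def _dns_name(name: str) -> bytes:
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"


def _mdns_response() -> bytes:
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)   # response, 2 answers
    a_rr = (_dns_name("Alices-MacBook.local") + struct.pack("!HHIH", 1, 0x8001, 120, 4)
            + socket.inet_aton("192.168.1.23"))
    # PTR rdata is a compression pointer (0xC00C) back to the name at offset 12
    ptr_rr = (_dns_name("23.1.168.192.in-addr.arpa")
              + struct.pack("!HHIH", 12, 0x8001, 120, 2) + b"\xc0\x0c")
    return hdr + a_rr + ptr_rr


def _dhcp_discover(mac: bytes) -> bytes:
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, 1, 12, 13]) + b"DESKTOP-7Q2K1"
            + bytes([60, 8]) + b"MSFT 5.0" + b"\xff")
    return fixed + b"\x63\x82\x53\x63" + opts


SAMPLE_FRAMES = [
    ("aa:bb:cc:dd:ee:01", "192.168.1.23", 5353, _mdns_response()),
    ("aa:bb:cc:dd:ee:02", "0.0.0.0", 67, _dhcp_discover(bytes.fromhex("aabbccddee02"))),
]

if __name__ == "__main__":
    for mac, facts in build_inventory(SAMPLE_FRAMES).items():
        print(mac, facts)
```

Run as-is it prints one identity record per sender: the Mac is identified from its own mDNS A and PTR records, the Windows host from the hostname and "MSFT 5.0" vendor class it put in its DHCP Discover. Keying on MAC rather than IP is deliberate: the DHCP client announces itself from 0.0.0.0, and on a busy segment addresses are reused, so the MAC is the stable handle for joining these records with flow data or IDS alerts later.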