I must confess, there was just the slightest sense of schadenfreude when I first heard of the Solarwinds hack. I mean, Solarwinds are a behemoth in the network performance monitoring space and a competitor to boot – so the idea that they had suffered a significant breach that effected a bunch of major Government Departments, as well as potentially over 400 of the Fortune 500 organisations in the USA, was initially quite tantalising.
But on reflection, this breach does no good to anyone (except perhaps the malicious actors responsible). As a software vendor, Solarwinds have an wide portfolio of excellent network performance monitoring products. As a competitor, Solarwinds would hardly recognise a smaller player like Byte25 as a threat. But as a Solarwinds customer, many must be scratching their heads as to how exactly a ‘monitoring’ company failed to ‘monitor’ the activity that brought about the breach in the first place.
And here lies the enormous irony. Solarwinds are market leaders in the network performance monitoring space, a task they perform very well. And whilst there are a few security products in their portfolio, their predominant focus is on network performance monitoring and network management. And yet, even with the best network monitoring tools, they were still unable to detect the very network activity that caused the breach in the first place.
Customers deserve better than this. Modern network performance monitoring tools should go beyond the traditional metrics of throughput and latency to embrace the growing cyber needs of organisations. Certainly I am not suggesting that performance monitoring tools can replace existing deep dive cyber tools like vulnerability scanning or log analysis via SIEM systems, but I am definitely advocating that performance monitoring tools can, and should, play a more proactive part in identification and remediation of cyber security threats that traverse the network.
In short we need to move beyond network performance monitoring to a new discipline of ‘network visibility’ that encompasses aspects of cyber security. At a minimum we should be correlating network flow information from deep packet inspection engines with that of intrusion detection systems to provide deeper insight into security events. But further, the implementation of machine learning and anomaly detection to identify outlying events, such as hosts communicating with malicious command & control servers as is the case with the Solarwinds breach.
Network visibility is by no means a panacea, but it is a step in the right direction to maintaining network integrity for our customers. Coupling network performance monitoring with cyber security to build network visibility tools is an excellent starting point and the primary focus for the Byte25 roadmap. We will hopefully see other more agile network performance monitoring vendors start to embrace this philosophy to help keep their customers safe.