I can’t tell you how many calls I’ve been on where the NetOps and SecOps teams really don’t know what the other is doing. Sadly, in today’s remote-work-centric world, the relationship between the two teams has become vital in making sure the end users not only have the resources they need, but at the same time, making sure everything is safe and up to compliance requirements.
One of the new features of Plixer’s new Network Intelligence and Security Intelligence modules is the ability to create report collections. With this function, both teams can provide an intelligent and guided method of passing along investigation information to their team or other teams within the company.
So what’s the value? The best way to explain is to demonstrate the workflow. In this example, we have Jim. Jim is super intelligent, handsome, and an essential part of the NetOps team. One day, he looks at the alarm under Scrutinizer’s alarm monitor and sees something suspicious. Jim, being Jim, is brushing up on his SecOps skills and knows that this needs further investigation but doesn’t have the knowledge or resources to determine if this is a threat or not. Jim needs to escalate the issue.
Step 1: NetOps sees a suspicious login alert in their alarm monitor
In this situation, Jim was investigating another alert that Scrutinizer brought to his attention. While digging around, he saw an uptick in the Audit Access Alarm. Normally, this isn’t something that he takes care of, but he decided to dig a bit further.
First he saw that there were 3941 violations that were marked as critical. Since that was a flag, he clicked on them. This action filters the alarms to show you all that are critical. Under the policy list, he saw “Audit Access.” This isn’t something that he normally deals with, but being the aspiring security engineer, he decided to dig further and saw “alarmSeverity” in the violations timeline. From the timeline, he could see some activity, but nothing out of the ordinary. The larger areas on the timeline represent the number of hits during that time period. Again, things looked normal.
Under the Alarm Policy screen, you get a quick snapshot of all the hosts involved with that policy violation—specifically Top Violators and Top IP groups. Top IP groups was where the issue was in this example, because Jim saw an unauthorized group in the list.
Jim needed to dig down a bit further, so he clicked on alarmSeverity and could clearly see that the 192 address was flagged. Again, this IP shouldn’t be on this network at all, let alone accessing Scrutinizer.
The next step was to learn a little bit more about what this host was doing. Jim quickly clicked on the host and was brought to the host report screen. Here you can see things like the host’s Activity Timeline, as well as Top Alarms and Top Applications for that specific host. Jim wanted to see in detail what applications were involved, so he clicked on the report’s icon in the right-hand side of the Top Applications gadget. This brought up a Conversations report already filtered to that host and showing what applications were being used.
He then switched the report over to Pairs > Host to Host to see who that IP was talking to. After reviewing the conversation data from the past 24 hours, Jim could quickly see that this required deeper investigation and he needed to escalate this to his buddy Stu on the SecOps team.
Step 2: Add the info to a Collection and send it off to SecOps
In the past, Jim would have had to export each report and send the information over to SecOps for further investigation. The process was a hassle and the SecOps team wanted nothing to do with it. Well, today we have the collections feature and Jim was the first to take advantage of it.
As Jim dug deeper into this mystery, he made sure to add each report to a collection titled “Stu.” Because the collection engine is integrated with ServiceNow, a ticket would be issued and Stu would be assigned.
Now when Stu logs in, he is not only presented with the abnormality that Jim found along with the supporting conversation data, but he will also have all the notes that Jim took during his investigation. Although the two different teams look at things in different ways, they can leverage the same data and save a lot of time.
In today’s ever-changing world, we face an increased number of remote employees. Making sure that both your NetOps and SecOps teams have the data necessary to quickly investigate issues on your network is a top priority. Are you looking for conversation-rich visibility along with the flexibility to integrate that data into your current environment and share across departments? Why not evaluate Scrutinizer?