Host-based Versus Network-based Security
The argument is an old one; are you better off with a network-based detector, assuming all hosts will eventually communicate, or should you look at each host to determine what they are up to?
Over five years ago, the network was far simpler. There was a clear perimeter – us versus them, if you will. You could examine all traffic at the egress point (so-called North/South traffic) for potentially hostile patterns while pretty much ignoring local traffic (so-called East/West traffic) as usually benign. This is usually done with the help of attack signatures which are updated periodically. In other words, classic network-based, signature-driven detection.
This applied to firewalls. You could be network-based and/or have one for each host. The attraction of the network-based firewall is simplicity; one device to deploy and manage versus the hassle of configuring one firewall per host. Notice that this depends on the traditional (simple) network with a clear us/them perimeter. But that is a pretty simple, traditional model that is vanishing fast. Applications are moving to the cloud and the perimeter is porous. You pretty much need a micro-fortress around a host or location.
So, what arguments are the network-based passive monitoring solutions making for themselves? And how do they stack up against a host-based managed solution? Let me count the ways…
Claim: Passive network monitoring has no impact on endpoint performance
Response: A well-designed, user-space host-based solution has virtually no impact on the endpoint

Claim: A network-based solution is transparent to system users
Response: The host-based sensor runs as a service and is also invisible to users

Claim: Network monitoring is invisible to attackers
Response: Insiders know of its existence because they have access to the network diagram; every external attacker assumes that network traffic is being monitored and seeks to be stealthy

Claim: Network-based monitoring can listen to all endpoints, regardless of type; no specific sensor is needed
Response: A host-based sensor must be provided for each endpoint type; the common ones are Windows and Linux

Claim: Passive network monitoring devices are easy to install
Response: When host-based sensors are provided as a managed service, they are also simple to install

Claim: When monitoring at the egress point only, endpoints can move or be added with no extra effort
Response: Endpoints are usually not added/moved randomly, but through a defined process; extending this process to accommodate sensor deployment is no more work than deploying patches or anti-virus
And then here are the challenges with network-based monitoring…
Challenge: Network-based signatures are always out-of-date or lagging
Problem: Zero-day attacks are not detected; maybe worse, detection is limited to attacks with signatures only

Challenge: Packet inspection is blind to encrypted traffic
Problem: North/south network traffic is increasingly encrypted

Challenge: Packet inspection is hard to scale as network speeds increase
Problem: OTOH host-based approaches scale neatly both up and down; we're going to need a bigger boat

Challenge: Network monitors can't handle switched networks; they require span ports
Problem: Now you need span ports, more hardware, and networking skills

Challenge: Network monitors usually can only see north/south traffic
Problem: Insider threat, anyone? Remember Nyety? It spread laterally. Here's an article about how to detect it.

Challenge: Network monitoring is blind to host activity; new processes, removable media
Problem: Remember Edward Snowden?

Challenge: Network monitoring does no log collection; therefore, it can't meet compliance requirements
Problem: PCI-DSS, NIST 800-171, and all other compliance standards mandate log collection and retention for 1+ years to be able to perform forensics
And now, the advantages of a host-based solution…
Advantage of a Host-based Solution
Collect audit trail; meets compliance needs
Develop detailed understanding of user behavior; fight insider attacks
Scales well; no single choke point
Detect subtle patterns of misuse which can’t be seen at a higher layer (first-time-seen, zero day)
Effective for encrypted traffic as well
Sees all actions including east/west
Effective against removable media
Works even in switched networks
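The "blind to host activity" challenge above and the "first-time-seen" advantage both come down to telemetry that only exists on the host: process lineage and removable-media mounts. The following added example (not Netsurion or EventTracker code) shows the shape of such a detector over constructed host events; the event fields, the hypothetical baseline pairs and the alert format are assumptions for illustration.

```python
# Added example, not part of the original article or the EventTracker product.
# A minimal host-based "first-time-seen" detector: flags parent/child process
# pairs never observed before (across all hosts) and every removable-media mount.
# A packet inspector at the egress point never sees either kind of record.

# Constructed sample host events, loosely shaped like Windows process-creation
# and removable-media mount records (hypothetical field names).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "user": "alice", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "type": "process", "user": "alice", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws01", "type": "process", "user": "alice", "parent": "winword.exe", "image": "powershell.exe"},
    {"host": "ws02", "type": "process", "user": "bob", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws02", "type": "media", "user": "bob", "device": "E:", "label": "USB_DISK"},
    {"host": "ws01", "type": "process", "user": "alice", "parent": "winword.exe", "image": "powershell.exe"},
]

# Hypothetical baseline learned during a quiet period: lineage that is normal here.
BASELINE_PAIRS = {("explorer.exe", "outlook.exe"), ("outlook.exe", "winword.exe")}


def detect(events, known_pairs=None):
    """Return a list of alerts, in event order.

    A process event alerts only the first time its (parent, image) pair is
    seen; the pair is then added to the baseline so repeats stay quiet.
    A removable-media event always alerts, since the point is visibility.
    """
    seen = {(p.lower(), i.lower()) for p, i in (known_pairs or ())}
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            pair = (ev["parent"].lower(), ev["image"].lower())
            if pair in seen:
                continue
            seen.add(pair)
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "reason": "first-time-seen process lineage",
                           "detail": f"{pair[0]} -> {pair[1]}"})
        elif ev["type"] == "media":
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "reason": "removable media mounted",
                           "detail": f"{ev['device']} ({ev['label']})"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE_PAIRS):
        print(f"{a['host']} {a['user']}: {a['reason']} [{a['detail']}]")
```

With the baseline supplied, only the Office-spawns-PowerShell lineage and the USB mount fire; with no baseline every new pair fires once, which is the learning-window behaviour a real sensor would tune.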
And to be fair, how to address the challenges…
Challenge: Sensor deployment to nodes
Response: Our solution is a managed service; leave the deployment/configuration to us

Challenge: Sensor can impact node performance
Response: The EventTracker Windows sensor consumes 0.1% of memory/CPU resources and 0.001% network bandwidth

Challenge: Adding nodes means adding sensors
Response: It's no more complicated than deploying anti-virus

Challenge: Can't see all network traffic; only those where a sensor is installed
Response: The next-gen firewall you already paid for does see this traffic; we get all of its logs, so why duplicate effort/cost

Challenge: Sensor must be available for chosen platform
Response: An EventTracker endpoint sensor is available for Windows, Linux, AS/400, and IBM iSeries
Don't bring a knife to a gunfight. Passive network monitoring may be attractive because of deployment simplicity and the fit-and-forget promise, but it is not capable of solving today's network security and compliance challenges.