“Appropriate security controls should be identified and implemented in a virtualized environment that provide the same level and depth of security as can be achieved in a physical environment.”
Much of the requisite security technology is not present inside the virtualized environment itself. In addition, security analysis done exclusively within the virtualized environment may not provide the holistic view you require to detect sophisticated attacks.
A network visibility architecture can quickly turn a passive monitoring infrastructure into an active, adaptive, and proactive visibility and security solution. Security professionals and network engineers can set pre-defined triggers in their performance and security monitoring tools to raise flags and address immediate threat issues.
With a well-integrated visibility solution, these performance and security monitoring tools can be set to immediately kick off a secondary set of capture, analysis, correlation and inspection actions based on the individual pre-defined triggers. These automated response actions make the overall integrated visibility infrastructure or architecture more powerful and useful than the sum of its individual components.
Examples of these automated responses based on pre-defined events or data triggers include, but are not limited to:
When used with SIEM tools, a visibility solution provides dynamic incident remediation. It will automatically capture packets from security events identified by the SIEM, speeding root cause analysis, eliminating time-consuming manual steps, and simplifying compliance.
A visibility architecture's automation capability complements a SIEM's ability to detect, analyze, and respond to security threats. When a SIEM tool detects an anomaly, the visibility architecture automatically sends the relevant traffic to a forensic recorder or other security probe. Incident remediation begins the instant an anomaly occurs, with the required packet information already in hand.
Forensic recorders, malware protection systems, and data loss prevention appliances are only as useful as the data they receive. When you automate data center monitoring, the right traffic is sent to the right monitoring tool at the right time. Threats are resolved effectively and quickly with the right packet information, fully leveraging existing forensic recorder and security appliance investments.
A key concern for security professionals is the sensitivity of data being monitored, typically for GRC or privacy reasons. Handling sensitive personal information (SPI) is an emerging issue.
With copies of packets generated and transported across the monitoring network for analysis purposes, another attack avenue is opened (even if the data never leaves the organization). Insider threats are real and can be very expensive.
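As an added example, not code from the original page or any vendor product, the following Python sketch shows the trigger-to-action step described above together with the sensitive-data caveat: a constructed SIEM alert is turned into a capture rule that names a BPF filter for the flagged flow and the monitoring tool to receive it, and captures touching a segment that holds SPI are limited to packet headers so full payloads never cross the monitoring network. The alert fields, tool names and the SPI segment are assumptions.

```python
"""Trigger-driven capture: map a SIEM alert to a packet-broker capture rule."""
import ipaddress
import json

# Assumed tool map: which alert category is routed to which monitoring tool.
TOOL_FOR_CATEGORY = {
    "malware": "malware-protection",
    "exfiltration": "dlp-appliance",
}
DEFAULT_TOOL = "forensic-recorder"

# Assumed segment carrying sensitive personal information (SPI). Captures
# involving it are truncated to headers (snaplen 96) instead of full packets.
SPI_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]

def bpf_for_alert(alert):
    """Build a BPF filter that matches only the flow named in the alert."""
    parts = [f"host {alert['src_ip']}", f"host {alert['dst_ip']}"]
    if "dst_port" in alert:
        parts.append(f"{alert.get('proto', 'tcp')} port {alert['dst_port']}")
    return " and ".join(parts)

def touches_spi_segment(alert):
    """True if either endpoint of the flow lies in an SPI segment."""
    return any(ipaddress.ip_address(alert[k]) in net
               for k in ("src_ip", "dst_ip") for net in SPI_SEGMENTS)

def capture_rule(alert, min_severity=5):
    """Return a capture rule for the alert, or None if below the trigger threshold."""
    if alert.get("severity", 0) < min_severity:
        return None
    return {
        "event_id": alert["event_id"],
        "filter": bpf_for_alert(alert),
        "tool": TOOL_FOR_CATEGORY.get(alert.get("category"), DEFAULT_TOOL),
        "snaplen": 96 if touches_spi_segment(alert) else 0,  # 0 = full packet
    }

def process_alerts(alerts):
    """Apply the trigger to every alert; keep only the rules that fired."""
    return [r for r in (capture_rule(a) for a in alerts) if r]

# Constructed sample alerts, as a SIEM might emit them.
SAMPLE_ALERTS = [
    {"event_id": "evt-1001", "severity": 8, "category": "malware",
     "src_ip": "192.0.2.15", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"event_id": "evt-1002", "severity": 7, "category": "exfiltration",
     "src_ip": "10.20.4.9", "dst_ip": "203.0.113.50", "dst_port": 22},
    {"event_id": "evt-1003", "severity": 2, "category": "scan",
     "src_ip": "192.0.2.200", "dst_ip": "192.0.2.1"},
]

if __name__ == "__main__":
    print(json.dumps(process_alerts(SAMPLE_ALERTS), indent=2))
```

The low-severity scan alert produces no rule, the malware alert is captured in full to the malware tool, and the exfiltration alert from the SPI segment goes to the DLP appliance with headers only.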