I had the opportunity to visit several companies over the years, and in many cases I could verify that their network and security teams suffered from a lack of network visibility, which left them unable to answer some important questions, for example:
What is the average traffic in the network?
What are the most used applications?
Who are the top talkers?
Are there unknown applications running in the network?
Why is there non-HTTP traffic on TCP port 80 going out of the network?
Many teams don't know the answers to the questions above, and this certainly makes them blind to what's going on in their networks.
The landscape has changed. We can't simply rely on our traditional security tools to track it for us, because they focus on the known, and many threats are far from it.
They're small. Targeted. Hard to detect. Well developed.
I'll ask you a simple question:
How many viruses were sent to your users today? By any means. 1, 10, 100?
Can you measure that?
Probably yes, you'll say: I can generate a report from my anti-virus solution and show it to you.
And what about the viruses that your solutions aren't aware of?
Tough question...
Hard answer...
The first step to answer it is to admit one thing.
Our security solutions are pretty good. They really are. But they can't protect us from every single exploit, malware, virus and other kind of attack.
So we must assume that we are under attack, were attacked, or will be.
And if we can't prevent every attack from reaching our network, we must respond to it. Quickly.
How to do that?
Focusing on everything.
Understanding how our network works, and then looking for strange behaviors.
Why is there so much network activity after work hours?
Why do we have outgoing traffic to uncommon countries or sites?
Why are people downloading PDFs with Flash content embedded?
Those questions are just the beginning, and if you know the answers to them, congratulations. You're doing great!
If not, it's time to look for them.
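As an added example (not code from the original post), here is how several of the questions above could be answered from flow records once you have them. The records, the working-hours window and the set of usual destination countries are constructed assumptions for a hypothetical network.

```python
from collections import Counter
from datetime import datetime

# Constructed sample flow records (not real data): the fields a flow sensor
# or proxy log would give you, including the first bytes of the client payload.
FLOWS = [
    {"ts": "2024-03-04T10:15:00", "src": "10.0.0.5", "dst": "93.184.216.34",
     "country": "US", "dport": 80, "bytes": 48000, "payload": b"GET / HTTP/1.1\r\n"},
    {"ts": "2024-03-04T11:02:00", "src": "10.0.0.7", "dst": "198.51.100.9",
     "country": "US", "dport": 80, "bytes": 12000, "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"ts": "2024-03-04T23:40:00", "src": "10.0.0.9", "dst": "203.0.113.20",
     "country": "RO", "dport": 443, "bytes": 900000, "payload": b"\x16\x03\x01"},
    {"ts": "2024-03-05T03:12:00", "src": "10.0.0.7", "dst": "198.51.100.9",
     "country": "US", "dport": 80, "bytes": 300, "payload": b"POST /up HTTP/1.1\r\n"},
]

# Assumed baseline for this hypothetical network; tune it to what you observe.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")
WORK_HOURS = range(8, 19)   # 08:00 to 18:59 is the working day
USUAL_COUNTRIES = {"US"}    # where this network normally sends traffic

def top_talkers(flows, n=3):
    """Who are the top talkers? Bytes sent, summed per source IP."""
    total = Counter()
    for f in flows:
        total[f["src"]] += f["bytes"]
    return total.most_common(n)

def non_http_on_port_80(flows):
    """Flows to TCP/80 whose client payload does not start with an HTTP method."""
    return [f for f in flows
            if f["dport"] == 80 and not f["payload"].startswith(HTTP_METHODS)]

def after_hours(flows):
    """Flows that started outside the working day."""
    return [f for f in flows if datetime.fromisoformat(f["ts"]).hour not in WORK_HOURS]

def uncommon_countries(flows):
    """Outbound flows to countries this network does not normally talk to."""
    return [f for f in flows if f["country"] not in USUAL_COUNTRIES]

def visibility_report(flows):
    """Answer the post's questions from one pass over the records."""
    return {
        "avg_bytes_per_flow": sum(f["bytes"] for f in flows) / len(flows),
        "top_talkers": top_talkers(flows),
        "non_http_on_80": [f["dst"] for f in non_http_on_port_80(flows)],
        "after_hours": [(f["ts"], f["src"]) for f in after_hours(flows)],
        "uncommon_countries": [(f["dst"], f["country"]) for f in uncommon_countries(flows)],
    }
```

Each flagged flow is a question to investigate, not a verdict: SSH on port 80 or a large upload at 23:40 may be legitimate, but you cannot know until you have the baseline to compare against.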
Best Regards