First there was the network operations center – NOC. Then someone decided that security functions should have their own home, so the security operations center – SOC – started to evolve. There is one big problem in today's networks, though. Modern networks are very large and tend to have fuzzy perimeters. Modern attackers focus on blended threats, which means that detection and interdiction are becoming increasingly difficult.
Because of these developments in both network architectures and attack technologies, much of the information that is needed by information security analysts is developed by the network engineers and, conversely, the NOC engineers need to know when a security incident may be causing network anomalies.
An example of that is a SQL Slammer attack I worked on a few years back. The Slammer worm generates pseudo-random target addresses and in a confined network it can take quite a while to generate the first useful address. However, since the worm uses User Datagram Protocol (UDP) packets, an increasingly large number of Internet Control Message Protocol (ICMP) return packets – address or port unreachable – are generated as the worm tries to find addresses/ports to infect. The NOC saw that increase, but did not give it the importance that the SOC might have.
So, today, there is quite a bit to be said for combining some NOC and SOC resources. That is where AccelOps enters the picture, because that is exactly what their latest product does. AccelOps v1.6 combines most of the analysis functions needed to manage the network with those needed to manage network security. The product can be delivered as a virtual appliance or provided as an SaaS offering. When provided as SaaS, the only thing at the premises is a collector that gathers information from the network and feeds it back to the analyzer for analysis and reporting.
The idea behind AccelOps is that in today's networks, everything – including most attacks – happens at the protocol level, so it makes sense that packet analysis is as important to network performance as it is for network security, The AccelOps product is not just a monitor of monitors, though. It is, in its own right, a legitimate analysis tool that covers a very broad range of protocols and devices.
Architecturally, AccelOps can view network behavior from the bottom up (incoming data) or from the top down (services). This allows discovery and correlation of incoming data, much the way a SIEM works, while at the same time providing a view into the various business services on the network. The result is that the audience for this tool is as broad as its abilities.
At the executive management level, business alignment information helps executives make tough decisions. At the operations and engineering level, data that helps manage and protect the network is available – along with appropriate reporting at both ends of the user spectrum. Of course, in order to take advantage of this breadth of capability, appropriate analysis tools need to be available, as well as compliance-driven reporting. All of that is part of the product.
Other nice features include automated discovery and network mapping, change management availability and performance management. To help you get started with this powerful device, there are over 700 pre-packaged reports and 400 rules available right out of the box. The product is policy-driven, so this suite of pre-defined rules and reports allows rapid customization.
Drill-down allows views into the original source of data. So, for example, selecting a device – such as a switch – and drilling down will show the device's configuration. The level of detail and comprehensive information is as good as anything I've seen, and it's better than most.
Another capability that I especially like is the ability to analyze the aftermath of a security incident. Since many incidents have a direct affect on the network, it is useful to collect as much data as possible during the incident. AccelOps does this and lets you see those results in a way that makes it easy to put them in context.
The product does not sit inline and is a monitor only. In that regard, it is a solid monitoring tool and it does not present a bottleneck in network performance. In order to address users of all levels, the product sports a very useful, if a bit crowded, dashboard. Pricing is reasonable for mid-sized and larger companies. With both SaaS and virtual appliance delivery models, this powerful tool can fit into just about any architecture. However, the product really shines when it is managing a virtual/cloud environment.If you have a medium-to-large network to manage, this one is worth looking at. But when you do, bring both your network and security engineers because it has powerful capabilities to support both. – Peter Stephenson