In my work as a Technical Solution Architect with a background in digital experience monitoring (DEM) and security, I get this question a lot: Now that I’ve invested in DEM, can this technology help my organization improve its security posture?
Time to shed some light on that subject. This blog is not intended to give a deep dive into all configuration possibilities in the ThousandEyes platform, but it is more of an overview of what to think about when deploying digital experience monitoring with security in mind.
Before we can get into the “what” and “how” of DEM for security, let's first look at what security actually is. This alone can be fuel for a lot of debate, but I’ll stick to the C.I.A. triad: Protecting Confidentiality, Integrity, and Availability.
The C.I.A. triad can be implemented only if you have visibility. Because you can’t control what you can’t see, it stands to reason that you can’t deliver digital experience if you can’t measure it.
Applicability
This blog is applicable to publishing services on the Internet. Be it your corporate website, an e-banking portal or an e-business API, you are responsible for the confidentiality, integrity and availability of that service. I still notice that when publishing services, many people don’t feel a responsibility beyond their own perimeter; “If my lights are green, I’m happy,” is a common sentiment.
That statement is not really valid anymore (if it ever was). Regardless of who owns the infrastructure, you are still responsible for the experience your users and customers have. In today’s hyper-competitive market, saying “The Internet was down,” isn’t a valid excuse for service impairments.
Availability
The first leg of the triad to where DEM comes in is “availability.” Making sure that services can be accessed by authorized parties. The big question is: When is a service, and thus data, actually available? We established that an internal-only view isn’t enough anymore, so what do we really need?
Availability online often starts with the Domain Name System (DNS) translating a user-friendly URL like www.thousandeyes.com to an IP address like 2600:9000:2182:6c00:1f:b7eb:e340:93a1 or 13.226.155.78. After DNS is done, a TCP session will be set up from the client to the web server. Both the client’s and the server’s Internet Service Providers leverage Border Gateway Protocol (BGP) to exchange routing and reachability information, allowing the client to access the server.
The website itself might be hosted on a Content Delivery Network (CDN) to offload and protect the original server where the content is hosted. Once the destination is reached, an SSL handshake will be performed to form a secure connection between client and server. Once all of this has been performed, the actual page can be loaded.
In this example, which arguably represents a fairly simplified website, we have BGP, DNS, multiple Internet Service Providers, SSL Certificates, and CDN providers—all of which are external dependencies that make a simple site available. This is in addition to the infrastructure needed to actually host the website. Needless to say, if you want to be in control of availability, you need to monitor this entire digital experience delivery chain. This is where ThousandEyes comes in.
In Figure 1 below, you can see what external monitoring looks like in ThousandEyes. All dependency layers are displayed in a time-correlated manner. Starting with the core of the Internet, BGP. Our BGP monitoring provides all information about reachability, path changes, and updates to global Internet routing. From there, we move to the network layer, creating a hop-by-hop overview of what the Internet looks like for your application—as well as from the locations relevant to your customers. That gives us a global view, correlating application experience with network behavior.
Now that we have insight into BGP and the network, it’s time to move to the higher layers. Each vantage point will independently perform a DNS lookup and connect to the corresponding server, giving detailed insights into how geo load balancing works (i.e., is DNS performing consistently around the globe and are all HTTP sessions being handled as they should).
The last step is diving into the details of the webpage served. By using a page load or a Selenium transaction, the content and workings of the website itself can be tested and monitored.
Bringing this all together gives us a detailed view about the availability of the services you provide. Not only for the parts you control, but for all dependencies in the delivery chain.
Confidentiality and Integrity
Security, of course, doesn’t stop at availability. A cynic might say that confidentiality, integrity and the Internet will never go hand in hand. While there is some merit to that, the billions of banking transactions that are handled each day beg to differ.
“Integrity” and, with that, “confidentiality” on the Internet starts with BGP and DNS. If somewhere in the world, an adversary is able to influence these cornerstones of the Internet, everything else is lost. Prominent examples, like this attack on Amazon ’s Route 53 DNS service or this BGP issue impacting Cloudflare, show just how vulnerable these components can be.
ThousandEyes will alert your SOC when part of your IP space is announced from a different AS (indicating a BGP leak going on) or if, for example, a domain-to-IP mapping is changed around the globe (catching tampering with DNS as it happens—a common attack that is hard to catch without an external view.)
Checking the S in HTTPS
Another pillar in secure application delivery over the Internet is SSL/TLS. With the rise of Content Delivery Networks and cloud delivered applications, a big portion of key management is moved out of enterprises’ control, increasing the need for external monitoring. If a third party uses a weak cipher, it's something you want to receive an alert on, as are improperly signed certificates or (nearly) expired ones.
With the comprehensive SSL Monitoring capabilities ThousandEyes implemented late last year, all aspects of SSL can be monitored (shown in Figure 2) . From an availability standpoint, the expiration date is relevant, but from a confidentiality point of view, the use of weak ciphers is more concerning. Should a self-signed certificate or different signing chain appear suddenly somewhere, red flags should go up immediately.. Again, the global reach of ThousandEyes makes this type of visibility possible.
Conclusion
While digital experience monitoring doesn’t stop a BGP hijack, DNS poisoning attack or other malicious activity from happening, the global visibility that ThousandEyes provides means that these attacks won’t go unnoticed—closing the window of opportunity for bad actors and providing you with clear forensic data of the event. Schedule a demo with our team today to see how ThousandEyes digital experience monitoring helps give you the visibility you need for a secure digital posture.