Networks are the transport fabric for all IT however in the modern world they have become harder to access and monitor. Attackers inevitably leave traces on the network, and for this reason defenders understand the value of high-quality network evidence. But given the rise of encryption, digital transformation, Zero Trust architectures, and SASE… is it even feasible to collect network evidence anymore? Maybe we should throw in the towel and do without it?

In this ISC2 security briefing we make the argument that network evidence has never been more relevant to security operations teams, but our techniques for gathering and analysing it need to evolve as application architectures and access patterns continue to change. Network evidence needs to be readily available within cloud-native architectures such as Kubernetes, and it should offer insight even when the traffic being analysed must remain encrypted. We need a revolution in thinking about the ways and means by which network evidence can be collected. In some sense the boundaries between host and network may dissolve.