Ask the Experts: What Are Active and Passive Security Appliances?

Welcome to Ask the Experts, brought to you by In this video, Intelisys’ SVP Cloud Transformation Andrew Pryfogle discusses the difference between active and passive security appliances, and how the challenges of analyzing security data creates opportunities for Sales Partners, with Masergy’s Andy Singleton. Learn more about cybersecurity solutions from the Masergy team here:

Andrew: Okay, guys. Let’s jump into another Ask the Experts session. We’ve been going through this Network and Data Security track and we’re bringing in different minds from the University faculty that can really help us get smarter on this topic. I’ve asked to come back to the studio again Andy Singleton, who is the Director of Security Solutions Engineering for Masergy. What we used to think of as Masergy as kind of our big global MPLS provider and intelligent networks, is now one of our leading providers around cloud-based security. Andy, welcome man.
Andy: Thank you so much. Good to be here again.
Andrew: Very cool. Hey, I want to dig into this real quick. We’ve talked about security appliances, right? The box that a customer might put at their prem that gives them some assurance of security around their data. Describe for us first–this is kind of a two-part deal–but describe for us first the difference between an active appliance versus a passive appliance. Define the difference between those first. What does that mean?
Andy: What I consider active appliance is something that has the traffic actually going through it and that appliance, maybe say a firewall, an intrusion detection, plus prevention system going on at the same time. Some of these UTM platforms like a Fortinet or a Palo Alto–great platforms–they’re typically used for actively monitoring traffic in real time and then making a pass, drop decision from a machine level.
Passive is more mirroring data off or taking copies of the data as traffic passes out one of these active devices. I just take a copy of that, send it out to a separate device where we do long-term analytics and analysis of the data to understand both trending and behaviors around it. They both fit because you absolutely need an active appliance. You need some sort of firewall, rotary detection platform, or something that’s actively watching traffic and making a pass drop decision.
The challenge however is a lot of the companies I work with that have deployed an active intrusion prevention system that’s based off systems. They’ll end up dropping some traffic they shouldn’t. In essence, you’ve not serviced yourself or dossed yourself. This has happened with many customers I’ve talked to. They say, “Well, we’ve turned that piece down, but we really need some long-term trending. We really need to understand how this traffic is impacting our business over a long period of time.” This is when you put in a passive system that’s really a big data play. You’re really gathering immense amounts of packet data, logged data these sorts of things, but in a manner that’s non-intrusive to the business. You’re just kind of monitoring. It’s kind of a big brother approach. You’re just looking at all these events, or looking at all this traffic and trending over a long period of time.
Andrew: Interesting. Interesting. That explains it then. This is kind of the interesting angle for me though. Whether I have an active appliance or a passive appliance, I also need to have the right people in place. Security–we’ve talked a lot about it in this track. There’s a huge people element to this, isn’t there? Who is analyzing that data and who is making kind of the human decisions–not just the AI–but the human decisions around taking corrective action? Why is that a challenge for so many companies and where does that present opportunities perhaps for our partner community?
Andy: Absolutely. You got a challenge with all of these enterprises today where we’re all constrained on IT resources. We’re all strung in. Everybody is extremely busy. Most companies don’t have the time to put in say a 24 by seven security operation center or a network operation center. Somebody to actively watch these things. There’s no magic bullets with these systems. Neither active or passive. You can’t throw in a system and it’s magically going to be able to understand what is a threat and let that traffic be dropped and understand what is acceptable and pass that traffic.
You’ve got to have somebody looking at these things 24 by seven. You take a system, active or passive, but you take one of these systems and what you’re able to trend–you kind of let the machine do what the machine does best. That’s correlate data. Understand and mangle together unstructured data whether that’s packet, log events, scan events, whatever the case may be. Then boil up the important things to the top. As an IT manager, now I’ve got a smaller list of what should be the most important thing to look at. I’ve got that needle and a haystack. I’ve found it. Then I take action on that.
Andrew: Got it. Interesting. You can get a lot more purposeful and presumably a lot faster at closing down risks.
Andy: Yeah, absolutely. You quickly narrow into the thing that’s most important to the business. You got a big problem out there right now with alert fatigue. This is what we hear and what I’m sure what a lot of you folks hear every day is, “I don’t have time to look at all these events, look at all these logs on a day-to-day basis. There’s just too many of them.”
Andrew: Yeah.
Andy: Ninety-nine percent of them are not a threat anyway. The system just pulls them out because it sees something that should be looked at. You got to have machine intelligence to really filter up or bubble up that needle in a haystack and then focus in on that one percent that, “Hey, this could be our problem.”
Andrew: Right. Right. Got it. Fantastic. Hey, that’s really, really helpful stuff. Of course Masergy has a complete security operation center. Staff with really smart people looking at this data and helping customers make decisions all the time. Am I correct?
Andy: Absolutely. We’ve got a Tier 1, Tier 2, Tier 3 SOC Analysts, security operation center analysts. Their job 24/7 is to look for security events. Whether that’s with a specific customer or on the industry itself. Plus a threat intelligence team. You put something together like that, you’ve got breadth of security professionals that most companies, even the big ones, cannot build. In this way we position ourselves as an extension of the IT staff for these businesses. We in essence become that day-to-day tactical type piece where we’re looking for that needle in a haystack. We’re constantly looking for threats against the business and providing that substantiated evidence to these companies so that their IT staff, or their security personnel, can be much more strategic to the business. Strategic to the business meaning how I’m operating with my other partners, with my other vendors, how’s my user education, what compliance thing should I be adhering to as a corporation of XYZ type.
Andrew: Yeah, yeah. Good deal. Hey, great stuff. Andy, thanks again for jumping in. It’s always awesome to have you in here helping us get smarter about security stuff. Thank you.
Andy: You bet. Thank you guys.
Andrew: Good deal. Guys, that’s Andy Singleton. He’s a Director of Security Solutions Engineering for Masergy. One of our go-to cloud providers for cloud-based security solutions. Big, big hot topic right now and a great jumping off point for your conversations with customers. Dig into the University here and into the learning center for Masergy. They’ve got some great information. I will also plug. They also have a very detailed certification track dedicated to Masergy and this topic of network and data security. Get smart, guys. It will pay off for you big in the cloud security space. Good selling.