For years we have relied on syslog- and NetFlow-style logging, convinced that we could easily correlate events, find security issues and forensically reconstruct what happened. Then reality sank in. Multiple devices sharing one IP address behind NAT. Proxy servers. Spoofed source addresses. Big investments in SIEM and correlation tooling became big work just to get the most out of them. There has to be a better way!
Well, there is. We swap the perimeter-security, port-forwarding, DMZ-firewall world for a Zero Trust Network Architecture. Each request carries a cryptographically signed token (a JWT) in a header, and the receiving service verifies that signature before honouring the request. We audit based on the verified contents of that JWT, not on where the packet appeared to come from.
Now the IP address, the 5-tuple lookup, who held that DHCP lease and spoofing no longer matter. Each request carries the token's subject claim (sub), an opaque unique identifier such as a GUID for the principal making the request (for example, the user); the per-token ID claim (jti) distinguishes one issued token from the next, so replays can be spotted too. Correlation becomes an exact match on sub: no complexity, no confusion, no lining up timestamps against DHCP and NAT tables, no inside-the-NAT vs outside. Simple. Secure, as long as every hop checks the signature instead of trusting the decoded claims. Learn more in the video below!
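The audit-by-token idea above, as an added example that is not code from the original post or from the video it refers to: a small Python correlator that verifies each request's HS256-signed JWT, rejects forgeries (wrong key, alg=none) and expired tokens, and groups the surviving requests by sub regardless of which source IP they arrived from. The key=value log format, the signing key, the subject GUIDs, the jti values and the IP addresses are all constructed for the demo; a real deployment would verify RS256/ES256 signatures against the issuer's published public keys (JWKS) rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Optional

# Constructed demo keys and clock. Production would use the IdP's JWKS, not a shared secret.
SIGNING_KEY = b"demo-signing-key-not-for-production"
ATTACKER_KEY = b"attacker-guessed-key"
NOW = 1_700_000_100          # fixed "current time" so exp checks are deterministic
EXP = NOW + 3600

ALICE = "a3c2d6e1-5b7f-4e2a-9c1d-0f8b7a6e5d4c"   # constructed opaque sub values (GUIDs)
BOB = "7e9f1b2c-3d4a-4f5e-8a6b-1c2d3e4f5a6b"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a JWT. alg="none" exists here only to produce a forged sample token."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims only if the token is HS256-signed with `key`, has a sub, and is unexpired."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":            # pin the algorithm: rejects alg=none and confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        if not isinstance(claims.get("sub"), str) or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, json.JSONDecodeError):     # malformed base64/JSON/structure
        return None


def parse_line(line: str) -> dict:
    """Constructed log format: space-separated key=value pairs (src, req, jwt)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def correlate(log_lines, key: bytes = SIGNING_KEY, now: int = NOW):
    """Group verified requests by sub; the source IP is kept only as an annotation."""
    by_sub = defaultdict(list)
    rejected = []
    for line in log_lines:
        f = parse_line(line)
        claims = verify(f.get("jwt", ""), key, now)
        if claims is None:
            rejected.append(f"{f.get('src', '?')} {f.get('req', '?')}")
            continue
        by_sub[claims["sub"]].append((claims.get("jti"), f["src"], f["req"]))
    return dict(by_sub), rejected


def issue(sub: str, jti: str, key: bytes = SIGNING_KEY, alg: str = "HS256", exp: int = EXP) -> str:
    return mint({"iss": "idp.example", "sub": sub, "jti": jti, "exp": exp}, key, alg)


def build_sample_log():
    """Constructed sample log: a NAT'd office, a roaming user, two forgeries and a stale token."""
    return [
        # Alice and Bob share one NAT address: the 5-tuple cannot tell them apart.
        f"src=203.0.113.7 req=GET:/api/orders jwt={issue(ALICE, 'j-0001')}",
        f"src=203.0.113.7 req=POST:/api/orders jwt={issue(BOB, 'j-0002')}",
        # Alice again from a different address (mobile): same sub, new token.
        f"src=198.51.100.9 req=DELETE:/api/orders/42 jwt={issue(ALICE, 'j-0003')}",
        # Forgeries claiming to be Alice: signed with the wrong key, then alg=none.
        f"src=192.0.2.55 req=DELETE:/api/orders/43 jwt={issue(ALICE, 'j-0004', ATTACKER_KEY)}",
        f"src=192.0.2.55 req=DELETE:/api/orders/44 jwt={issue(ALICE, 'j-0005', alg='none')}",
        # Genuine but expired token from Bob.
        f"src=203.0.113.7 req=GET:/api/me jwt={issue(BOB, 'j-0006', exp=NOW - 1)}",
    ]


if __name__ == "__main__":
    by_sub, rejected = correlate(build_sample_log())
    for sub, events in by_sub.items():
        print(sub, events)
    print("rejected:", rejected)
```

Run as written, Alice's two requests land in one bucket even though they came from two different addresses, Bob's request from the same NAT address as Alice lands in his own bucket, and the three bad tokens are rejected before they can pollute either one. The point of the alg pin and the constant-time compare is that the audit trail is only as trustworthy as the verification in front of it.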