Complex and heterogeneous networks are the new reality for enterprises. Equifax is a great case study – the credit reporting company maintains 600-1,500 separate domains, sub-domains and perimeters that externally face the internet. Whoever hacked it was probably overwhelmed with the number of options he could have used for a way in. Obviously, these complex setups make visibility and threat detection even more indispensable for a modern security program.
As cloud adoptions intensify, the workforce becomes more mobile and relies more heavily on remote access to data. Applications and traditional workloads are moved to the edge while the perimeter slowly dissolves. By 2022, it is estimated that more than 50% of enterprise data will be created and processed outside the data center. Security focused on the perimeter is inadequate when borders are changing and when enterprises use IaaS, PaaS and SaaS operations. In this new environment, a network-centric approach to security expands network visibility and reinforces threat detection capabilities.
Network complexity increases the need for visibility
Complex networks are defined by elaborate topologies that make the inference of the connections between clients, applications and other network components difficult. Complexity promotes the degradation of network visibility. Without visibility, awareness of data flows and network activity disappear and malicious events and indicators go undetected and unmitigated. Threat detection and response is, after all, entirely dependent on access to visible, actionable data.
In addition, this complexity yields a larger attack surface, more opportunities for misconfigurations and human error, and an environment tailormade for APTs. IBM research has discovered that a breach persists, on average, for 209 days before detection and requires an additional 76 days for containment. This finding emphasizes the consequences of complexity without visibility.
Visibility is essential, but you will need actionable data and a system that is doing the heavy lifting of the analysis automatically so you can focus on the most important aspect – decision-making.
Visibility and network data
Knowledge of the internal integrity, security and health of a network relies on network data collection and analysis. A recent SANS report found that the top five most popular types of data collected and stored by security tools are active directory/LDAP login attempts, DNS transactions, DHCP transactions, HTTP payloads and IPFIX/host-to-host connection data. Underutilized data includes items such as certificate metadata and database methods.
Live network traffic should also be collected through the use of wiretaps, SPAN ports or packet brokers. Network flow data can provide some benefits, but looking at payload information is required for a deeper understanding of usage patterns and drilling down into specific activities.
In order to achieve true visibility, network tools must provide an analysis of the payload packets. If only metadata is decoded, then application layer visibility will not be available. If you are seeking HTTP protocol fields, SMB file information (including the file itself), DB transactions, URL and DNS data, or TLS certificate data, then high-level flow data collection like NetFlow will be insufficient. Metadata pertains to information about the network traffic and not the packet payloads themselves, so it is similar to getting mail only to find out you have the person’s name and address but the entire mail itself is not included.
Application layer visibility and access to transmitted content become possible when network packets are reassembled into sessions. Full packet capture can be expensive and hard to work with. It is no surprise that Gartner reported that rich metadata that looks at network payloads is the new way to go, as full packet capture is not able to provide long enough history and is typically limited to only a few days. More and more organizations today are adopting network detection and response technologies, as the immense value of network data – with its ability to reveal a clear picture of systems communication – can no longer be ignored. It can be expected that the value of network data will only increase as methods of easily exploring the data, without needing to write complicated regular expressions, become the norm.
WireX Systems achieves optimal visibility into payload data and overcomes the complexities of traditional packet capture. Using its Contextual Capture™ technology, raw network traffic is automatically translated into context and user behavior aware intelligence. This is immensely important, as now the security operator doesn’t need to involve a network engineer every time he needs to explore the system for data.
Re-assessment of network visibility
In the absence of deep visibility, networks cannot be secured against threats. Next-generation firewalls and proxy solutions can supply north-south visibility, but the explosion of hybrid and multi-cloud environments requires a reconsideration of defense strategies. Data flows now originate and terminate beyond the perimeter’s boundaries as users and services move outside of the organization’s perimeter. In the face of this increased porosity, erosions in network visibility and threat detection will create security issues.
Intrusion attempts, a common security issue, are identifiable from north-south visibility, but infiltration can now occur without direct penetration of the perimeter. For example, this can happen when a compromised mobile device remotely accesses cloud-stored resources. North-south visibility remains inadequate for these increasingly more common situations. East-west visibility, however, reveals access patterns of data and usage patterns for critical applications, and it supports efforts aimed at determining how data and applications are being used – and by whom. Thus, east-west visibility can identify attackers who bypassed your firewall and are already residing in the network.
Information extracted from east-west traffic yields more robust and useful insights into the network’s landscape. For instance, host-to-host connection information reveals the lateral movement of data and the movement of malicious content across the network.
The addition of east-west network data will, on one hand, provide unmatched visibility into critical applications, databases and file servers, but at the same time, it will pose substantial storage and analysis difficulties for your organization. WireX Systems Contextual CaptureTM technology offers up to twenty (20) times more data storage efficiency and was designed to overcome this exact challenge.
Network-oriented threat detection strengths
The deployment of network-centric tools like NDR can equip the SOC with several invaluable functionalities. NDR can be used to build network usage models that quickly identify abnormal activity; it can perform packet content analysis across protocols; NDR can provide visibility that complements what EDR (only host information) and SIEM (only logs) cannot provide; and the right NDR can also make working with packets simpler.
Network visibility and detection coverage can be quickly attained with data collection at a small number of collection points. A single sensor placed at a chokepoint is an economical way to provide coverage to multiple hosts. It should be noted that log- and endpoint-oriented approaches require data to be gathered at each individual host in the environment. Thus, the need for rapid visibility and reduced risk of threat evasion calls for network-centric tools.
Endpoint and log-based detection and coverage are only effective when agents are installed or logs are generated, respectively. Some technologies like IoT devices, smartphones and operational technology assets do not have EDR agents available nor do they produce security logs. Non-managed devices like employees’ personal laptops (pervasive in BYOD programs) may not admit agent installation. Any shadow IT in an organization may also not contain the necessary configurations needed for logging and endpoint monitoring.
Network visibility cannot be compromised when attackers gain privileged access to systems. Security tools deployed on the host can be disabled, but no one can “unsend” a packet on the network.
Network data collection and analysis are usually simpler than other monitoring tools. This stems from the fact that network traffic data is the only data necessary. If an organization is facing resource constraints, this is especially important.
Visibility and threat detection
The value of network visibility for threat detection becomes immense in modern growing IT environments. If properly managed and integrated, network data has the potential to deliver considerable benefits for the security team. Visibility becomes attainable and threats become less evasive.
Simplicity is key when looking at network data. The ability to easily explore the network data with queries, forensics workflows, advanced visualization and analytical views can streamline threat detection and response. Since network data is based on observations external to the hosts themselves, it is far less susceptible to malicious or external interference. Thus, a trusted platform to manage, integrate and leverage this invaluable data is paramount.
Automation is critical to the successful utilization of network data for threat detection and response at larger scales. Manual tasks and repetitive re-work can be effortlessly completed with the correct automation program. Analysts are then freed to focus on real threats and on proactive threat hunting.
Relentless technological advances, an explosion in remote work, increased enterprise connectivity and an expanding threatscape are all contributors to why 73% of IT professionals declared in a July 2020 report that comprehensive visibility into networks is fundamental to proper security.
Work to achieve comprehensive network visibility and contact WireX to drastically reduce detection and response times.