The Evolution of Network Traffic Analysis into Network Detection & Response

Cybersecurity breaches are on the rise with no end in sight. According to CSO Online, businesses in the United States lose close to $4 million annually due to data breaches. Clearly, cybercriminals are outpacing cybersecurity professionals by finding ways to bypass traditional defense solutions.

The long-standing practice of blacklisting malicious signatures is not effective against modern threats, and whitelisting is a cumbersome process. There are too many variants of malware, and attackers have too many tools at their disposal, for us to continue down the beaten path of security. We need a new approach that emphasizes actionable visibility over the traditional alert-generation approach, which has not only proven ineffective but also follows the law of diminishing returns: as the number of alerts keeps growing, they become counterproductive.

We know that at the end of the day, everything goes through the network (traditional enterprise network and/or the network that connects to cloud infrastructure and applications). Traditional breach detection systems and signature-based solutions, such as intrusion detection systems (IDS) and intrusion prevention systems (IPS), have shortcomings for the types of attacks that businesses are seeing nowadays. For starters, these solutions struggle to efficiently detect new or evolving threats since they require a new signature for that specific threat to be added to the database. However, even for AI-based detection systems, it is still challenging to separate the wheat from the chaff as monitoring the east-west traffic in the new world of micro-services, containerization and virtualization, while coping with much higher volumes, is a tall order. All these put attackers at an advantage.

To combat these new threats, you cannot rely solely on partial visibility to safeguard your perimeter. The security team must understand what is happening on their network from an application and user perspective and be able to tell the difference between normal behavior and malicious behavior that may lead to an attack. Note that partial visibility is usually caused by blind spots, but it can also result from cases where you do get an alert that something suspicious has occurred but lack the context to easily investigate what happened before, during and after that specific activity. Actionable visibility is the heart of being able to understand and protect your environment, and network traffic analysis (NTA) is the place to start.

Traditional defense models

Traditional defense models’ inability to protect data is evident from the fact that cybersecurity spending over the past five years is expected to reach $1 trillion by next year, while losses from attacks will reach $6 trillion. It is obvious that the spending strategy must change.

Beyond network signature-based systems, other established defenses, such as security information and event management (SIEM) systems, antivirus software and endpoint detection and response (EDR) tools, continue to be necessary, but by themselves they do not provide the actionable visibility needed to keep up with emerging threats that compromise your systems and exfiltrate data without your knowledge.

Network traffic analysis evolution into network detection and response

To truly know what is lurking in your environment, you need a real-time examination of the packets on your network, which is what network traffic analysis performs. The main benefits of the new generation of NTA include:

1. Behavior-based threat detection that identifies threats by behavior falling outside the model of “normal conduct” for each device.
2. Organized, usable data that lets security teams perform analysis and forensics, and demonstrate security compliance, by accessing the actual evidence underpinning each threat identification.
3. Better network visibility that enables a successful security response through automation, allowing security teams to focus on the most critical threats.

SIEM solutions can generate and aggregate alerts, but they do not tell your analysts everything they need in order to understand and identify the threat. While a SIEM is a great starting point for an investigation, it lacks, by design, the actual activity that happened on the network. Through network traffic analysis, you have a holistic view of your environment and an accurate, real-time picture of events.
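The two points above (per-device behavioral baselines, and alerts that carry the underlying network evidence rather than a bare notification) as an added illustration that is not WireX code and not part of the original article. The flow-record format and the sample hosts, addresses and byte counts are constructed for this example; the z-score floor of 5% of the mean is an assumption that keeps a perfectly flat history from flagging trivial changes.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (window, host, dst_ip, dst_port, bytes_out).
# Five windows of normal conduct, then a sixth in which ws-12 uploads
# far more than usual to a destination it has never contacted before.
BASELINE_FLOWS = []
for w in range(5):
    BASELINE_FLOWS += [
        (w, "ws-12", "10.0.0.5", 445, 50_000 + w * 1_000),
        (w, "ws-12", "10.0.0.9", 443, 120_000 + w * 5_000),
        (w, "db-01", "10.0.0.9", 443, 30_000),
    ]
CURRENT_FLOWS = [
    (5, "ws-12", "10.0.0.5", 445, 52_000),
    (5, "ws-12", "203.0.113.7", 443, 2_400_000),  # new peer, large upload
    (5, "db-01", "10.0.0.9", 443, 31_000),
]


def build_baseline(flows):
    """Per host: bytes_out per window (for mean/stdev) and the set of (ip, port) peers seen."""
    per_window = defaultdict(lambda: defaultdict(int))
    peers = defaultdict(set)
    for w, host, dst, port, nbytes in flows:
        per_window[host][w] += nbytes
        peers[host].add((dst, port))
    return {h: {"totals": list(per_window[h].values()), "peers": peers[h]} for h in per_window}


def detect(baseline, flows, z_threshold=3.0):
    """Flag hosts whose window total deviates from their own history or that contact new peers.

    Every alert carries the flows that triggered it, so an analyst can inspect
    the evidence directly instead of chasing the context in other tools."""
    totals, by_host = defaultdict(int), defaultdict(list)
    for rec in flows:
        totals[rec[1]] += rec[4]
        by_host[rec[1]].append(rec)
    alerts = []
    for host, total in totals.items():
        base = baseline.get(host)
        if base is None:  # never-seen host: no model of "normal" exists yet
            alerts.append({"host": host, "reason": "no baseline", "evidence": by_host[host]})
            continue
        mu = mean(base["totals"])
        sigma = max(pstdev(base["totals"]), 0.05 * mu)  # floor: assumed, avoids zero stdev
        z = (total - mu) / sigma
        new_peers = [r for r in by_host[host] if (r[2], r[3]) not in base["peers"]]
        if z > z_threshold or new_peers:
            alerts.append({"host": host, "z_score": round(z, 1), "new_peers": new_peers,
                           "evidence": by_host[host]})
    return alerts
```

Running `detect(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS)` yields a single alert for ws-12 with both of its current flows attached as evidence; db-01's small increase stays within its baseline and produces no alert.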

Network detection and response (NDR) is not a magic solution that will replace all of your current security technology – but it provides visibility into the areas where SIEM, EDR and other traditional solutions struggle. This is the main reason it has become such an important tool for performing the investigation and determining not only the threat but also the actions needed to contain and remediate it. Monitoring and generating alerts is one thing, but knowing what to do with those alerts requires a different set of capabilities. Front-line analysts spend too much time on false positives and on redundant true positives, lacking the time and context to focus on the actual threats. Constant alerts without an immediate ability to dig deeper are just noise that distracts your analysts from understanding and acting on the real threat. Moreover, time wasted on such alerts, combined with the expectation of keeping up with an already-high workload, leads to frustration within the security team.

Most security teams rely on their seasoned analysts and threat hunters to use their knowledge to collect crumbs from different tools and piece together a true understanding of what is going on. This results in inefficiencies, frustration and high churn rates; additionally, less experienced operators are not able to contribute enough, and hiring more experienced analysts is not always possible, not to mention the time it takes to bring new analysts up to speed. With WireX’s NDR platform, powered by patented NTA technologies, even entry-level operators are able to perform as experienced analysts, as the system does the heavy lifting of collecting, correlating and visualizing the actionable data for them. With this guidance, even a novice can be an expert.

WireX NDR solutions

Technology advances every day and so do the tactics, techniques and procedures (TTPs) of your adversaries. A new solution is needed to combat these advanced threats. It is imperative that you know what is taking place within your network from an application and user perspective, and it’s crucial that you make this information understandable and actionable by your security analysts and incident responders.

To fully monitor the environment, WireX network detection and response leverages our patented Contextual Capture™ technology. It not only allows you to see all communications within your network, but also reconstructs the raw data into a human-readable format that security operators at all levels can act upon.

With the ability to understand what each and every alert means and how the alerts relate to each other, even entry-level operators are capable of achieving results that would typically require a team of experienced analysts. With our NDR technology, you can cut down on noisy alerts and let less-experienced analysts work on legitimate alerts while your seasoned analysts focus on the actual problems.

If you are interested in improving your company’s security program and reducing the unnecessary noise your security analysts have to deal with, feel free to contact WireX Systems to see how we can help you handle more threats in significantly less time, enabling your team to spend more time on proactive hunting.
