in-depth analysis

How to apply a network-centric approach to cybersecurity

The pivotal role of NDR

In the Gartner research report “Applying Network-Centric Approaches for Threat Detection and Response,” published March 18, 2019 (ID: G00373460), Augusto Barros, Anton Chuvakin, and Anna Belak introduced the concept of the SOC Visibility Triad.

The research provides the following graphic showing the “nuclear triad of visibility,” specifically:

  • SIEM/UEBA provides the ability to collect and analyze logs generated by the IT infrastructure, applications and other security tools.
  • Endpoint detection and response provides the ability to capture execution, local connections, system changes, memory activities and other operations from endpoints.
  • Network detection and response provides the ability to observe the interactions between all devices on the network, whether or not EDR is running on them.

The research goes on to state, “Your SOC triad seeks to significantly reduce the chance that attackers will operate on your network long enough to accomplish their goals.” In the research, the authors write that “EDR provides detailed tracking of malicious activities on an endpoint. Attackers, however, might be able to hide their tools from EDR. But, their activity will be visible by network tools as soon as they interact with any other system through the network.”

The research continues, “Logs can provide the necessary visibility into higher layers. For example, they can provide visibility into what users are doing on the application layer. EDR and logs can also mitigate the issues related to encrypted network connections – a common cause of blind spots in network-centric technologies.”

Security operations teams have asked Vectra very similar questions during their response or threat hunting activities: What did this asset or account do before the alert? What did it do after the alert? Can we find out when things started to turn bad? Threat history is generally available in three places: NDR, EDR and SIEMs. EDR provides a detailed ground-level view of the processes running on a host and interactions between them.

NDR provides an aerial view of the interactions between all devices on the network, regardless of whether EDR is running on them or not. Security teams configure SIEMs to collect event log information from other systems. Security teams that deploy the triad of NDR, EDR and SIEMs are empowered to answer a broader range of questions when responding to an incident or hunting for threats. For example, they can answer:

  • Did another asset begin to behave strangely after communicating with the potentially compromised asset?
  • What service and protocol were used?
  • What other assets or accounts may be implicated?
  • Has any other asset contacted the same external command-and-control IP address?
  • Has the user account been used in unexpected ways on other devices?

Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR.

Examples of these exploits are those reportedly stolen from the Equation Group by the Shadow Brokers hacking group. When EDR is asked for a list of devices that a host communicated with, it may report devices B, C and E. Meanwhile, NDR would report that the same host communicated with devices A, B, C, E, and F.

This approach to a modern security operations center must also provide key integration capabilities with industry-leading technology partners, including Vectra, CrowdStrike, CarbonBlack and Splunk.

Detection: Automation through AI

Powered by AI – machine learning, deep learning and neural networks – attacker behavior models constantly learn and adapt to automatically detect advanced threats in real time, before they do damage. 

In addition to threat detection, AI is instrumental in triaging and prioritizing the highest-risk threats and correlating attacks with compromised host devices. 

Tier 1 automation alone can condense weeks – and even months – of work into minutes and reduce the security analyst workload by 37X.

Here are some tips to improve the detection of attacker behaviors in network traffic, security posture and risk management:

  • Augment signature-based perimeter security products with behavior-based network traffic analytics.
  • Focus on detecting malicious command-and-control, internal recon, lateral movement and data exfiltration behaviors in your unique environment.
  • Insist on scalability so you can analyze all traffic in your network and optimize detection efficacy.
  • Ask for a proof-of-concept trial to ensure that attacker detections are relevant to your environment.

Response: Faster and smarter

When a threat is detected, security teams must answer a wide range of questions in order to respond quickly and decisively. These include:

  • Did other assets behave strangely after communicating with a potentially compromised asset?
  • What service and protocol were used?
  • What other assets or accounts may be implicated?
  • Did other assets contact the same external command-and-control IP address?
  • Did a user account behave in unexpected ways on other devices?
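As an added illustration (not Vectra's or Gartner's code) of how a responder pivots across NDR and EDR telemetry to answer these questions, including the earlier point that EDR may report peers B, C and E while NDR sees A, B, C, E and F; the host names, the 203.0.113.9 address and the flow records are constructed sample data:

```python
# Constructed sample telemetry (not real data). NDR flows cover every host
# on the network; EDR peer lists exist only for hosts running an agent.
NDR_FLOWS = [  # (src, dst, service, time)
    ("host-X", "host-A", "smb", 100),
    ("host-X", "host-B", "rdp", 110),
    ("host-X", "host-C", "smb", 120),
    ("host-X", "host-E", "http", 130),
    ("host-X", "host-F", "smb", 140),
    ("host-X", "203.0.113.9", "https", 150),  # suspected C2 (TEST-NET-3 address)
    ("host-F", "203.0.113.9", "https", 160),  # F reaches the C2 after X touched it
    ("host-D", "host-A", "ssh", 90),
]
# Peer list the endpoint agent on host-X reported (hosts A and F are missing).
EDR_PEERS = {"host-X": {"host-B", "host-C", "host-E", "203.0.113.9"}}


def ndr_peers(host):
    """Every destination the network saw this host talk to."""
    return {dst for src, dst, _, _ in NDR_FLOWS if src == host}


def edr_blind_spots(host):
    """Peers the network saw but the endpoint agent did not report."""
    return ndr_peers(host) - EDR_PEERS.get(host, set())


def services_used(host, peer):
    """Which service carried the traffic between host and peer."""
    return sorted({svc for src, dst, svc, _ in NDR_FLOWS if (src, dst) == (host, peer)})


def contacted(ip):
    """Which assets contacted the same external command-and-control address."""
    return {src for src, dst, _, _ in NDR_FLOWS if dst == ip}


def suspicious_after_contact(host, c2):
    """Peers of `host` that reached the C2 address only after `host` talked to them."""
    first_contact = {}
    for src, dst, _, t in NDR_FLOWS:
        if src == host:
            first_contact[dst] = min(t, first_contact.get(dst, t))
    return {src for src, dst, _, t in NDR_FLOWS
            if dst == c2 and src in first_contact and t > first_contact[src]}


if __name__ == "__main__":
    print("EDR reported:", sorted(EDR_PEERS["host-X"]))
    print("NDR saw:", sorted(ndr_peers("host-X")))
    print("missed by EDR:", sorted(edr_blind_spots("host-X")))
    print("also reached the C2:", sorted(contacted("203.0.113.9") - {"host-X"}))
    print("turned bad after contact:", sorted(suspicious_after_contact("host-X", "203.0.113.9")))
```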

The first step is to make sure that the attributes necessary to answer these questions are readily available to the analyst. Relevant security information, rich in context, must be available to incident responders.

Machine learning-derived attributes, including host identity and beaconing, provide vital context that reveals the complete scope and scale of an attack. 

Context that puts the most relevant information at your fingertips provides a trail of forensic evidence about threat behaviors throughout the entire attack lifecycle while eliminating the endless hunt and search for threats.