Network detection and response delivers the most comprehensive insight into hidden threats and empowers incident responders to act with confidence. Network traffic analysis is a core technology for detecting hidden threats, but there are several decision criteria that you are likely to consider, including the ones below.
Read the summarized table below to learn how vendors stack up to these requirements.
Network Traffic Analysis is a new market, with many vendors entering since 2016. Gartner analyzed the key NTA vendors to be considered by security and risk management leaders. You can download the Gartner Market Guide for Network Traffic Analysis here.
Network metadata contains vital descriptors of the data itself to create a searchable index in real time and at a fraction of the size of full packet captures. Metadata as a source is the right data type, but used alone it lacks indicators of compromise that show analysts where to hunt.
Security-enriched network metadata
Enrichment techniques, used to identify data such as host ID and beaconing, are employed to augment network metadata. This data cocktail is essential to quickly identify threat activity in security event messages and conduct more conclusive incident investigations.
NetFlow is network performance monitoring data remarketed for security. It shows which connections were made but not what those connections were used for. Network detection requires details such as whether an SMB connection was used to authenticate a user, mount a share or execute code. NetFlow does not provide these details, leaving it without the visibility needed to detect threats.
Full packet captures
Network packets provide deep network visibility but are difficult and expensive to scale. The sheer volume of packets slows search performance, making incident investigations frustratingly painful.
Feed security-enriched metadata to data lakes and SIEMs, correlate it with other data sources and empower threat hunters to conduct conclusive incident investigations with a comprehensive source of truth.
The quality of that data will directly affect your threat-hunting use cases.
NetFlow offers incomplete data and was originally conceived to manage network performance. PCAPs are performance-intensive and expensive to store in a way that ensures fidelity in post-forensics investigations. The tradeoff between NetFlow and PCAPs leaves security practitioners in an untenable state.
There’s a consistent set of questions security teams must answer when investigating any given attack scenario. They will test their hypotheses by investigating the data to determine if they are looking in the right place or thinking in the right direction. Having access to the right data and insights can make all the difference in the investigation, both in terms of outcome and in the speed of achieving the outcome.
Yet, with examples like beaconing, it is hard to differentiate between innocuous and malicious behaviors. How do you discover and identify the potentially malicious communication? And if you find that communication is malicious, how do you respond?
The first step is to make sure that the attributes necessary to answer these questions are readily available to the security analyst. These are best surfaced using metadata that is enriched with insights that can only be derived from machine learning techniques.
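As an added illustration (not Vectra's code) of how enriched metadata can surface the attributes an analyst needs for the beaconing question above, the script below scores src/dst pairs in constructed connection records by how machine-regular their timing and payload sizes are. Record fields, thresholds and the sample hosts are assumptions.

```python
# Added example (not Vectra's code): score candidate beacons over constructed
# connection metadata. A beacon reconnects at near-constant intervals with
# near-constant sizes; interactive traffic does not. Thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp_s, src, dst, dst_port, bytes_out)
RECORDS = [
    # Host A reaches one external IP roughly every 60 s with ~300 bytes
    *[(60 * k + (k % 3), "10.0.0.5", "203.0.113.7", 443, 300 + (k % 7))
      for k in range(60)],
    # Host B browses one site at irregular intervals with varying sizes
    *[(t, "10.0.0.9", "198.51.100.2", 443, b) for t, b in
      [(10, 1400), (25, 9800), (26, 320), (400, 52000), (401, 2200),
       (1900, 800), (1905, 31000), (3000, 600)]],
]

def beacon_score(timestamps, sizes, min_connections=8):
    """Coefficient of variation of inter-connection gaps and of payload sizes
    for one src->dst pair; None when there are too few events to judge."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)

def find_beacons(records, max_gap_cv=0.2, max_size_cv=0.3):
    """Return (src, dst, port, gap_cv, size_cv, count) for pairs whose timing
    and sizes are machine-regular. These are hunting leads, not verdicts:
    a legitimate update checker looks identical, so the analyst still needs
    enrichment (host identity, destination reputation) to decide."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        groups[(src, dst, port)].append((ts, nbytes))
    leads = []
    for (src, dst, port), events in groups.items():
        score = beacon_score([e[0] for e in events], [e[1] for e in events])
        if score and score[0] <= max_gap_cv and score[1] <= max_size_cv:
            leads.append((src, dst, port, round(score[0], 3),
                          round(score[1], 3), len(events)))
    return leads

if __name__ == "__main__":
    for lead in find_beacons(RECORDS):
        print("beacon candidate:", lead)
```

Only host A's pair comes back as a lead; host B has enough connections to be scored but its gap and size variation is far above the thresholds.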
There are numerous techniques for creating algorithms that are capable of learning and adapting over time. Broadly speaking, these algorithms fall into one of three categories: supervised, unsupervised and reinforcement learning.
Machine learning is the technique, not the objective. This is critically important as more tools leverage and advertise machine learning for threat detection. Unlike Vectra, other vendors use a small subset of machine learning algorithms to solve a problem. Specific attacker behaviors require different applications of machine learning.
You can read more about deep learning in our dedicated blog post about neural networks and deep learning.
Just as no single algorithm can solve every problem, no single method can find every threat. Vendors who apply a single algorithmic approach run the risk of drowning a few good detections in a massive flood of false positives. Conversely, machine learning is overkill when a simple list of indicators of compromise (IoCs) would suffice, such as detecting known malicious IP addresses or URLs.
Deciding where to focus an analyst's time and how to respond requires an understanding of the assets impacted and the risk to your business. You want your vendor’s solution to roll up a chain of events into single incidents.
To understand the severity of an attack, analysts need to connect the dots of related attacker behaviors to expose the relationship between hosts across internal detections, external advanced command-and-control detections, and connectivity to common command-and-control infrastructures.
It is imperative to prioritize the risk level of hosts, including workloads, servers and IoT. This ensures that analysts are responding to the highest risks first to reduce the total cost and risk of a breach.
The goal should be to reduce the workload so an analyst can focus on the events that matter most. Part of that means providing human-readable outputs from machine learning algorithm detections, including PCAP and guidance on what a detection means and what next steps an analyst should take to verify and respond.
As attackers perform reconnaissance and move laterally from host to host in a network, their behaviors need to be correlated across all involved hosts and detections to present a view of the entire attack campaign.
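As an added example (not Vectra's code) of rolling a chain of detections up into one prioritised incident, as the paragraphs above describe, the script below links hosts that share a lateral-movement target or the same command-and-control address, groups them into campaigns and ranks the campaigns. The detection records, categories and scoring weights are constructed assumptions.

```python
# Added example (not Vectra's code): roll individual detections up into
# campaigns by linking hosts that appear together in lateral-movement or
# command-and-control detections, then rank campaigns so the analyst sees
# one prioritised incident instead of a pile of alerts. Constructed data.
from collections import defaultdict

# Constructed detections: (host, category, peer, severity 0-100). For lateral
# moves `peer` is the target host; for C2 it is the external C2 address.
DETECTIONS = [
    ("ws-17", "c2-beacon", "203.0.113.7", 70),
    ("ws-17", "internal-recon", None, 40),
    ("ws-17", "smb-lateral", "fs-02", 65),
    ("fs-02", "smb-lateral", "db-01", 80),
    ("db-01", "c2-beacon", "203.0.113.7", 75),
    ("ws-33", "c2-beacon", "198.51.100.9", 30),   # separate C2, unrelated
    ("lab-05", "internal-recon", None, 20),       # isolated, low severity
]

def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def roll_up(detections):
    """Group detections into campaigns (connected hosts) and return them
    sorted by priority, highest first."""
    parent = {}
    for host, _cat, peer, _sev in detections:
        parent.setdefault(host, host)
        if peer is not None:            # shared peer or C2 address links hosts
            parent.setdefault(peer, peer)
            parent[_find(parent, host)] = _find(parent, peer)
    groups = defaultdict(list)
    for host, cat, _peer, sev in detections:
        groups[_find(parent, host)].append((host, cat, sev))
    campaigns = []
    for members in groups.values():
        hosts = sorted({m[0] for m in members})
        cats = sorted({m[1] for m in members})
        # Priority: worst single detection, boosted when the chain spans
        # several behaviours and several hosts (a campaign, not a one-off)
        priority = (max(m[2] for m in members)
                    + 5 * (len(cats) - 1) + 5 * (len(hosts) - 1))
        campaigns.append({"hosts": hosts, "categories": cats, "priority": priority})
    return sorted(campaigns, key=lambda c: c["priority"], reverse=True)

if __name__ == "__main__":
    for c in roll_up(DETECTIONS):
        print(c["priority"], c["hosts"], c["categories"])
```

The three detections on ws-17, fs-02 and db-01 collapse into a single top-ranked campaign, while the unrelated beacon on ws-33 and the isolated recon on lab-05 stay separate and lower.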
Data center and cloud security goes beyond virtualization or perimeter detection and needs to include the underlying infrastructure and low-level tools used to manage workloads. You may want to consider a technology that provides threat detection that extends from the application layer down to the underlying hardware.
For example, a port knocking detection may reveal servers that are compromised by a rootkit, which could reside below the physical operating system itself. In addition, monitoring for and detecting improper use of low-level management protocols such as IPMI and iDRAC is critical.
Normally used by administrators for lights-out management of server hardware, these protocols are increasingly targeted by attackers because they open a persistent backdoor into the virtual environment, yet they are not logged and are rarely monitored by security teams.
Not every attack is the same and not every response should be the same. An AI platform should provide intelligence to existing infrastructure to reduce the time to respond. More importantly, you should expect an AI platform to enable the correct response.
You should expect integration to be simple and straightforward. A complex deployment will erode any benefits you hoped to gain. Integration can occur through APIs, outbound events or automation platforms that provide standardization between products.
Vectra delivers a complete platform for network detection and response with Cognito Detect, Cognito Recall and Cognito Stream. Vectra has the longest tenure and greatest investment in the development of AI for detecting attacker behaviors as well as collecting and enriching metadata for threat hunting and incident investigations.