Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

4/20/2020
09:00 AM
By Craig Harber, Chief Operating Officer, Fidelis
By Craig Harber, Chief Operating Officer, Fidelis
Sponsored Article
100%
0%

The State of Network Traffic Analysis

Does your security team have the network traffic visibility tools you need to defend against attackers? Weigh in to Fidelis' 2020 threat detection and response survey and find out.

Modern organizations have seen a massive expansion of their cyber terrain with the integration of business systems, information technology, and operational technology that is fundamentally transforming the effectiveness and efficiencies of business operations. Unfortunately, this integration of business systems and technologies that are enablers of digital transformation will expand the attack surface and potentially accelerate the speed and damage of attacks.

As part of Fidelis Cybersecurity’s ongoing research efforts, we are asking cybersecurity practitioners to participate in our 2020 State of Threat Detection and Response Survey.

Correlation between cyber terrain and exploitable attack surface is leading many organizations to question whether they have the right cybersecurity tools deployed to provide visibility of their network traffic. This is consistent with key findings of Fidelis Cybersecurity’s State of Threat Detection and Response 2019 report, which found that 69% of respondents believe their attack surface grew as a result of additional cloud applications, higher levels of network traffic, and a higher number of endpoints (especially with the rise in BYOD devices), enterprise IoT and mergers & acquisitions. This same report also found 49% of respondents did not have holistic visibility, while only 12% strongly agreed that they had full visibility of their cyber terrain.

A key takeaway:  As the cyber terrain continues to grow, organizations must evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility, detection, and response of attacks across the cyber terrain. This can be accomplished by operationalizing cyber threat frameworks such as MITRE ATT&CKTM.

Scaling Visibility
As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of adversarial machine learning), early detection and response remains one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, the dwell time of a cyberattack is currently measured in terms of months instead of hours or days, providing attackers with ample time to collect information, move throughout the network and damage or exfiltrate enterprise data. To effectively detect and respond to threats early in the attack kill chain, organizations must have holistic visibility of their terrain.

Cyber attackers will use a variety of tactics, techniques and procedures (TTPs) to remain undetected by security tools, but these actions also create opportunities for analysts to find them. For this, security organizations rely upon network traffic analysis (NTA) technology which can capture, process, and analyze network traffic to detect and investigate data that may indicate a cyberattack. Modern network traffic analysis solutions must use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities and sophisticated attackers on enterprise networks.

Operationalizing Threat Frameworks
Operationalizing capabilities against cyber threat frameworks provide organizations with a concrete method for assessing what defensive capabilities they possess and which ones they need. The framework is effectively a decision support tool to assist organizations in the acquisition of new capabilities and/or the rationalization of existing capabilities. Cybersecurity teams should align their day-to-day post-breach detection and response actions to a cyber threat framework such as the MITRE ATT&CK framework. Intelligence derived from this approach will help cybersecurity teams identify where and how attackers will seek to exploit defenses, and provides organizations with a valuable starting point in how to position their defensive capabilities to proactively guard against attacks.

Detection
In addition to using cyber threat frameworks that map threat actors to known attack methodologies, organizations also need to continuously use detection capabilities to hunt for emerging or unknown threats using both automated and manual approaches. Reducing cyber dwell time is a critical metric for all cybersecurity teams that will benefit from improvements in visibility of their cyber terrain. Not surprisingly, visibility trailed automation as the second leading overall concern for organizations according to the 2019 State of Threat Detection report, with 53% of respondents identifying their lack of visibility as a high priority.

This forces many organizations into a reactive security posture, forcing analysts to scramble to react in a timely manner to new and evolving attacks. In order to shift security postures from reactive to proactive positioning, organizations will need to re-evaluate their security strategy in order to shape the attack surface to their advantage and make network traffic analysis solutions the cornerstone of their SOC operations. Ideal network traffic analysis solutions should provide organizations with deep visibility into their own cyber terrain, as well as all the tactics and techniques that attackers use to infiltrate networks, expand control, and entrench themselves.

Response
Like detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network traffic analysis solutions should therefore prioritize giving incident responders the critical information needed to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.

SOC teams are increasingly overwhelmed with more responsibility, more alerts and more tools than ever. Even with full visibility, keeping up with these challenges is next to impossible when analysts must constantly chase down threats and alerts. In order to overcome this, organizations need to use their visibility and mapping to transition to truly threat-driven operations that will fortify reactive capabilities with proactive, predictive, and retrospective capabilities.

To accomplish this, organizations must overlay an understanding of the operational threat on top of the full visibility they have gained. This allows analysts and operators to weigh several courses of action, informed by full knowledge of their terrain and detailed options for uncovering or responding to threats against their organization. These courses of action can be fully automated or require human intervention to choose from one of several recommended best courses of action.

State of Threat Detection and Response 2020
If you would like to contribute your viewpoint on the current state of detection and response, we welcome you to participate in our ongoing survey for the Fidelis State of Threat Detection and Response 2020.

About the Author: Craig Harber, Chief Operating Officer, Fidelis

Craig Harber is Fidelis’ Chief Operating Officer, with responsibilities for product strategy, services and customer delivery. Harber had a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC).

During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR) that provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture; raising the importance of IA to all warfighting platforms resulting in multi-billion dollar increase in DOD IA investments.

At Fidelis, Harber will be directing the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry.

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.
CVE-2021-3420
PUBLISHED: 2021-03-05
A flaw was found in newlib in versions prior to 4.0.0. Improper overflow validation in the memory allocation functions mEMALIGn, pvALLOc, nano_memalign, nano_valloc, nano_pvalloc could case an integer overflow, leading to an allocation of a small buffer and then to a heap-based buffer overflow.