By Craig Harber, Chief Operating Officer, Fidelis
Sponsored Article

The State of Network Traffic Analysis

Does your security team have the network traffic visibility tools it needs to defend against attackers? Weigh in on Fidelis' 2020 threat detection and response survey and find out.

Modern organizations have seen a massive expansion of their cyber terrain with the integration of business systems, information technology, and operational technology that is fundamentally transforming the effectiveness and efficiencies of business operations. Unfortunately, this integration of business systems and technologies that are enablers of digital transformation will expand the attack surface and potentially accelerate the speed and damage of attacks.

As part of Fidelis Cybersecurity’s ongoing research efforts, we are asking cybersecurity practitioners to participate in our 2020 State of Threat Detection and Response Survey.

Correlation between cyber terrain and exploitable attack surface is leading many organizations to question whether they have the right cybersecurity tools deployed to provide visibility of their network traffic. This is consistent with key findings of Fidelis Cybersecurity’s State of Threat Detection and Response 2019 report, which found that 69% of respondents believe their attack surface grew as a result of additional cloud applications, higher levels of network traffic, and a higher number of endpoints (especially with the rise in BYOD devices), enterprise IoT and mergers & acquisitions. This same report also found 49% of respondents did not have holistic visibility, while only 12% strongly agreed that they had full visibility of their cyber terrain.

A key takeaway: As the cyber terrain continues to grow, organizations must evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility, detection of attacks, and response to them across the cyber terrain. This can be accomplished by operationalizing cyber threat frameworks such as MITRE ATT&CK™.

Scaling Visibility
As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of adversarial machine learning), early detection and response remains one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, the dwell time of a cyberattack is currently measured in terms of months instead of hours or days, providing attackers with ample time to collect information, move throughout the network and damage or exfiltrate enterprise data. To effectively detect and respond to threats early in the attack kill chain, organizations must have holistic visibility of their terrain.

Cyber attackers will use a variety of tactics, techniques and procedures (TTPs) to remain undetected by security tools, but these actions also create opportunities for analysts to find them. For this, security organizations rely upon network traffic analysis (NTA) technology which can capture, process, and analyze network traffic to detect and investigate data that may indicate a cyberattack. Modern network traffic analysis solutions must use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities and sophisticated attackers on enterprise networks.

Operationalizing Threat Frameworks
Operationalizing capabilities against cyber threat frameworks provides organizations with a concrete method for assessing what defensive capabilities they possess and which ones they need. The framework is effectively a decision support tool to assist organizations in the acquisition of new capabilities and/or the rationalization of existing capabilities. Cybersecurity teams should align their day-to-day post-breach detection and response actions to a cyber threat framework such as the MITRE ATT&CK framework. Intelligence derived from this approach will help cybersecurity teams identify where and how attackers will seek to exploit defenses, and provides organizations with a valuable starting point for positioning their defensive capabilities to proactively guard against attacks.
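As an added illustration of the two ideas above (rule-based network traffic analysis, and using ATT&CK as a decision support tool for finding capability gaps), here is example code that is not Fidelis' own: each detection rule is tagged with the ATT&CK technique it covers, rules run over constructed flow records, and the tagged rule set is compared against a constructed threat profile to report covered techniques and gaps. The technique IDs are real ATT&CK identifiers; the flows, thresholds and threat profile are assumptions made for the example.

```python
"""Added example (not Fidelis code): rule-based NTA over constructed flow
records, each rule tagged with an ATT&CK technique, plus a coverage report
of the rule set against a constructed threat profile."""
from collections import defaultdict

# Constructed flow records: (src, dst, dst_port, bytes_out, proto).
FLOWS = [
    ("10.0.1.5", "203.0.113.9", 443, 5_000_000, "tcp"),  # large outbound transfer
    ("10.0.1.5", "10.0.2.7", 445, 1200, "tcp"),          # SMB to internal hosts
    ("10.0.1.5", "10.0.2.8", 445, 1100, "tcp"),
    ("10.0.1.5", "10.0.2.9", 445, 1150, "tcp"),
    ("10.0.1.6", "198.51.100.4", 53, 300, "udp"),        # ordinary DNS lookup
]

def rule_large_egress(flows, threshold=1_000_000):
    """Flag a single flow to a non-internal host above a byte threshold (assumed)."""
    return [f for f in flows if not f[1].startswith("10.") and f[3] > threshold]

def rule_smb_fanout(flows, min_targets=3):
    """Flag a source reaching many distinct internal hosts on TCP 445 (assumed)."""
    targets = defaultdict(set)
    for src, dst, port, _, _ in flows:
        if port == 445 and dst.startswith("10."):
            targets[src].add(dst)
    return [(src, sorted(d)) for src, d in targets.items() if len(d) >= min_targets]

# Rule catalogue keyed by the ATT&CK technique each rule provides visibility into.
RULES = {
    "T1041": ("Exfiltration Over C2 Channel", rule_large_egress),
    "T1021.002": ("SMB/Windows Admin Shares", rule_smb_fanout),
}

# Constructed threat profile: techniques the team expects an adversary to use.
THREAT_PROFILE = {"T1041", "T1021.002", "T1046", "T1566"}

def run_rules(flows):
    """Run every rule; result is technique id -> list of hits."""
    return {tid: fn(flows) for tid, (_, fn) in RULES.items()}

def coverage(threat_profile, rules):
    """Decision-support view: which profile techniques have a rule, which do not."""
    known = set(rules)
    covered = sorted(threat_profile & known)
    gaps = sorted(threat_profile - known)
    return {"covered": covered, "gaps": gaps,
            "pct": round(100 * len(covered) / len(threat_profile))}

if __name__ == "__main__":
    for tid, hits in run_rules(FLOWS).items():
        print(tid, RULES[tid][0], hits)
    print(coverage(THREAT_PROFILE, RULES))
```

The gap list is the output a team would feed into the acquisition or rationalization decision the paragraph describes; the rule hits are what an analyst would triage.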

In addition to using cyber threat frameworks that map threat actors to known attack methodologies, organizations also need to continuously use detection capabilities to hunt for emerging or unknown threats using both automated and manual approaches. Reducing cyber dwell time is a critical metric for all cybersecurity teams that will benefit from improvements in visibility of their cyber terrain. Not surprisingly, visibility trailed automation as the second leading overall concern for organizations according to the 2019 State of Threat Detection report, with 53% of respondents identifying their lack of visibility as a high priority.

This pushes many organizations into a reactive security posture, leaving analysts scrambling to respond in a timely manner to new and evolving attacks. To shift from a reactive to a proactive posture, organizations will need to re-evaluate their security strategy so that they shape the attack surface to their advantage and make network traffic analysis solutions the cornerstone of their SOC operations. Ideal network traffic analysis solutions should provide organizations with deep visibility into their own cyber terrain, as well as into the tactics and techniques that attackers use to infiltrate networks, expand control, and entrench themselves.

Like detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network traffic analysis solutions should therefore prioritize giving incident responders the critical information needed to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.

SOC teams are increasingly overwhelmed with more responsibility, more alerts and more tools than ever. Even with full visibility, keeping up with these challenges is next to impossible when analysts must constantly chase down threats and alerts. In order to overcome this, organizations need to use their visibility and mapping to transition to truly threat-driven operations that will fortify reactive capabilities with proactive, predictive, and retrospective capabilities.

To accomplish this, organizations must overlay an understanding of the operational threat on top of the full visibility they have gained. This allows analysts and operators to weigh several courses of action, informed by full knowledge of their terrain and detailed options for uncovering or responding to threats against their organization. These courses of action can be fully automated or require human intervention to choose from one of several recommended best courses of action.

State of Threat Detection and Response 2020
If you would like to contribute your viewpoint on the current state of detection and response, we welcome you to participate in our ongoing survey for the Fidelis State of Threat Detection and Response 2020.

About the Author: Craig Harber, Chief Operating Officer, Fidelis

Craig Harber is Fidelis’ Chief Operating Officer, with responsibilities for product strategy, services and customer delivery. Harber had a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance with far-reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC).

During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), which provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture, raising the importance of IA to all warfighting platforms and resulting in a multi-billion-dollar increase in DOD IA investments.

At Fidelis, Harber will be directing the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry.
