By Craig Harber, Chief Operating Officer, Fidelis
Sponsored Article

The State of Network Traffic Analysis

Does your security team have the network traffic visibility tools you need to defend against attackers? Weigh in to Fidelis' 2020 threat detection and response survey and find out.

Modern organizations have seen a massive expansion of their cyber terrain with the integration of business systems, information technology, and operational technology that is fundamentally transforming the effectiveness and efficiencies of business operations. Unfortunately, this integration of business systems and technologies that are enablers of digital transformation will expand the attack surface and potentially accelerate the speed and damage of attacks.

As part of Fidelis Cybersecurity’s ongoing research efforts, we are asking cybersecurity practitioners to participate in our 2020 State of Threat Detection and Response Survey.

The correlation between the size of the cyber terrain and the exploitable attack surface is leading many organizations to question whether they have the right cybersecurity tools deployed to provide visibility into their network traffic. This is consistent with key findings of Fidelis Cybersecurity’s State of Threat Detection and Response 2019 report, which found that 69% of respondents believe their attack surface grew as a result of additional cloud applications, higher levels of network traffic, and a higher number of endpoints (especially with the rise in BYOD devices), enterprise IoT, and mergers and acquisitions. The same report also found that 49% of respondents did not have holistic visibility, while only 12% strongly agreed that they had full visibility of their cyber terrain.

A key takeaway: as the cyber terrain continues to grow, organizations must evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility into, detection of, and response to attacks across the cyber terrain. This can be accomplished by operationalizing cyber threat frameworks such as MITRE ATT&CK™.

Scaling Visibility
As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of adversarial machine learning), early detection and response remain one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, the dwell time of a cyberattack is currently measured in months rather than hours or days, giving attackers ample time to collect information, move throughout the network, and damage or exfiltrate enterprise data. To detect and respond to threats early in the attack kill chain, organizations must have holistic visibility of their terrain.

Cyber attackers use a variety of tactics, techniques, and procedures (TTPs) to remain undetected by security tools, but these actions also create opportunities for analysts to find them. For this, security organizations rely upon network traffic analysis (NTA) technology, which captures, processes, and analyzes network traffic to detect and investigate activity that may indicate a cyberattack. Modern network traffic analysis solutions must combine machine learning, advanced analytics, and rule-based detection to detect suspicious activities and sophisticated attackers on enterprise networks.

Operationalizing Threat Frameworks
Operationalizing capabilities against cyber threat frameworks provides organizations with a concrete method for assessing which defensive capabilities they possess and which ones they need. The framework is effectively a decision-support tool that assists organizations in acquiring new capabilities and/or rationalizing existing ones. Cybersecurity teams should align their day-to-day post-breach detection and response actions to a cyber threat framework such as MITRE ATT&CK. Intelligence derived from this approach helps cybersecurity teams identify where and how attackers will seek to exploit defenses, and gives organizations a valuable starting point for positioning their defensive capabilities to proactively guard against attacks.

In addition to using cyber threat frameworks that map threat actors to known attack methodologies, organizations also need to continuously use their detection capabilities to hunt for emerging or unknown threats, using both automated and manual approaches. Dwell time is a critical metric for every cybersecurity team, and reducing it depends on improved visibility of the cyber terrain. Not surprisingly, visibility trailed only automation as the leading overall concern for organizations in the 2019 State of Threat Detection report, with 53% of respondents identifying their lack of visibility as a high priority.
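As an added illustration of the capability assessment described above (example code written for this page, not Fidelis' or MITRE's), the script below scores a constructed detection inventory against a constructed threat-actor profile, reports the prioritized gaps, and separates gaps that only need a new rule from gaps where no sensor feed exists at all. The detection names, priority weights, and technique-to-feed map are assumptions; the technique IDs are ATT&CK identifiers used only as sample data.

```python
"""Added example (not Fidelis code): a minimal ATT&CK coverage gap assessment.
Scores a constructed detection inventory against a constructed threat profile
and labels each gap as a missing rule or missing visibility. All sample data."""
from collections import defaultdict

# Constructed inventory: detection name -> (sensor feed, ATT&CK techniques covered)
DETECTIONS = {
    "nta-beacon-periodicity": ("network", {"T1071", "T1071.001"}),
    "nta-large-outbound-transfer": ("network", {"T1041", "T1048"}),
    "edr-suspicious-script-host": ("endpoint", {"T1059", "T1059.001"}),
    "edr-lsass-access": ("endpoint", {"T1003"}),
    "idp-impossible-travel": ("cloud", {"T1078"}),
}
# Constructed threat profile: technique -> priority weight from the org's own intel
THREAT_PROFILE = {"T1078": 3, "T1059": 3, "T1021": 3, "T1566": 3, "T1003": 2,
                  "T1071": 2, "T1041": 2, "T1046": 1, "T1105": 1}
# Constructed map of the sensor feed a detection for each technique needs
REQUIRED_SOURCE = {"T1078": "cloud", "T1059": "endpoint", "T1021": "network",
                   "T1566": "email", "T1003": "endpoint", "T1071": "network",
                   "T1041": "network", "T1046": "network", "T1105": "network"}

def technique_coverage(detections):
    """Invert the inventory: technique -> {(detection name, sensor feed)}."""
    cov = defaultdict(set)
    for name, (source, techs) in detections.items():
        for t in techs:
            cov[t].add((name, source))
            if "." in t:  # a sub-technique detection also covers its parent
                cov[t.split(".")[0]].add((name, source))
    return cov

def assess(detections, profile):
    """Return (covered techniques, gaps ordered by priority, weighted coverage ratio)."""
    cov = technique_coverage(detections)
    covered = {t: sorted(cov[t]) for t in profile if t in cov}
    gaps = sorted((t for t in profile if t not in cov), key=lambda t: (-profile[t], t))
    ratio = sum(profile[t] for t in covered) / sum(profile.values())
    return covered, gaps, ratio

def classify_gaps(detections, profile, required):
    """Label each gap 'rule gap' (feed exists, no detection) or 'visibility gap'."""
    available = {source for source, _ in detections.values()}
    _, gaps, _ = assess(detections, profile)
    return {t: "rule gap" if required[t] in available else "visibility gap" for t in gaps}

if __name__ == "__main__":
    covered, gaps, ratio = assess(DETECTIONS, THREAT_PROFILE)
    print(f"weighted coverage: {ratio:.0%}; gaps by priority: {gaps}")
    print(classify_gaps(DETECTIONS, THREAT_PROFILE, REQUIRED_SOURCE))
```

The same inversion works on a real inventory exported from a SIEM or NTA platform once each rule is tagged with the techniques it covers; a visibility gap is the case the article is making, where no amount of rule-writing helps until the feed exists.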

This leaves many organizations in a reactive security posture, with analysts scrambling to respond in a timely manner to new and evolving attacks. To shift from a reactive to a proactive posture, organizations need to re-evaluate their security strategy, shape the attack surface to their advantage, and make network traffic analysis solutions the cornerstone of their SOC operations. An ideal network traffic analysis solution gives organizations deep visibility into their own cyber terrain, as well as into the tactics and techniques that attackers use to infiltrate networks, expand control, and entrench themselves.

Like detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network traffic analysis solutions should therefore prioritize giving incident responders the critical information needed to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.

SOC teams are increasingly overwhelmed with more responsibility, more alerts and more tools than ever. Even with full visibility, keeping up with these challenges is next to impossible when analysts must constantly chase down threats and alerts. In order to overcome this, organizations need to use their visibility and mapping to transition to truly threat-driven operations that will fortify reactive capabilities with proactive, predictive, and retrospective capabilities.

To accomplish this, organizations must overlay an understanding of the operational threat on top of the full visibility they have gained. This allows analysts and operators to weigh several courses of action, informed by full knowledge of their terrain and detailed options for uncovering or responding to threats against their organization. These courses of action can be fully automated, or can require a human to choose from among several recommended courses of action.

State of Threat Detection and Response 2020
If you would like to contribute your viewpoint on the current state of detection and response, we welcome you to participate in our ongoing survey for the Fidelis State of Threat Detection and Response 2020.

About the Author: Craig Harber, Chief Operating Officer, Fidelis

Craig Harber is Fidelis’ Chief Operating Officer, with responsibilities for product strategy, services, and customer delivery. Harber had a distinguished career at the National Security Agency (NSA) and, most recently, USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance with far-reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC).

During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as the NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), which provided DOD policymakers with a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture, raising the importance of IA to all warfighting platforms and resulting in a multi-billion-dollar increase in DOD IA investments.

At Fidelis, Harber will be directing the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry.
