
4/20/2020
09:00 AM
By Craig Harber, Chief Operating Officer, Fidelis
Sponsored Article

The State of Network Traffic Analysis

Does your security team have the network traffic visibility tools you need to defend against attackers? Weigh in to Fidelis' 2020 threat detection and response survey and find out.

Modern organizations have seen a massive expansion of their cyber terrain with the integration of business systems, information technology, and operational technology that is fundamentally transforming the effectiveness and efficiencies of business operations. Unfortunately, this integration of business systems and technologies that are enablers of digital transformation will expand the attack surface and potentially accelerate the speed and damage of attacks.

As part of Fidelis Cybersecurity’s ongoing research efforts, we are asking cybersecurity practitioners to participate in our 2020 State of Threat Detection and Response Survey.

Correlation between cyber terrain and exploitable attack surface is leading many organizations to question whether they have the right cybersecurity tools deployed to provide visibility of their network traffic. This is consistent with key findings of Fidelis Cybersecurity’s State of Threat Detection and Response 2019 report, which found that 69% of respondents believe their attack surface grew as a result of additional cloud applications, higher levels of network traffic, and a higher number of endpoints (especially with the rise in BYOD devices), enterprise IoT and mergers & acquisitions. This same report also found 49% of respondents did not have holistic visibility, while only 12% strongly agreed that they had full visibility of their cyber terrain.

A key takeaway: As the cyber terrain continues to grow, organizations must evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility, detection, and response to attacks across the cyber terrain. This can be accomplished by operationalizing cyber threat frameworks such as MITRE ATT&CK™.

Scaling Visibility
As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of adversarial machine learning), early detection and response remains one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, the dwell time of a cyberattack is currently measured in terms of months instead of hours or days, providing attackers with ample time to collect information, move throughout the network and damage or exfiltrate enterprise data. To effectively detect and respond to threats early in the attack kill chain, organizations must have holistic visibility of their terrain.

Cyber attackers will use a variety of tactics, techniques and procedures (TTPs) to remain undetected by security tools, but these actions also create opportunities for analysts to find them. For this, security organizations rely upon network traffic analysis (NTA) technology which can capture, process, and analyze network traffic to detect and investigate data that may indicate a cyberattack. Modern network traffic analysis solutions must use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities and sophisticated attackers on enterprise networks.

Operationalizing Threat Frameworks
Operationalizing capabilities against cyber threat frameworks provides organizations with a concrete method for assessing what defensive capabilities they possess and which ones they need. The framework is effectively a decision support tool to assist organizations in the acquisition of new capabilities and/or the rationalization of existing capabilities. Cybersecurity teams should align their day-to-day post-breach detection and response actions to a cyber threat framework such as the MITRE ATT&CK framework. Intelligence derived from this approach will help cybersecurity teams identify where and how attackers will seek to exploit defenses, and will give organizations a valuable starting point for positioning their defensive capabilities to proactively guard against attacks.
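As an added illustration (not Fidelis' code or any ATT&CK tooling), the following Python script performs the assessment this section describes on a constructed subset of ATT&CK technique IDs and a constructed detection inventory: it maps each deployed detection onto the techniques it claims to cover, lists the techniques a threat profile requires but nothing covers, reports coverage per tactic, and flags techniques that depend on a single data source.

```python
from collections import defaultdict

# Constructed subset of ATT&CK techniques: id -> (name, tactic).
# Real technique IDs, but a hand-picked slice, not an export of the framework.
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access"),
    "T1078": ("Valid Accounts", "Persistence"),
    "T1046": ("Network Service Discovery", "Discovery"),
    "T1021": ("Remote Services", "Lateral Movement"),
    "T1071": ("Application Layer Protocol", "Command and Control"),
    "T1041": ("Exfiltration Over C2 Channel", "Exfiltration"),
    "T1048": ("Exfiltration Over Alternative Protocol", "Exfiltration"),
}

# Constructed inventory of deployed detections, each tagged with the
# techniques it is meant to catch and the sensor (data source) it relies on.
DETECTIONS = [
    {"name": "beaconing-analytics", "sensor": "network", "techniques": ["T1071"]},
    {"name": "dns-tunnel-rule", "sensor": "network", "techniques": ["T1048", "T1071"]},
    {"name": "lateral-rdp-smb-rule", "sensor": "network", "techniques": ["T1021"]},
    {"name": "mail-sandbox", "sensor": "email", "techniques": ["T1566"]},
]


def coverage_report(techniques, detections, required=None):
    """Return (covered, gaps, ratio): covered maps technique id -> set of
    sensors that detect it; gaps lists required techniques with no detection;
    ratio maps tactic -> fraction of its required techniques that are covered."""
    required = set(required or techniques)          # default: assess everything
    covered = defaultdict(set)
    for det in detections:
        for tid in det["techniques"]:
            if tid in techniques:                      # ignore unknown tags
                covered[tid].add(det["sensor"])
    gaps = sorted(t for t in required if t not in covered)
    tally = defaultdict(lambda: [0, 0])                # tactic -> [covered, total]
    for tid in required:
        tactic = techniques[tid][1]
        tally[tactic][1] += 1
        tally[tactic][0] += 1 if tid in covered else 0
    ratio = {tactic: hit / total for tactic, (hit, total) in tally.items()}
    return dict(covered), gaps, ratio


def single_source(covered):
    """Techniques seen by exactly one sensor type: candidates for adding a
    second data source (e.g. endpoint beside network) rather than a new tool."""
    return sorted(t for t, sensors in covered.items() if len(sensors) == 1)
```

Passing a `required` list drawn from the techniques a tracked threat actor is known to use narrows the report to the gaps that matter for that adversary.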

Detection
In addition to using cyber threat frameworks that map threat actors to known attack methodologies, organizations also need to continuously use detection capabilities to hunt for emerging or unknown threats using both automated and manual approaches. Reducing cyber dwell time is a critical metric for all cybersecurity teams that will benefit from improvements in visibility of their cyber terrain. Not surprisingly, visibility trailed automation as the second leading overall concern for organizations according to the 2019 State of Threat Detection report, with 53% of respondents identifying their lack of visibility as a high priority.

This pushes many organizations into a reactive security posture, in which analysts scramble to respond in a timely manner to new and evolving attacks. To shift from a reactive to a proactive posture, organizations will need to re-evaluate their security strategy, shape the attack surface to their advantage, and make network traffic analysis solutions the cornerstone of their SOC operations. Ideal network traffic analysis solutions should provide organizations with deep visibility into their own cyber terrain, as well as into the tactics and techniques that attackers use to infiltrate networks, expand control, and entrench themselves.

Response
Like detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network traffic analysis solutions should therefore prioritize giving incident responders the critical information needed to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.

SOC teams are increasingly overwhelmed with more responsibility, more alerts and more tools than ever. Even with full visibility, keeping up with these challenges is next to impossible when analysts must constantly chase down threats and alerts. In order to overcome this, organizations need to use their visibility and mapping to transition to truly threat-driven operations that will fortify reactive capabilities with proactive, predictive, and retrospective capabilities.

To accomplish this, organizations must overlay an understanding of the operational threat on top of the full visibility they have gained. This allows analysts and operators to weigh several courses of action, informed by full knowledge of their terrain and detailed options for uncovering or responding to threats against their organization. These courses of action can be fully automated or require human intervention to choose from one of several recommended best courses of action.

State of Threat Detection and Response 2020
If you would like to contribute your viewpoint on the current state of detection and response, we welcome you to participate in our ongoing survey for the Fidelis State of Threat Detection and Response 2020.

About the Author: Craig Harber, Chief Operating Officer, Fidelis

Craig Harber is Fidelis’ Chief Operating Officer, with responsibilities for product strategy, services and customer delivery. Harber had a distinguished career at the National Security Agency (NSA), and most recently USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance, having far reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC).

During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), which provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture, raising the importance of IA to all warfighting platforms and resulting in a multi-billion dollar increase in DOD IA investments.

At Fidelis, Harber will be directing the product strategy for the organization, ensuring that the technology developments align and complement the frameworks at the forefront of the industry.
