Network Traffic Analysis Provides Visibility, Detection and Investigation Capabilities

More and more, organizations are finding they do not have the levels of automation and visibility needed to prevent, detect and respond to modern threats. These threats are harder than ever to detect, and they constantly evolve to take advantage of gaps in security postures that have been widened by increasingly disparate architectures. For example, traditional perimeter defenses were not designed to protect the wide range of applications, services and endpoints managed by the commercial cloud providers underpinning today’s digital transformation.

As it currently stands, most organizations lack the automation and visibility needed to stay ahead of these threats. This forces many organizations into a reactive security posture, requiring analysts to scramble to react in a timely manner to new and evolving attacks against their cyber terrain. To shift from a reactive to a proactive posture, organizations will need to re-evaluate their security strategy so that they can shape the attack surface to their advantage and make network traffic analysis the cornerstone of the detection and response capabilities their SOC teams rely on.

Discovery and Assessment

First, organizations need to know what their security stack contains – what capabilities are present and utilized, what capabilities are missing, and what capabilities may be duplicative. The easiest way to assess this is by mapping capabilities against a threat-based framework, such as the MITRE ATT&CK™ framework or the Department of Defense’s DoDCAR framework. This gives organizations a decision support tool for developing a complete understanding of both current and desired capabilities and of their risk posture.

Often this is where organizations will find redundancies in their security stack, uncovering a multitude of overlapping or redundant solutions that are not being utilized to their full capability. It is also where they will be able to identify which capabilities they lack, by mapping their existing state to a cyber threat framework. Operationalizing capabilities against threat frameworks provides organizations with a structured methodology for assessing which cyber capabilities they already have – and which ones they lack. This valuably informs their larger security strategy going forward.
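A minimal way to run this capability-mapping exercise, added here as an illustration rather than anything from the article or from Fidelis: the tool inventory and the prioritized technique list are constructed, and the technique IDs are MITRE ATT&CK identifiers used only as labels. The script reports uncovered priority techniques (gaps), techniques covered by several tools (overlap), and tools that add no coverage beyond the rest of the stack.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Constructed inventory of hypothetical tools -> ATT&CK techniques each claims to detect.
STACK: Dict[str, Set[str]] = {
    "nta-sensor": {"T1071", "T1048", "T1021"},
    "edr": {"T1059", "T1055", "T1021"},
    "siem": {"T1078", "T1021"},
    "legacy-ids": {"T1071"},
    "legacy-av": {"T1204"},
}
# Constructed priority list, e.g. techniques drawn from threat intel relevant to the organization.
PRIORITY: List[str] = ["T1071", "T1048", "T1021", "T1059", "T1055", "T1078", "T1566", "T1003"]


def coverage_map(stack: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Invert the inventory: technique -> sorted list of tools covering it."""
    cov = defaultdict(list)
    for tool, techs in stack.items():
        for t in techs:
            cov[t].append(tool)
    return {t: sorted(tools) for t, tools in cov.items()}


def gaps(stack: Dict[str, Set[str]], priority: List[str]) -> List[str]:
    """Prioritized techniques no tool in the stack covers, in priority order."""
    cov = coverage_map(stack)
    return [t for t in priority if t not in cov]


def redundancies(stack: Dict[str, Set[str]], min_tools: int = 2) -> Dict[str, List[str]]:
    """Techniques covered by at least min_tools tools (overlap worth rationalizing)."""
    return {t: tools for t, tools in coverage_map(stack).items() if len(tools) >= min_tools}


def fully_overlapped(stack: Dict[str, Set[str]]) -> List[str]:
    """Tools whose every technique is also covered by another tool (retirement candidates)."""
    out = []
    for tool, techs in stack.items():
        others = set().union(*(v for k, v in stack.items() if k != tool))
        if techs and techs <= others:
            out.append(tool)
    return sorted(out)


def off_priority(stack: Dict[str, Set[str]], priority: List[str]) -> List[str]:
    """Tools that cover none of the prioritized techniques."""
    pri = set(priority)
    return sorted(tool for tool, techs in stack.items() if not techs & pri)
```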

Understanding the Terrain

While mapping organizational assets, capabilities and vulnerabilities against a framework is an important step, there is still much work to do. The cyber terrain is malleable and constantly changing – that means visibility is a constant and ongoing priority. To achieve visibility, organizations need the ability to:

• Continuously discover, classify, and assess assets, including laptops, desktops, servers, enterprise IoT, shadow IT, and legacy systems;

• Discover all software installed on the identified assets;

• Continually run vulnerability assessments and alert on any vulnerability found in installed software.

However, simply collecting logs, events, and alerts is not enough. In fact, when executed improperly, these can actively harm an organization’s ability to detect, hunt and respond. This is often the case when excessive false positives generate an unmanageable deluge of alerts, resulting in alert fatigue for security analysts. In these instances, more data is not necessarily a good thing. The focus should be on strategic placement of network traffic analysis sensors across your terrain to help you zero in on the right data, along with advanced machine-learning analytics in place to process that data and make it actionable.

To achieve this, organizations must prioritize deep visibility, i.e., visibility generated through rich, indexable metadata that can provide content and context around security incidents. This allows organizations to see how different pieces of the overall cyber terrain are communicating with one another, enabling them to highlight potential or existing attack vectors.

Threat Driven Operations

As previously stated, SOC teams are increasingly overwhelmed with more responsibility, more alerts and more tools than ever. Even with full visibility, keeping up with these challenges is next to impossible when analysts must constantly chase down threats and alerts. To overcome this, organizations need to use their newfound terrain visibility and threat-framework mapping to transition to truly threat-driven operations that fortify reactive capabilities with proactive, predictive, and retrospective ones. This improves network traffic analysis capabilities by institutionalizing threat detection and response best practices: rigorously mapping the cyber terrain, identifying vulnerabilities, and supporting SOC teams in detection and response with an integrated technology stack that provides continuous end-to-end visibility.

Operationalize and Automate

Any kind of digital transformation must primarily seek to enable robust data-driven decision-making, exploiting all available data sets using artificial intelligence and machine learning technologies. This takes the burden of creating and managing an expert security team off the company so that it can focus on its own business priorities, instead of combing through endless alerts and wondering what threats may be looming on the horizon or, worse, already inside the network.

Once modernization initiatives have been realized, organizations must overlay an understanding of the operational threat on top of the full visibility they have gained. This allows analysts and operators to weigh several courses of action, informed by full knowledge of their terrain and by detailed options for uncovering or responding to threats against their organization. These courses of action can be fully automated, or a human can be asked to choose one of several recommended courses of action.

Conclusion

Traditional cyber security solutions focused on a “set it and forget it” approach for simplicity and efficiency. Unfortunately, while this approach may be effective at catching low-level threats, it also allows advanced attacks to proliferate undetected. The cyber fight cannot be won by deploying individual technologies focused on singular issues. Enterprise cyber security solutions must consider the comprehensive set of capabilities needed to continuously protect, detect, and respond to all threats in cyber-relevant time. Network traffic analysis solutions must improve discovery, identification and situational awareness, and integrate with rapid response capabilities to reduce cyber dwell time, giving the adversary the least possible opportunity to move laterally and remove critical data from your enterprise.

The first step in doing this is gaining back control of the security stack and molding it to fit a more proactive security approach going forward.

Craig Harber joined Fidelis Cybersecurity as Chief Technology Officer following a distinguished career at the National Security Agency (NSA) and, most recently, USCYBERCOM, where he held senior technical roles driving major initiatives in cybersecurity and information assurance with far-reaching strategic impact across the Department of Defense (DOD) and Intelligence Community (IC). During his career at the NSA, Harber earned a reputation as a respected authority on technical strategies to fully integrate and synchronize investments in cybersecurity capabilities. He invented the threat-based cybersecurity strategy known as NIPRNet SIPRNet Cyber Security Architecture Review (NSCSAR), which provided DOD policymakers a framework to objectively measure the expected value of cybersecurity investments. He transformed Active Cyber Defense concepts into capability pilots, commercial product improvements, industry standards, and operational solutions. He also directed the Integrated Global Information Grid (GIG) IA Architecture, raising the importance of IA to all warfighting platforms and resulting in a multi-billion dollar increase in DOD IA investments.