Safeguarding enterprise assets is no longer just about protecting endpoints from malware, spam and phishing. Enterprise infrastructures are much more complex today than even a few years ago. In a bid to optimize processes and maximize profits, businesses are deploying cloud services, IoT and mobile solutions at an unprecedented rate. Keeping pace with digital demands can result in an expanded attack surface. This means cybersecurity chiefs need an approach that ensures enterprises are protected from both external and internal threats.
The effectiveness of an organization’s incident response capabilities poses a major challenge in the face of a constantly expanding threat landscape riddled with sophisticated attackers. Business leaders are aware of the risks associated with an attack on their IT infrastructure, and they know a breach is imminent if their security posture is weak.Additionally, the rising costs of downtime, incident response and recovery have revealed a worrying fact: security operations centers (SOCs) can no longer rely only on traditional security tools and processes to protect their organizations’ data. Late warning signs, limited support for incident response, unpatched endpoints, spotty detection of insider threats, and a long stream of false positives give attackers the advantage.
If these concerns were not enough, studies also show that SOC teams are feeling overburdened, and CISOs are no longer coping with the responsibilities of their job. Information security chiefs today are looking for ways to modernize their security architecture, to improve their ability to quickly detect and effectively respond to advanced attacks, and to stop losing sleep over the fear of single-handedly sinking their business.
The race for superior threat detection
Traditional solutions are no longer useful in the face of advanced threats, and new approach is needed–one designed to catch malicious activity in transit, before it can reach any endpoint on a targeted infrastructure. Thus, Network Traffic Analytics (NTA) was born.
Endpoint protection solutions are great at preventing the execution of threats at the endpoint level. They can even detect advanced attacks that pass through some of the prevention layers. NTA augments EPP by adding specialized detection for the most advanced threats, at the network level. This means SOCs get a bird’s eye view of all network activity to detect breaches and malicious or irresponsible user behavior, and also have access to additional historic information for regulatory compliance (PCI, GLBA, NIST and GDPR) and other retroactive investigations.
Industry watchers agree. According to Eric Ogren, an analyst with 451 Research, “What network traffic analytics sees is what is actually happening in the business in real time, with the possibility to thwart attacks before catastrophic damage occurs.”
“Network traffic analytics (NTA) is fast becoming the easiest-to manage choice to detect infected devices, track account activity and catch data being staged for later exfiltration. NTA goes beyond catching unauthorized east-to-west traffic and improper use of protocols, to include alerts when clients start acting as servers, signs of ransomware via suspicious file share activity, connections to external domains within a few milliseconds of opening an email attachment, and more.” Ogren said.
High fidelity threat reports – the key to a SOC team’s success
Probably the biggest benefit of NTA technology is that SOC teams get intelligent, automated alert triage.Automated triage significantly improves incident response. It makes incident security investigation approachable and affordable for organizations stretched between limited resources and significant cyber risks. Additionally, it provides “security visibility” into network traffic using reasoning (AI/machine learning and behavior analysis) with insights from cloud threat intelligence. An efficient NTA implementation automatically detects threats for all entities, managed or unmanaged, for encrypted or un-encrypted network traffic.
The ideal NTA deployment must be capable of automating security incident alert processing and provide context, enabling security operations to stay focused on incidents that really matter, reducing the risk of overlooking important security incident alerts.
With cyber incidents continually on the rise, high fidelity threat reports are key to empowering SOC teams to detect attacker tactics and techniques, to sniff out risky user activity, to improve analysts’ threat-hunting efficiency, as well as to achieve regulatory compliance.
About the author: Filip Truta is an information security analyst with more than twelve years of experience in the technology industry.
Copyright 2010 Respective Author at Infosec Island