Closing the door before the horse bolts: Developing a proactive network detection and response (NDR) strategy
By Adrian Jones, UK country manager, Gatewatcher
It is an unfortunate truth that most cyber-security is reactive. Despite huge investment and innovation in technologies and skills, it is only after an attacker has achieved their objectives, that organisations usually discover that a serious incident has occurred.
In these instances, businesses only learn after a major attack or breach. There have been numerous lessons: from Cam4 to LinkedIn, Yahoo to Marriott or Uber, Home Depot and Facebook, the list of companies that have experienced network breaches continues to grow.
So why – despite the innovation of vendors, and the resources spent by target companies – can businesses not get on the front foot? What frustrates the efforts of the security operations centre (SOC) at these organisations? And how can it be remedied?
Devices x security x management
The main challenge for organisations stems from how to manage the security of the network and all the devices which connect and communicate across it, effectively. This has become a ‘cubed’ threat: more devices, multiplied by more security, leading to increased management.
These devices include corporate machines, Bring Your Own Devices (BYOD) hardware, Internet of Things (IoT) sensors, as well as the network infrastructure itself, such as routers and switches. Organisations may also have manufacturing, operational or Industrial Control System (ICS) environments using protocols such as Supervisory Control and Data Acquisition (SCADA). Lastly, the continual growth of ‘Shadow IT’ must also be accounted for because it can be vital to improved productivity.
Having an effective security strategy to cover all these technologies and scenarios requires multiple products. Multi-vendor security products lead to multiple dashboards, correlating all the events and alerts across the different platforms. This creates complexity and is a challenge to both network and security teams.
Despite the best efforts of the latest Security Orchestration, Automation, and Response (SOAR) software, the volume of notifications from systems flagging changes or anomalies becomes overwhelming. False positive alert fatigue – where staff become desensitized to the alert and fail to act appropriately – is all too common.
In effect, the holes in the net get bigger. Even before a business accounts for increasingly sophisticated threats, the number of alerts means that low noise, advanced persistent threats can stay undetected for months.
Into the unknown
The solution to this issue is improving the quality of the visibility across the network. In this respect, quality is determined by the delivery of relevant information, as opposed to large volumes of data, presented to human users and managers in a format that they can understand.
The objective is to detect and remedy issues before they arise. The adage: “You cannot hit what you cannot see,” is relevant. By enhancing visibility, an organisation can understand exactly what type of devices are on the network, what systems and applications are being used and which users are accessing these applications.
The devil is in the detail. Knowing more about a risk allows the organisation to control and mitigate that exposure, better and faster. Meaningful visibility of network traffic, is only the first step. In order to use this information to detect malicious or risky behaviour, businesses need a qualitative approach that makes sense of what they see.
This focus on quality also applies to the management tools themselves. Multiple, disparate systems make forensics and investigations overly complex. By integrating multiple, complementary technologies, far greater visibility can be achieved. Especially when reducing tens of management interfaces, to just one or two.
Integration and collaboration to improve visibility
This is the realm of complementary, effective technologies under the banner of Network Detection and Response (NDR) using Cyber Threat Intelligence (CTI) to identify tangible threats, as opposed to large numbers of anomalies.
Integrated with Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM) and SOAR, these systems can develop a comprehensive, robust strategy for detecting multiple threats across expansive networks. The are also able to forensically examine the details and history of any attack, dynamically across all assets
In short, businesses get both scale and detail. The holes in the net get smaller, even if the net itself is bigger.
This level of response from the cyber-security industry has been long overdue. The number of networked devices and the overall attack surface that can be exploited, will expand substantially. In 2022, the market for the Internet of Things alone is expected to grow to 14.4 billion active connections. It is expected that by 2025, there will be approximately 27 billion connected IoT devices.
Elsewhere, nearly half of endpoint devices are at risk because they are no longer on the information technology organization’s radar or critical software is outdated, according to recent research. This is made more pressing as businesses encounter occasions where they cannot apply cybersecurity technology on non-standard devices, such as those found in operational technology (OT).
The response after the detection
The good news is that prevention strategies do effectively mitigate common and easily identifiable threats. But even here, Advanced Persistent Threats and Zero Days are on the rise. As security vendors have evolved their technologies to incorporate Artificial Intelligence (AI) and Machine Learning (ML), so too, have adversaries.
The number of sophisticated, low noise, long-term attacks will only increase. Detection technologies must not only alert business to these refined attacks, but also keep false positives to a minimum, to avoid a repeat of the alert fatigue that created the issue in the first place!
The awkward truth is that attackers only need to succeed once. In the attempt to eliminate this opportunity, technologies can create large volumes of false positives that reduce the efficacy of the SOC, by making the haystack bigger.
Any SOC – and the protection it affords – is only as good as the analysts within it. Those analysts rely on the tooling and threat intelligence that they have at their disposal to ensure the visibility that is the key to the proactive security of the network.