Boosting Cyber Resilience with Network Detection and Response
Would you know if a cyber adversary were to successfully break into your organisation? There are more threats than ever in today’s digital environment, and attack surfaces are constantly expanding due to the widespread adoption of cloud services, remote work, and complex hybrid cloud deployments.
Unsurprisingly, threat defence today isn’t focused on protecting against attacks alone, but about preventing them from making inroads and wreaking havoc. To achieve that, such threats must be detected fast, and appropriate responses taken to address them.
Moving beyond log files
As organisations seek to gain better visibility into their environments, the traditional approach on this front is to scrutinise system and application logs for abnormal activities. Often mandated by compliance regulations, log files are typically generated by any device with an IP address and can serve as an important entry point to help organisations pull back the veil on their systems.
Another option is network detection and response (NDR). By continually monitoring network traffic to detect and respond to threats, security teams gain relevant insights to react quickly to breaches and mitigate risks. Apart from serving as an additional lens for a clearer view of the environment, network data is much richer and offers a comprehensive, real-time view of what’s happening at any moment across the monitored environment.
Moreover, even a highly skilled adversary would be hard-pressed to completely obfuscate their network activities while achieving their objectives, whether stealing confidential information or exfiltrating files. And though it is a common adversarial practice to delete or modify log files during an attack, the same cannot be done to data transmitted over the network.
Whether it is a file transfer, an authentication attempt, or lateral movement to an adjacent system, everything that happens on the network can be replayed with absolute fidelity once it has been captured by an effective NDR solution. Conversely, an organisation without visibility into its network would be hard-pressed to retrace the path taken by malware or cyber intruders as they traverse the network.
Addressing resource constraints
In a perfect world with unlimited storage capacity, an organisation could configure NDR to record every bit of data on its network. The reality is that even the largest organisations are constrained by budgets and must allocate finite resources with care. This often means intelligently planning which raw network traffic to record, based on their confidence in detecting an intrusion quickly.
Certain organisations and industries require full network capture and longer retention periods and will pay the price for storing it. But that is not the only option available. An alternative is to store only the metadata generated from some network traffic where full replay isn’t necessary. Metadata contains information that can be used to identify potential threats and anomalies while reducing storage costs dramatically.
Most cyber-mature organisations value this ability to choose to store both the raw network data as well as the associated metadata. An NDR solution which permits different retention periods between these two data sets provides the best flexibility in addressing the delicate balance between budgetary limitations and operational readiness.
When it comes to choosing the right NDR, another top consideration is its ability to integrate cleanly with existing IT systems and other cybersecurity solutions. Other important capabilities might range from features such as behavioural analytics, threat detection, or even the ability to sort potential threats in order of an organisation’s priorities for attention by a threat analyst.
It is worth noting that the U.S. government currently has a mandate for its agencies to retain full packet captures of their network traffic for 72 hours. And it’s not uncommon for government mandates to eventually carry over into the private sector.
Additional NDR considerations
Are there any additional considerations that organisations looking to deploy NDR today need to bear in mind? When network detection and response technology first emerged a few decades ago, data was routinely transmitted in the clear across the network. Today, well over half the data transmitted through networks is typically encrypted, and the share can sometimes go as high as 90 or even 100 per cent.
NDR can perform full packet capture and analysis with the appropriate setup and permissions. In an environment with a mix of unencrypted and encrypted traffic, a network traffic decryption appliance can bring back visibility into all of that hidden traffic.
But even in situations where network traffic decryption is not feasible, encrypted traffic still offers actionable insights that can be gleaned from its unencrypted headers and flow metadata. Specifically, the packet size, timing, destination, and frequency of encrypted communications can help in identifying suspicious behaviours such as data exfiltration or command-and-control communication patterns.
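As an added illustration of this point (not code from the article or from NetWitness), the following script applies two of the metadata-only heuristics described above to constructed flow records: it flags a source/destination pair whose sessions recur at near-constant intervals (a beaconing pattern) and a pair whose outbound byte volume dwarfs what comes back (an exfiltration pattern). The record layout, thresholds and IP addresses are assumptions chosen for the example.

```python
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample flow metadata (no payload): one record per encrypted session.
# Fields: start time (seconds), source host, destination, port, bytes sent, bytes received.
FLOWS = [
    # Check-ins every 60 s with tiny, near-identical payloads: beacon-like.
    *[(t, "10.0.0.12", "203.0.113.7", 443, 512 + (t % 7), 640) for t in range(0, 3600, 60)],
    # Ordinary browsing: irregular timing, mostly inbound bytes.
    (15, "10.0.0.12", "198.51.100.20", 443, 900, 48000),
    (400, "10.0.0.12", "198.51.100.20", 443, 1200, 120000),
    (2300, "10.0.0.12", "198.51.100.20", 443, 700, 32000),
    # One host pushing a large volume outbound to a single destination: exfil-like.
    (100, "10.0.0.33", "203.0.113.99", 443, 45_000_000, 9000),
    (160, "10.0.0.33", "203.0.113.99", 443, 52_000_000, 9100),
]

def analyse_flows(flows, min_samples=10, max_cv=0.2, exfil_bytes=50_000_000, exfil_ratio=50):
    """Return (kind, (src, dst, port), detail) findings derived from flow metadata alone."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, out_b, in_b in flows:
        by_pair[(src, dst, port)].append((ts, out_b, in_b))
    findings = []
    for key, recs in by_pair.items():
        recs.sort()
        times = [r[0] for r in recs]
        out_total = sum(r[1] for r in recs)
        in_total = sum(r[2] for r in recs)
        # Beaconing: enough sessions whose inter-arrival times barely vary
        # (low coefficient of variation), regardless of what the payload contains.
        if len(times) >= min_samples:
            gaps = [b - a for a, b in zip(times, times[1:])]
            avg_gap = mean(gaps)
            cv = pstdev(gaps) / avg_gap if avg_gap else 0.0
            if cv <= max_cv:
                findings.append(("beacon", key, round(avg_gap, 1)))
        # Exfiltration: outbound volume is both large and far greater than inbound.
        if out_total >= exfil_bytes and out_total >= exfil_ratio * max(in_total, 1):
            findings.append(("exfil", key, out_total))
    return findings

if __name__ == "__main__":
    for kind, pair, detail in analyse_flows(FLOWS):
        print(kind, pair, detail)
```

The thresholds are deliberately simple; in practice they would be tuned per environment and corroborated with destination reputation and asset context before an analyst acts on them.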
NetWitness: A leader in NDR
NetWitness offers comprehensive visibility into your network traffic, both encrypted and unencrypted. With its advanced analytics and threat detection capabilities, security teams can identify and respond to threats more effectively and efficiently. Seamless integration with existing IT systems and cybersecurity solutions ensures a smooth deployment, minimising operational disruptions.
“One of the reasons that NetWitness has been so successful is the way we have architected our solution, which is scalable from a single-location small organisation up to the world’s largest multinational, multi-jurisdictional organisations. And we’ve done a great job keeping up with fundamental architectural changes like SASE, where our customers retain the essential visibility into that traffic.”
– Ben Smith, Field Chief Technology Officer, NetWitness
To help security teams determine what assets matter most, NetWitness Insight combines packet visibility with historical forensics enriched with automated asset discovery and contextual information. Organisations can hence discover and gain visibility into network assets, known or unknown, for a comprehensive picture of network behaviour on which to base time-sensitive decisions.
To support remote workers and distributed teams, many organisations have turned to Secure Access Service Edge (SASE) for enhanced networking and security features. NetWitness integrates with leading SASE solutions to deliver unparalleled visibility into encrypted traffic, remote users, and cloud workloads.