With vast volumes of traffic flowing across company networks and cyber attacks becoming ever more common, how easy is it in practice to define “normal” on your network and to know when it is under threat from suspicious behaviour and critical risks?
Defenders have one big advantage over attackers: they can learn what “normal” looks like on their own networks, and attackers cannot. Completing an attack means working through the cyber kill-chain, and several of its steps (probing and reconnaissance, command and control, and exfiltration among them) are best detected from inside the network, where that baseline exists.
In this blog we look at how to close this gap and answer some common questions on the topic.
We already have endpoint protection, isn’t that sufficient?
As a stand-alone measure, endpoint detection and response (EDR) cannot be installed on printers, IP cameras, smart TVs or other IoT devices, and it will never be present on guest or rogue devices.
It is therefore important to build an additional layer of defence behind the firewall that detects the anomalies and threats which can lurk in a network for weeks, months or even years before a potentially devastating attack is executed. These include:
- Unauthorised VPNs created for the purpose of exfiltration
- Tampered firewall policies
- Rogue machines – machines running in an unknown subnet
- Data traffic to prohibited countries (North Korea, Iran, etc.)
- Network Dark Spots – network misconfiguration increasing the risk of an attack going undetected
- Retired assets suddenly becoming active
- Unauthorised use of company IT resources
- Suspicious after-hours traffic
These types of activity are common to a wide range of attacks, including ransomware, Bitcoin mining, cybercriminal intrusion attempts and malicious insiders.
How can this gap be filled?
A three-step approach provides alerting when suspicious behaviour that puts critical IT assets at risk is detected.
- Identify: Discover the assets, asset groups and subnets on the network, and build baselines of normal network behaviour for those assets.
- Detect: Detect policy violations, anomalies and threats on the network. Alerts are generated and a SOC analyst determines whether each alert is valid. A low false-positive rate and explainable results are essential to keep SOC analysts productive and engaged.
- Respond: Once an alert is raised, whether here or forwarded to another system such as a SIEM, it needs to be analysed and understood by diving into the underlying network traffic. Feeding the outcome of each incident back into the system so that it produces more accurate results in future is also a vital part of a good solution, and the network data should be archived so that historical traffic can be re-examined to understand the impact of newly discovered vulnerabilities or attacks.
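To make the Identify / Detect / Respond cycle and several of the threat types listed earlier (rogue machines, retired assets becoming active, traffic to prohibited countries, after-hours traffic, exfiltration-sized transfers) concrete, here is a small added example written for this post; it is not code from any NDaaS product. It assumes flow records that already carry a destination country from an upstream GeoIP lookup, and the asset inventory, subnets, retired host and every flow are constructed sample data, not observations from a real network.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# --- Constructed inventory: the inputs to the "Identify" step. All values are invented. ---
KNOWN_SUBNETS = [ip_network("10.0.10.0/24"), ip_network("10.0.20.0/24")]
RETIRED_ASSETS = {"10.0.20.77"}          # decommissioned host that should never send traffic again
PROHIBITED_COUNTRIES = {"KP", "IR"}      # the post's examples (North Korea, Iran) as ISO 3166 codes
SIGMA_THRESHOLD = 3.0                    # how far above a host's baseline counts as anomalous


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_country: str      # assumed to be filled in upstream by a GeoIP lookup
    bytes_out: int


def build_baseline(history):
    """Identify: learn per-source "normal" from historical flows.
    Returns {src: (mean_bytes_out, stdev_bytes_out, set_of_hours_seen)}."""
    sizes, hours = defaultdict(list), defaultdict(set)
    for f in history:
        sizes[f.src].append(f.bytes_out)
        hours[f.src].add(f.ts.hour)
    return {src: (mean(v), pstdev(v), hours[src]) for src, v in sizes.items()}


def detect(flow, baseline):
    """Detect: return [(rule, explanation)] for one flow. An empty list means "normal".
    Every alert carries a one-line reason so an analyst can judge it without re-deriving it."""
    alerts = []
    src_ip = ip_address(flow.src)
    # Policy rules: need only the inventory, not a learned baseline.
    if not any(src_ip in net for net in KNOWN_SUBNETS):
        alerts.append(("rogue_machine", f"{flow.src} is outside every known subnet"))
    if flow.src in RETIRED_ASSETS:
        alerts.append(("retired_asset_active", f"{flow.src} is retired but sent traffic"))
    if flow.dst_country in PROHIBITED_COUNTRIES:
        alerts.append(("prohibited_country", f"{flow.src} -> {flow.dst} ({flow.dst_country})"))
    # Anomaly rules: compare against what this particular source normally does.
    if flow.src in baseline:
        mu, sigma, hours_seen = baseline[flow.src]
        if flow.ts.hour not in hours_seen:
            alerts.append(("after_hours", f"{flow.src} active at {flow.ts:%H:%M}, never seen at that hour"))
        # Guard sigma == 0 (constant history) so a trivial change is not reported as a 3-sigma event.
        if sigma > 0 and flow.bytes_out > mu + SIGMA_THRESHOLD * sigma:
            alerts.append(("volume_anomaly",
                           f"{flow.src} sent {flow.bytes_out} B, baseline {mu:.0f} +/- {sigma:.0f}"))
    return alerts


def triage(flows, baseline):
    """Respond: group alerts per source host, most findings first, keeping the originating
    flow with each alert so the analyst can pivot straight to the underlying traffic."""
    per_src = defaultdict(list)
    for f in flows:
        for rule, why in detect(f, baseline):
            per_src[f.src].append((rule, why, f))
    return sorted(per_src.items(), key=lambda kv: len(kv[1]), reverse=True)


# Constructed history for one known host: business-hours traffic of ~1 KB per flow.
HISTORY = [
    Flow(datetime(2024, 3, 4, 9, 0), "10.0.10.5", "203.0.113.10", "US", 1000),
    Flow(datetime(2024, 3, 4, 10, 0), "10.0.10.5", "203.0.113.10", "US", 1200),
    Flow(datetime(2024, 3, 5, 11, 0), "10.0.10.5", "203.0.113.10", "US", 900),
    Flow(datetime(2024, 3, 5, 14, 0), "10.0.10.5", "203.0.113.10", "US", 1100),
    Flow(datetime(2024, 3, 6, 16, 0), "10.0.10.5", "203.0.113.10", "US", 1300),
]

# Constructed "live" flows: one normal, one after-hours bulk transfer, one rogue host,
# one retired host talking to a prohibited country.
LIVE_FLOWS = [
    Flow(datetime(2024, 3, 11, 10, 15), "10.0.10.5", "203.0.113.10", "US", 1050),
    Flow(datetime(2024, 3, 11, 2, 30), "10.0.10.5", "198.51.100.7", "DE", 50_000_000),
    Flow(datetime(2024, 3, 11, 11, 0), "10.0.99.4", "203.0.113.10", "US", 500),
    Flow(datetime(2024, 3, 11, 11, 5), "10.0.20.77", "203.0.113.10", "KP", 2000),
]

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for src, findings in triage(LIVE_FLOWS, base):
        print(f"{src}: {len(findings)} alert(s)")
        for rule, why, _ in findings:
            print(f"  [{rule}] {why}")
```

The split between inventory-driven policy rules and baseline-driven anomaly rules mirrors the Identify/Detect steps: the rogue and retired-asset checks work on day one from the asset list, while the after-hours and volume checks only become meaningful once a per-host baseline has been learned. Note that the normal flow produces no alert at all, which is the property the post stresses: a low false-positive rate with an explanation attached to every alert that does fire.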
What’s the solution?
Companies of all sizes are looking for an easy-to-deploy, comprehensive and cost-effective solution that gives visibility across their networks through a security and risk lens. Because not every organisation can recruit enough (or any) cyber analysts to investigate every alert coming from its existing security systems, tools that identify and prioritise genuine potential threats, and so make the most of SOC analyst capacity, are crucial.
Network Defence as a Service (NDaaS) is designed to be one part of an organisation’s layered security architecture. As such, it integrates with the surrounding security technologies, including SIEM, EDR, network access control (NAC), network performance monitoring and diagnostics (NPMD), and security orchestration, automation and response (SOAR).
To demonstrate compliance with the relevant audit and regulatory requirements, modern organisations need reports that show they are monitoring their networks satisfactorily. Because NDaaS is delivered from the cloud rather than as a physical security appliance, it can be deployed without the long-term cost of appliance deployment and maintenance.