Four Ways Network Traffic Analysis Benefits Security Teams


The push towards digital transformation and the growing volume of cyber attacks are finally driving IT and network security teams towards closer collaboration. The idea is not new, but it is now being put into practice in many large companies.

Network traffic analysis and security

The reasons are quite simple: all these new transformation initiatives (moving workloads to the cloud, pursuing virtualization or SD-WAN projects, and so on) create blind spots for network traffic that cannot be easily monitored using security tools and processes designed for traditional, on-premises architectures. The result is a series of islands of data and systems, tool sprawl and a lack of correlation. Basically, there is a lot of data, but little information. As the organization grows, the problems get worse.

For a business affected by a cyber attack, the final cost can be astronomical: it includes investigation and mitigation costs, legal exposure, insurance increases, acquisition of new tools, implementation of new policies and procedures, and lost revenue and reputation damage.

Size doesn’t matter: all businesses are vulnerable to attack. To improve their security posture in this new hybrid network environment, Security Operations (SecOps) and Network Operations (NetOps) teams are quickly becoming allies. In fact, Gartner recently renamed one of its market segments from “Network Traffic Analysis” to “Network Detection and Response” to reflect the growing demand for network analysis solutions focused on security.

Here are four ways that network data in general and network traffic analysis in particular can benefit the SecOps team at the Security Operations Center (SOC):

1. Enabling behavior-based threat detection

Signature-based threat detection, found in most anti-virus and firewall solutions, is reactive. Vendors create signatures for malware once it appears in the wild, or license them from third-party sources such as Google’s VirusTotal, and then update their products to recognize and protect against those threats.

While this is a useful way to quickly keep known dangerous files out of a network, the approach has limitations. Most obviously, signature-based detection cannot detect new threats for which no signature exists. More importantly, an increasing share of malware is obfuscated or packed specifically to evade signature-based detection. Research by network security firm WatchGuard Technologies found that one-third of all malware in 2019 could evade signature-based antivirus, and that the figure reached two-thirds in the fourth quarter of 2019. These threats require a different detection method.

Network Traffic Analysis (also known as Network Detection and Response, or NDR) uses a combination of advanced analytics, machine learning (ML), and rule-based detection to identify suspicious activity across the network. NDR tools consume and analyze raw traffic, such as packet data and flow metadata, to build a baseline of normal network behavior, and then raise alerts when they observe patterns that deviate from it.

Unlike signature-based solutions, which typically focus on keeping malware out of the network, most NDR solutions go beyond north-south traffic to also monitor east-west traffic between internal systems, as well as cloud-native traffic. These capabilities are becoming increasingly important as businesses virtualize and embrace the cloud. NDR solutions thus help SecOps detect and respond to attacks that escape signature-based detection. To function, these NDR solutions require access to high-quality network data.
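To make the baseline-then-deviate idea concrete, here is an added example (not code from the original article or any NDR vendor) that runs two common behavior-based checks over constructed NetFlow-style records for a single workstation: a per-source profile of transfer sizes and known peers, and a beaconing check that flags src/dst pairs contacted at suspiciously regular intervals. All hosts, ports, timestamps and byte counts are constructed sample data; a production profile would be keyed per peer, port and time of day rather than per source host as here.

```python
"""Behavior-based detection over flow metadata: build a baseline, then alert on deviations.

Added example with constructed data; not taken from any product or the original article.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed)
    src: str         # internal source host
    dst: str         # destination host
    dport: int       # destination port
    out_bytes: int   # bytes sent by src


BASE = 1_700_000_000

# Constructed "normal" window: workstation 10.0.1.20 talks to a file server (SMB),
# an internal resolver (DNS) and a web proxy, at irregular intervals.
_NORMAL = [
    (0, "10.0.2.5", 445, 4200), (47, "10.0.2.53", 53, 180), (130, "10.0.2.8", 3128, 3100),
    (171, "10.0.2.5", 445, 3900), (260, "10.0.2.53", 53, 160), (305, "10.0.2.8", 3128, 2800),
    (398, "10.0.2.5", 445, 4500), (470, "10.0.2.53", 53, 170), (512, "10.0.2.8", 3128, 3300),
    (601, "10.0.2.5", 445, 4100), (690, "10.0.2.53", 53, 190), (742, "10.0.2.8", 3128, 2900),
]
BASELINE_FLOWS = [Flow(BASE + t, "10.0.1.20", d, p, b) for t, d, p, b in _NORMAL]

# Constructed "recent" window: small, regular HTTPS connections to an external host
# (beacon-like) mixed with irregular proxy traffic from ordinary browsing.
C2_FLOWS = [Flow(BASE + 86_400 + t, "10.0.1.20", "203.0.113.7", 443, 900)
            for t in (0, 301, 599, 902, 1198, 1501, 1799, 2103)]
BROWSING_FLOWS = [Flow(BASE + 86_400 + t, "10.0.1.20", "10.0.2.8", 3128, 3000)
                  for t in (10, 95, 130, 400, 410, 880, 1500)]
RECENT_FLOWS = C2_FLOWS + BROWSING_FLOWS


def build_baseline(flows):
    """Per-source profile: mean/stdev of out_bytes and the set of (dst, dport) peers seen."""
    sizes, peers = defaultdict(list), defaultdict(set)
    for f in flows:
        sizes[f.src].append(f.out_bytes)
        peers[f.src].add((f.dst, f.dport))
    return {
        src: {"mean": mean(s), "stdev": pstdev(s) or 1.0, "peers": peers[src]}
        for src, s in sizes.items()
    }


def score_flow(flow, profile, z_threshold=3.0):
    """Return the reasons a flow deviates from its source's baseline; an empty list means normal."""
    p = profile.get(flow.src)
    if p is None:
        return ["no baseline for source"]
    reasons = []
    z = (flow.out_bytes - p["mean"]) / p["stdev"]
    if z > z_threshold:
        reasons.append(f"out_bytes z-score {z:.1f}")
    if (flow.dst, flow.dport) not in p["peers"]:
        reasons.append(f"new peer {flow.dst}:{flow.dport}")
    return reasons


def beacon_candidates(flows, min_count=6, max_jitter=0.2):
    """Flag (src, dst, dport) tuples whose inter-connection gaps vary by at most max_jitter
    (coefficient of variation of the gaps); returns [(tuple, mean_gap_seconds), ...]."""
    stamps = defaultdict(list)
    for f in flows:
        stamps[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, ts in stamps.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, avg))
    return hits


if __name__ == "__main__":
    profile = build_baseline(BASELINE_FLOWS)
    for f in RECENT_FLOWS[:1] + [Flow(BASE, "10.0.1.20", "10.0.1.31", 445, 2000)]:
        print(f.dst, f.dport, score_flow(f, profile) or "normal")
    for key, avg in beacon_candidates(RECENT_FLOWS):
        print("beacon candidate", key, f"every {avg:.0f}s")
```

Note what the two checks catch that a signature cannot: the 900-byte HTTPS connections carry no known-bad file, yet they are flagged both as a peer the host has never spoken to and, once enough of them accumulate, as a beacon with near-zero interval jitter; an SMB connection to another workstation is flagged purely because the peer is new, which is how east-west lateral movement shows up in flow data.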

2. Provide data for security analysis, compliance and forensics

The SecOps team will often need network data and behavioral insights for security analysis or compliance audits. This typically requires network metadata and packet data from physical, virtual, and cloud-native network elements deployed in the data center, branch offices, and multi-cloud environments.

The easier it is to access, index and make sense of this data (preferably in a “single pane of glass” solution), the more value it adds. Obtaining this information is quite feasible, but it requires a mix of physical and virtual network probes and packet brokers to collect and consolidate data from different corners of the network, process it, and push it to the security tool stack.

NDR solutions can also give the SecOps team the ability to capture and retain network data associated with Indicators of Compromise (IOCs) for rapid forensic investigation and analysis in the event of an incident. This ability to capture, store, index and correlate metadata and packets allows SecOps to investigate breaches and incidents after the fact, determine what went wrong, and work out how the attack can be recognized and prevented in the future.
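As an added illustration of that after-the-fact correlation (again example code, not the article’s or any vendor’s), the block below indexes constructed Zeek-style DNS and connection metadata, pivots a domain IOC to the addresses it resolved to in the retained DNS records, and then pulls every internal host that contacted those addresses, with first-seen and last-seen timestamps and bytes sent. The log lines, hostnames and addresses are constructed; the field names follow Zeek’s conn.log and dns.log JSON output, but the records are not real captures.

```python
"""Correlating retained network metadata against an IOC list for forensic triage.

Added example with constructed Zeek-style JSON records; not from the original article.
"""
import json
from collections import defaultdict

# Constructed dns.log lines: who asked for what, and what the answer was.
DNS_LOG = """
{"ts": 1700000000.1, "id.orig_h": "10.0.1.20", "query": "update.example-cdn.net", "answers": ["203.0.113.7"]}
{"ts": 1700000005.0, "id.orig_h": "10.0.1.20", "query": "www.example.org", "answers": ["198.51.100.10"]}
{"ts": 1700003600.4, "id.orig_h": "10.0.1.31", "query": "update.example-cdn.net", "answers": ["203.0.113.7"]}
""".strip()

# Constructed conn.log lines: one record per connection.
CONN_LOG = """
{"ts": 1700000001.0, "id.orig_h": "10.0.1.20", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 900}
{"ts": 1700000006.0, "id.orig_h": "10.0.1.20", "id.resp_h": "198.51.100.10", "id.resp_p": 443, "orig_bytes": 5000}
{"ts": 1700000301.0, "id.orig_h": "10.0.1.20", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 900}
{"ts": 1700003601.0, "id.orig_h": "10.0.1.31", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 910}
{"ts": 1700007200.0, "id.orig_h": "10.0.1.31", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 48000000}
""".strip()

# Constructed IOC list: a single C2 domain supplied by threat intelligence (hypothetical).
IOCS = {"domain": {"update.example-cdn.net"}, "ip": set()}


def load_records(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def expand_iocs(dns_records, iocs):
    """Pivot domain IOCs to every address they resolved to in the retained DNS metadata."""
    ips = set(iocs["ip"])
    for r in dns_records:
        if r["query"] in iocs["domain"]:
            ips.update(r["answers"])
    return ips


def correlate(dns_records, conn_records, iocs):
    """Return {internal_host: {first_seen, last_seen, events, bytes_out}} for every host that
    connected to an IOC address, plus the expanded IOC address set used for matching."""
    ips = expand_iocs(dns_records, iocs)
    hosts = {}
    for r in sorted(conn_records, key=lambda r: r["ts"]):
        if r["id.resp_h"] not in ips:
            continue
        h = hosts.setdefault(r["id.orig_h"],
                             {"first_seen": r["ts"], "last_seen": r["ts"], "events": 0, "bytes_out": 0})
        h["last_seen"] = r["ts"]
        h["events"] += 1
        h["bytes_out"] += r["orig_bytes"]
    return hosts, ips


def dwell_seconds(hosts):
    """Time between the earliest and latest IOC contact across all affected hosts (0 if none)."""
    if not hosts:
        return 0.0
    return max(h["last_seen"] for h in hosts.values()) - min(h["first_seen"] for h in hosts.values())


if __name__ == "__main__":
    hosts, ips = correlate(load_records(DNS_LOG), load_records(CONN_LOG), IOCS)
    print("IOC addresses:", sorted(ips))
    for host, info in hosts.items():
        print(host, info)
    print("observed dwell (s):", dwell_seconds(hosts))
```

The pivot step is the part worth retaining metadata for: the IOC list names only a domain, but the DNS records turn it into an address, and the connection records then reveal a second host (10.0.1.31) that was never in the alert and a large outbound transfer from it. Without indexed DNS and connection metadata that pivot is a manual packet-capture search, if the packets were kept at all.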

3. Provide better network visibility for better security automation

Qualified security professionals are scarce and their time is extremely valuable. Automating security tasks can help businesses resolve incidents faster and free up time for the SecOps team to focus on more important work. Unfortunately, visibility and automation are only as good as the quality and granularity of the data they run on, and both too little and too much can be a problem.

With too little data, automated solutions are just as blind as the SecOps team. Too much data, in the form of a threat detection system issuing too many alerts, can result in a “boy who cried wolf” scenario in which automated responses shut down accounts or workloads and do more harm than good.

Missing data, too many alerts, or inherent blind spots can mean that the machine learning and analytics models that NDR relies on will not perform well, producing false positives while missing real threats. In the long run, that means more work for the SOC team.

The key to successful automation is high-quality network data that produces accurate security alerts, so that responses to those alerts can safely be automated.

4. Reduced malware dwell time

NDR solutions typically have little or no blocking capability, because they are usually deployed out of band rather than inline (although that deployment choice is up to the IT team). Even so, they are effective in shortening the incident response window and reducing malware dwell time by quickly identifying suspicious behavior or traffic. The output of NDR tools can be fed into downstream security tools that verify and remediate the threats.

Malware dwell time has steadily declined across the industry. The 2019 Verizon Data Breach Investigations Report (DBIR) found that 56% of breaches took months or longer to discover, while the 2020 DBIR reported that 81% of data breaches were contained within days or less. The two figures measure different things (time to discover versus time to contain), but the trend is encouraging, and we hope SecOps teams will continue to partner with NetOps to reduce dwell time even further.

The benefits of network detection and response, or network traffic analysis, go far beyond the traditional realm of NetOps. By working together, NetOps and SecOps teams can create a strong visibility architecture and practice that strengthens their security posture and leaves the organization well prepared in the event of an attack.

Complete network visibility allows security teams to see all relevant traffic through a security lens, use behavior-based and automated threat detection methods, and capture and store relevant data for in-depth analysis when investigating and responding to an incident.
