Authored By: Jeff Costlow, Deputy CISO, ExtraHop
One of the great questions for this era of IT has to be how we organise data. We’ve certainly got enough of it—an unmanageable ocean of it, in fact.
When GDPR landed in 2018, businesses across the world, including in Singapore, found themselves scrambling to discover, organise, and encrypt the incredible leagues of data that they never knew they had. We are seeing a similar response to the California Consumer Privacy Act that went into effect at the start of this year, putting greater restrictions around how companies can collect and use data.
Data on its own doesn’t provide great value if it isn’t correlated with other sources. And when you have a massive amount of data, it becomes troublesome to understand what is most valuable to protect especially when it’s siloed.
This is particularly troublesome for the Security Operations Centre (SOC), which is awash in a sea of data, but without the right tools to correlate what is most critical. The average SOC receives thousands of alerts a day, tiring its senses and turning a security platform into the boy who cried wolf. With cyber crime cases accounting for almost 20 percent of all crime in Singapore, according to the Cyber Security Agency (CSA), it is imperative that SOCs are able to quickly analyse data from across the hybrid environment to identify increasingly sophisticated threats.
To understand the different types of data that is most important to organisations, it helps to consider “The SOC Visibility Triad”—a term coined by Gartner, -- referring to the three types of visibility a SOC might need to get the best possible view of threats. The triad classifies three kinds of data: logs within a Security Information and Event Management (SIEM); agent data from endpoint detection and response solutions (EDR); and network data from network detection and response solutions (NDR).
The three datasets are critical to the effective functioning of a SOC. SIEM and EDR are most understood and the most commonly deployed but they often lack the critical data needed to fully protect the enterprise. Worse, log and endpoint data can be missed or tampered with because agents can be turned off by adversaries and logging can be disabled causing an intolerable blind spot in your visibility. On the other hand, network data can not be tampered with and is as close to ground truth on the network as you can get.
By focusing on the network data, Network Detection and Response (NDR) is the most effective solution to unearth anomalies on your network missed by other tools—the ones that really matter. When an attacker’s dwell time averages three or more months inside an enterprise before detection, it opens the door for potentially catastrophic consequences. NDR passively analyses network data in real time and uses that data to inform augmented and automated response actions, providing better detection of events and faster mean time to resolution (MTTR).
Unlike firewalls or other perimeter solutions which watch the north-south route (the traffic that is coming in and out of a network), NDR products can watch the east-west route—the internal space in a network that is often a blind spot for the SOC. Furthermore, the best NDR solutions can safely decrypt traffic enabling you to uncover malicious payloads before they enter the network. NDR is especially crucial for detecting advanced adversaries who are “living off the land” by methods of exploiting existing tools and escalating privileges to get to the critical data.
As organisation's migrate to the cloud a dangerous gap in visibility into the hybrid network impacting cloud security has emerged. This means that SOCs don’t have visibility into a sizable amount of traffic between on-premises and in the cloud. To solve this problem NDR tools that can analyse cloud traffic will extend visibility from the data center into the hybrid cloud. NDR provides this critical visibility by mapping all cloud instances and using the traffic mirroring features available from the leading cloud vendors.
Finally, the public cloud is maturing, giving cloud-first enterprises the opportunity to restore the missing link in the SOC Visibility Triad and ensure that if and when perimeter security fails, they’re able to analyse suspicious behaviour and respond to threats as soon as they appear.
Understanding your network is the key to facing modern threats. An NDR platform is the solution to the problem of data silos within the organisation. It breaks down the artificial barriers that keep data siloed and ensures the SOC gets the network data it needs, making a world of difference to an organisation’s security stance.
As NDR increasingly assumes its proper role as one arm of the SOC Visibility Triad, cloud-first enterprises should make sure their entire attack surface is secure, from the data centre to remote sites. Their NDR solution should use the power of the cloud’s compute resources to carry out sophisticated analysis of network data. Going beyond mere alerts, they must index and store metrics for streamlined investigation, and provide continuous packet capture for deeper forensic investigation. It should put insights in context for the organisation and deliver information intuitively.
Enterprises that have yet to commit to cloud adoption or other innovative strategies should be able to rest easy, knowing their NDR is the fail-safe that will protect the organisation at any time, in any scenario.