How traffic analysis can help protect business networks [Q&A]
One of the biggest challenges that cybersecurity teams face at the moment is alert noise, which can blind them to real threats.
Corporate performance management (CPM) specialist Prophix Software recently chose to adopt a network traffic analysis (NTA) solution to address this issue. We spoke to Kristofer Laxdal, the company's director of information security, to discover why it chose to invest in NTA technology and what benefits it's seeing.
BN: What types of security tools had you been using before and where did you find there were holes or blind spots?
KL: Visibility is the most critical component of security for us. We have a security incident and event management (SIEM) tool as a first line of defense and use other sources within our environment such as endpoint detection and response (EDR) and security orchestration and response.
While these tools give us a lot of insight across pieces of the organization, we found that correlating them to get a single, comprehensive view of everything on and across our network was a challenge. This is made more complex because we deal with so many different types of use cases.
We needed a platform that could look across our entire environment and give us a true assessment of all potential outliers and threats -- including indicators of compromise for ransomware; possible command and control servers; clear text passwords and bad domains and the traffic going to them; and even hard-to-detect models of data exfiltration (like those using DNS or ICMP).
All of this information has to be delivered in real-time in a way that would allow us to immediately react and remediate them if required.
The last requirement was finding something that could keep up with today's threats. We don't want to continually need to add new tools for the latest threat flavor of the month. We're constantly evolving our use cases, so having a consistent tool set that can adapt to these changes is critical.
BN: How did you land on network detection and response as the solution to fill those gaps?
KL: In evaluating solutions, we kept coming back to the fact that the network sees everything and provides objective realities other data sources often struggle with. The network detection and response category hasn't been around for long, but its solutions were able to give us that critical look across the enterprise and single source of truth that can help detect hard-to-find threats other tools might miss.
While other network security tools (firewalls, IDS and IPS, for example) monitor traffic that crosses the perimeter of a network, NDR offers us insight into threats that could reside within the network. Not only does it give our team broad visibility into a variety of communications in real time, it also allows analysis of encrypted traffic by analyzing full packet payloads without actually peeking into them -- an essential privacy capability in today's heavily regulated era.
NDR also supplements that visibility with cross-organizational insight that helps rationalize our vast data. It helps to track and profile all entities on the network and then attribute the behaviors and relationships to those entities in order to give our detection and response workflows ample context to react to its insights accordingly. By implementing NDR, what was once a process that took hours and required a high degree of skill from our security team could be largely automated and institutionalized.
BN: You evaluated several solutions. What were you looking for?
KL: At the highest level, we were looking to enhance our ability to identify modern attackers who have changed their tactics to circumvent malware-blocking defenses. This is the promise of NDR as a category, but not every solution lives up to the challenge in the same way.
When it comes to individual solutions, the biggest thing we were looking for was a clean and easy-to-navigate interface that would allow the team to focus on the real threats on the network -- without adding noise in terms of false positives and unnecessary complexity for our security team. This needed to involve automated context gathering around malicious activity in order to help our team more quickly and effectively mitigate potential risks.
Furthermore, we operate globally, so adhering to the principles of privacy regulations like GDPR in Europe and PIPEDA in Canada is a must. This comes into consideration when you think about analyzing encrypted traffic, but also means that we have a legal obligation to report if there is a data exfiltration. Understanding the nature of the data involved if there is an exfiltration saves significant time that our team would otherwise spend running these issues down.
Very critically, we also needed this to be available out-of-the-box so we could get up and running quickly.
BN: What were the biggest differences you found in evaluating these NDR tools?
KL: The data science was where we saw the most diversity between NDR providers. Based on the machine learning approach under the hood, some of the solutions we evaluated generated a ton of noise that wasn’t helpful to our security team. Others had complex user interfaces that would require training and would slow down the team for the foreseeable future.
We ended up selecting Awake Security largely for this reason -- both the underlying artificial intelligence and the user experience are much more streamlined and intuitive than other solutions we compared it against. Security tools today can often be too overwhelming, leaving the onus of uncovering the data necessary to make risk management decisions on the already stretched thin security team. Awake does well with the 'Goldilocks rule' surfacing just the right amount of data for me and my team to act.
Beyond that, we did see significant differences in how these solutions detected and flagged non-malware threats. Looking at Awake, there are hundreds of security use cases built into the system itself. And we were able to add new ones quickly and easily. That's important as we’ve seen malicious attackers evolving their techniques more quickly than ever before.
One other key difference was how these tools handled data and privacy. With our significant European customer base, we needed to ensure our NDR solution was conducting full packet capture, but in a privacy- and compliance-aware way.
BN: How has implementing NDR changed your security operations?
KL: There are several ways -- some tangible and some less so. For example, right now I have over one hundred use cases running in the background and looking for things like defense evasion and the use of proxies in order to hide data exfiltration, rogue hardware and devices that might be hiding on the network, brute force attempts against passwords and password spraying attempts.
We're also able to see potential data exfiltration over encrypted traffic in a way that's second to none.
As a whole, the security team has better visibility than before. They can single out devices to respond quickly and intelligently, understanding what type of device it is, who it's connected to, the exact problem and solution. This has not only made their jobs easier, but also changed our company’s culture around security. Instead of engaging people in painful and time-consuming investigative processes, our security team can resolve issues quickly -- which means our entire staff is more willing to adopt security policies, follow standards and generally be aware of their security-related practices.
We have also been able to re-focus the security team on the most critical situations at hand. It doesn't matter where something is occurring in our network -- and that includes wireless networks -- we have full situational awareness. We can see the traffic from any device plugged into the network at any time, identified and with context. Devices, domains and information are categorized using machine learning, and the easy-to-use interface allows us to understand the full scope of an attack and the associated data flow.
IoT devices have recently emerged as a significant threat too. While we don't use many connected devices, we do have IoT entities behind our firewall -- things like food vending services that you might not normally think about as a security threat -- which we still needed visibility into. That's just one of many examples, and we're now able to confidently ensure that traffic won't fly under the radar in the case of a threat.
Ultimately, it is all about being able to say with confidence to the executives and the senior leadership team at the board level that by putting this tool in place we have visibility into east-west lateral movement as well as north-south exfiltration and command and control. We have a high degree of confidence that we are maintaining our security posture and all in a much more manageable way.