While debate continues on the recent report of Chinese microchips on US servers, the key takeaway is network visibility. Industry expert Jake Williams recently tweeted this particular point: “Most of us obviously don’t have the capabilities to inspect our motherboards for rogue chips, but we do have the ability to monitor network traffic”.
Whether or not you run that particular product or technology matters less than it seems. In reality, an advanced attacker gets in through whatever means is available, and your organization’s security comes down to how fast you are able to detect, investigate, and respond.
The critical capabilities of Network Detection and Response (NDR) needed for robust network security are:
- Detection of known attacks, mostly based on signatures, rules, or known indicators of compromise (IOCs) from threat intelligence.
- Machine-learning-powered detection of unknown, anomalous behaviors.
- Full packet capture to enable network forensics and investigation of the full scope of a compromise.
Threats are designed to evade traditional, perimeter-based network security tools (firewalls and IDS/IPS), attackers use encrypted protocols to stay below the radar, and growing adoption of TLS 1.3 will further reduce what passive inspection can see (the server certificate is encrypted, and the handshake no longer supports decryption with a static RSA server key). Network visibility and deep analysis are therefore more critical than ever, especially where third-party products are part of your supply chain infrastructure: the implications of a compromise there can be devastating.
When I say Network Detection and Response what do I mean?
- Full packet capture. Native ingestion of north/south and east/west network traffic across your virtualized, on-premises, and private/public cloud environments, covering standard and custom protocols.
- “Hybrid” visibility. Especially important in a cloud-operated world where the network is no longer yours.
- Network session reconstruction. Capturing traffic helps, but most of the heavy lifting is decoding the captured packets and reassembling the relevant pieces into sessions, which is labor-intensive if done by hand. One caveat: post-alert network recording is useful, but it cannot show you anything before the trigger point, so it fails to tell you how widespread an attack already is.
- Metadata. Metadata. Metadata. Analyzing raw network payloads can be overwhelming because of size and scale. Metadata extracted in real time (session, host, port, protocol, and file attributes, for example) and made available to security analysts is therefore key for detection, analytics, and investigation.
- Endpoint detection and response. You are probably asking why I am adding EDR to the mix. When I investigate, I always try to correlate data points between the network and the endpoint that originated the traffic, so that I have additional context: not just for the attack TTPs, but for the business context of the host and the user or machine operating it.
Now that you have the needed visibility, the next step is to apply your threat detection content and advanced analytics to identify known and unknown malicious behaviors using:
- Behavioral analytics. From rule-based detection to machine-learning data science models that identify abnormal network traffic, based on both known patterns and unknown techniques. Using the MITRE ATT&CK framework, you can evaluate your readiness against attackers’ known (and most common) TTPs, and also take a more targeted approach when building detection content around your organization’s most critical attack surface.
- Automated investigation. Last but not least, network detection and response can be long and tedious. Automating data ingestion, metadata extraction, collection of relevant evidence, and correlation and enrichment with external sources is highly advised, both to reduce time wasted on false positives and to free up your time for threat hunting.
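To make the three pieces above concrete (known-IOC detection, behavioral detection of an unknown pattern, and enrichment with endpoint context, as listed in both capability lists), here is a small added example of an NDR-style pipeline over extracted network metadata. It is my own illustration, not RSA NetWitness code or anything from the page. It assumes Zeek-style tab-separated connection records, a one-entry IOC list and a two-host EDR inventory, all constructed inline; the field names, the beacon thresholds (`min_conns`, `max_cv`) and the host names are assumptions for the example.

```python
"""Toy NDR pipeline over network metadata: match known IOCs, flag
beacon-like timing, and enrich each hit with endpoint (EDR) context.
Every input below is constructed sample data for this example."""
from __future__ import annotations

import statistics
from collections import defaultdict

# Constructed Zeek-style connection metadata, tab-separated; field names and
# values are invented for the example (10.0.0.5 checks in roughly every 60 s).
CONN_LOG = (
    "#fields\tts\tsrc\tdst\tdport\tproto\tservice\torig_bytes\tresp_bytes\n"
    "1000\t10.0.0.5\t203.0.113.7\t443\ttcp\tssl\t312\t1200\n"
    "1005\t10.0.0.9\t198.51.100.20\t443\ttcp\tssl\t2048\t65536\n"
    "1010\t10.0.0.9\t198.51.100.20\t443\ttcp\tssl\t900\t30210\n"
    "1061\t10.0.0.5\t203.0.113.7\t443\ttcp\tssl\t312\t1200\n"
    "1100\t10.0.0.5\t192.0.2.44\t8080\ttcp\thttp\t640\t2048\n"
    "1119\t10.0.0.5\t203.0.113.7\t443\ttcp\tssl\t312\t1210\n"
    "1140\t10.0.0.9\t198.51.100.20\t443\ttcp\tssl\t4100\t120000\n"
    "1150\t10.0.0.9\t198.51.100.20\t443\ttcp\tssl\t700\t8800\n"
    "1180\t10.0.0.5\t203.0.113.7\t443\ttcp\tssl\t312\t1200\n"
    "1241\t10.0.0.5\t203.0.113.7\t443\ttcp\tssl\t312\t1190\n"
    "1299\t10.0.0.5\t203.0.113.7\t443\ttcp\tssl\t312\t1200\n"
    "1500\t10.0.0.77\t192.0.2.44\t8080\ttcp\thttp\t640\t2048\n"
    "1600\t10.0.0.9\t198.51.100.20\t443\ttcp\tssl\t3300\t91000\n"
)
FIELDS = ["ts", "src", "dst", "dport", "proto", "service", "orig_bytes", "resp_bytes"]
IOC_IPS = {"192.0.2.44"}  # constructed threat-intel feed
ENDPOINTS = {  # constructed EDR inventory keyed by host IP; 10.0.0.77 has no record
    "10.0.0.5": {"hostname": "FIN-WS-12", "user": "jdoe", "process": "powershell.exe"},
    "10.0.0.9": {"hostname": "ENG-WS-03", "user": "asmith", "process": "chrome.exe"},
}

def parse_conn_log(text: str) -> list[dict]:
    """Extract one metadata record per connection; '#' lines are headers."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        for key in ("dport", "orig_bytes", "resp_bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def detect_known(records: list[dict], ioc_ips: set[str]) -> list[dict]:
    """Known-bad detection: destination IP matches a threat-intel indicator."""
    return [
        {"kind": "ioc_match", "src": r["src"], "dst": r["dst"], "dport": r["dport"],
         "first_seen": r["ts"], "detail": "destination IP is on the IOC list"}
        for r in records if r["dst"] in ioc_ips
    ]

def detect_beacons(records: list[dict], min_conns: int = 5, max_cv: float = 0.1) -> list[dict]:
    """Unknown-behaviour detection: a (src, dst, dport) tuple contacted at
    near-constant intervals. Timer-driven C2 check-ins give a low coefficient
    of variation (stdev / mean) of the gaps between connections; browsing does not."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    alerts = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all connections at the same instant: no timing pattern to score
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            alerts.append({"kind": "beacon", "src": src, "dst": dst, "dport": dport,
                           "first_seen": times[0],
                           "detail": f"{len(times)} connections, mean gap {mean:.1f}s, cv {cv:.3f}"})
    return alerts

def enrich(alerts: list[dict], inventory: dict[str, dict]) -> list[dict]:
    """Join each alert to EDR context on the source IP. A source with no EDR
    record is kept and marked unmanaged, since that gap is itself a finding."""
    enriched = []
    for alert in alerts:
        ctx = inventory.get(alert["src"]) or {"hostname": None, "note": "no EDR record for source IP"}
        enriched.append({**alert, "endpoint": ctx})
    return enriched

def run_pipeline(conn_text: str = CONN_LOG, ioc_ips: set[str] = IOC_IPS,
                 inventory: dict[str, dict] = ENDPOINTS) -> list[dict]:
    """Ingest -> detect (known + unknown) -> enrich, ordered by first sighting."""
    records = parse_conn_log(conn_text)
    alerts = detect_known(records, ioc_ips) + detect_beacons(records)
    return enrich(sorted(alerts, key=lambda a: a["first_seen"]), inventory)

if __name__ == "__main__":
    for a in run_pipeline():
        print(f'{a["kind"]:10} {a["src"]} -> {a["dst"]}:{a["dport"]} '
              f'host={a["endpoint"]["hostname"]} {a["detail"]}')
```

Run as a script it prints three alerts: the 60-second check-in from 10.0.0.5 (flagged purely on timing, with no indicator involved), the IOC hit from the same host, and an IOC hit from 10.0.0.77, which has no EDR record and so surfaces as an unmanaged asset rather than being silently dropped. The thresholds are illustrative; a real deployment tunes them per environment and would add further features such as payload-size regularity and destination rarity.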
Take one more step to up-level your SOC by extending existing detection, investigation, and remediation capabilities with Network Detection and Response, and give security analysts the tools to uncover even the stealthiest threats.
# # #
Visit RSA NetWitness Network to learn more.
Author: Maor Franco
Category: RSA Fundamentals, Blog Post
Keywords: Detection, Detection and Response, Intelligent SOC, Network Security, RSA NetWitness Platform, SOC