Four Ways Network Traffic Analysis Benefits Security Teams

The push towards digital transformation and the growing volume of cyberattacks are finally driving IT and network security teams towards closer collaboration. The idea is not new, but it is now being put into practice in many large companies.

Network traffic analysis and security

The reasons are quite simple: all these new transformation initiatives (moving workloads to the cloud, pursuing virtualization or SD-WAN projects, etc.) are creating network traffic blind spots that cannot easily be monitored using security tools and processes designed for simpler, traditional on-premises architectures. The result is a series of islands of data and systems, a proliferation of tools, and a lack of correlation. Basically, there is a lot of data but little information. As the organization grows, the problems get worse.

For a business that falls victim to a cyberattack, the final cost can be astronomical, as it includes investigation and mitigation costs, costs related to legal exposure, insurance increases, acquisition of new tools, the implementation of new policies and procedures, and the damage to revenue and reputation.

Size doesn’t matter – all businesses are vulnerable to attack. To improve organizational security postures in this new hybrid network environment, security operations (SecOps) and network operations (NetOps) teams are quickly becoming allies. In fact, Gartner recently renamed one of its market segments from “Network Traffic Analysis” to “Network Detection and Response” to reflect the changing demand for network analysis solutions that are more focused on security.

Here are four ways that network data in general and network traffic analysis in particular can benefit the SecOps team at the Security Operations Center (SOC):

1. Enable behavior-based threat detection

Signature-based threat detection, found in most antivirus and firewall solutions, is reactive. Vendors create signatures for malware as it appears in the wild, or obtain them from third-party sources such as Google’s VirusTotal, and update their products to recognize and block those threats.

While this is a useful way to quickly block known dangerous files from entering a network, the approach has limitations. The most obvious is that signature-based detection cannot detect new threats for which no signature exists. More importantly, a growing percentage of malware is obfuscated to avoid signature-based detection. A study by network security firm WatchGuard Technologies found that a third of all malware in 2019 could evade signature-based antivirus, and that the figure rose to two-thirds in the fourth quarter of 2019. Catching such malware requires a different detection method.

Network traffic analysis (also known as network detection and response, or NDR) uses a combination of advanced analytics, machine learning (ML), and rules-based detection to identify suspicious activity across the entire network. NDR tools consume and analyze raw traffic (packets, or metadata derived from them) to build a baseline of normal network behavior, then trigger alerts when traffic deviates from that baseline. The baseline is only as good as the period it was learned from: it has to be representative, and it should not include an intrusion that was already under way.

Unlike signature-based solutions, which typically focus on blocking malware at the perimeter, most NDR solutions can go beyond north-south traffic to also monitor east-west (lateral) traffic, as well as cloud-native workloads. These capabilities are becoming increasingly important as businesses virtualize and favor the cloud. NDR solutions thus help SecOps detect and respond to attacks that evade signature-based detection. To work, these NDR solutions require access to high-quality network data.
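As an added illustration of the two detection styles described above (a learned baseline with anomaly scoring, and a rule that needs no signature), the following script is example code written for this article, not code from any NDR product. It works on flow records, the (timestamp, source, destination, port, bytes) tuples a sensor derives from packets; the records, the host addresses and the planted behaviours are all constructed inline so it runs offline.

```python
"""Behavior-based detection over flow (connection) metadata.

Added example, not code from any NDR product. Flow records are constructed
here so the script runs offline; a sensor would derive them from packets.
  1. baseline + anomaly: per-source distinct-destination count per hour,
     compared with a learned mean/stdev (fan-out spikes such as scanning)
  2. rule: beaconing, i.e. repeated connections to one destination at a
     near-constant interval, which a payload signature would not see
"""
import random
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600
INTERNAL_HOSTS = ("10.0.0.5", "10.0.0.6", "10.0.0.7")  # constructed hosts


def constructed_baseline_flows(days=7, seed=1):
    """Days of 'normal' traffic: each host talks to 3-5 internal servers per
    hour at pseudo-random offsets. Tuples are (ts, src, dst, dport, bytes)."""
    rng = random.Random(seed)
    flows = []
    for hour in range(days * 24):
        start = hour * HOUR
        for src in INTERNAL_HOSTS:
            for i in range(3 + hour % 3):
                ts = start + int(rng.random() * HOUR)
                flows.append((ts, src, f"10.0.1.{i}", 443, 1500))
    return flows


def constructed_test_flows(start=7 * 24 * HOUR):
    """One hour of traffic with two planted behaviours."""
    flows = []
    for src in INTERNAL_HOSTS:          # normal background: 4 servers each
        for i in range(4):
            flows.append((start + 100 * i, src, f"10.0.1.{i}", 443, 1500))
    for i in range(40):                 # 10.0.0.5 fans out to 40 new hosts
        flows.append((start + 5 * i, "10.0.0.5", f"10.0.2.{i}", 445, 200))
    t = start
    for i in range(10):                 # 10.0.0.7 beacons every ~300 s
        t += 300 + (i % 3 - 1) * 5      # +/- 5 s jitter
        flows.append((t, "10.0.0.7", "203.0.113.10", 443, 300))
    return flows


def hourly_fanout(flows):
    """(src, hour_bucket) -> set of distinct destinations."""
    fan = defaultdict(set)
    for ts, src, dst, _port, _nbytes in flows:
        fan[(src, ts // HOUR)].add(dst)
    return fan


def learn_baseline(flows):
    """Per-source mean and stdev of distinct destinations per hour."""
    per_src = defaultdict(list)
    for (src, _hour), dsts in hourly_fanout(flows).items():
        per_src[src].append(len(dsts))
    return {src: (mean(c), pstdev(c)) for src, c in per_src.items()}


def detect_fanout_anomalies(flows, baseline, k=3.0, min_stdev=1.0):
    """Hours in which a source contacted more than mean + k*stdev destinations.
    min_stdev stops a very quiet host from alerting on a change of one.
    Sources with no baseline are skipped here; a real system should report
    them as unknown hosts rather than silently ignore them."""
    findings = []
    for (src, hour), dsts in sorted(hourly_fanout(flows).items()):
        if src not in baseline:
            continue
        mu, sigma = baseline[src]
        threshold = mu + k * max(sigma, min_stdev)
        if len(dsts) > threshold:
            findings.append((src, hour, len(dsts), round(threshold, 1)))
    return findings


def detect_beacons(flows, min_events=8, max_jitter=0.05):
    """Source/destination pairs whose inter-connection intervals are nearly
    constant (stdev / mean below max_jitter)."""
    times = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        times[(src, dst)].append(ts)
    findings = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu < max_jitter:
            findings.append((src, dst, round(mu)))
    return findings


if __name__ == "__main__":
    baseline = learn_baseline(constructed_baseline_flows())
    test = constructed_test_flows()
    print("fan-out anomalies:", detect_fanout_anomalies(test, baseline))
    print("beacons:", detect_beacons(test))
```

Neither detector knows anything about the payload: the scan is caught because 44 destinations in an hour is far above the host's learned mean of 4, and the beacon because nine intervals of 295 to 305 seconds have almost no jitter. The thresholds (k, min_stdev, max_jitter) are the knobs that trade false positives for misses, which is exactly the data-quality problem discussed in section 3 below.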

2. Provide data for security analysis, compliance and forensics

The SecOps team will often need network data and behavioral information for security analysis or compliance audits. This typically requires network metadata and packet data from physical, virtual, and cloud-native network elements deployed in the data center, branch offices, and multi-cloud environments.

The easier it is to access, index and make sense of this data (preferably in a “single pane of glass” solution), the more value it brings. Obtaining this information is entirely doable, but it requires a combination of physical and virtual network probes and packet brokers to collect and consolidate data from different corners of the network, process it, and pass it to the security tool stack.

NDR solutions can also give the SecOps team the ability to capture and persist network data associated with indicators of compromise (IOCs) for rapid forensic research and analysis in the event of an incident. This ability to capture, record, sort, and correlate metadata and packets enables SecOps to investigate breaches and incidents after the fact, determine what went wrong, and work out how the attack can be recognized and alerted on earlier next time.
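The following is an added example of that IOC correlation and retention step, written for this article rather than taken from any product. It assumes a sensor has already produced two kinds of metadata records, DNS answers and TCP connections; the records, addresses, domain names and the indicator list are all constructed inline. Given an indicator list, it expands domain indicators to the IPs they resolved to (so that connection records can match too), pivots to every internal host that touched an indicator, and selects the records worth persisting: the matches plus a window of each affected host's other traffic around them.

```python
"""IOC correlation over captured network metadata, with retention selection.

Added example, not the workflow of a specific NDR product. All records and
indicators below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: int          # epoch seconds
    kind: str        # "dns" or "conn"
    src: str         # internal client that made the request / connection
    dst: str         # dns: queried name; conn: remote IP
    extra: str = ""  # dns: answered IP; conn: destination port


# Constructed sample metadata, not real traffic.
RECORDS = [
    Record(1000, "dns", "10.0.0.5", "updates.example.com", "198.51.100.7"),
    Record(1001, "conn", "10.0.0.5", "198.51.100.7", "443"),
    Record(1200, "dns", "10.0.0.8", "bad.example.net", "203.0.113.20"),
    Record(1202, "conn", "10.0.0.8", "203.0.113.20", "443"),
    Record(1300, "conn", "10.0.0.8", "10.0.0.9", "445"),       # lateral SMB
    Record(1800, "conn", "10.0.0.6", "203.0.113.20", "8443"),  # direct by IP
    Record(5000, "conn", "10.0.0.8", "10.0.0.9", "445"),       # much later
]

# Constructed indicator list: one domain, no IPs known yet.
IOCS = {"domain": {"bad.example.net"}, "ip": set()}


def expand_iocs(records, iocs):
    """Add the IPs that indicator domains resolved to in the captured DNS
    answers, so connections that never did a lookup can still be matched."""
    ips = set(iocs["ip"])
    for r in records:
        if r.kind == "dns" and r.dst in iocs["domain"]:
            ips.add(r.extra)
    return {"domain": set(iocs["domain"]), "ip": ips}


def match_iocs(records, iocs):
    """Records that reference an indicator directly or via expansion."""
    iocs = expand_iocs(records, iocs)
    out = []
    for r in records:
        if r.kind == "dns" and (r.dst in iocs["domain"] or r.extra in iocs["ip"]):
            out.append(r)
        elif r.kind == "conn" and r.dst in iocs["ip"]:
            out.append(r)
    return out


def affected_hosts(matches):
    """internal host -> (first_seen, last_seen) across its matching records."""
    seen = {}
    for r in matches:
        first, last = seen.get(r.src, (r.ts, r.ts))
        seen[r.src] = (min(first, r.ts), max(last, r.ts))
    return seen


def select_for_retention(records, matches, window=600):
    """Everything each affected host did within `window` seconds before its
    first match and after its last one, so the investigator sees the context
    (here: the lateral SMB connection right after the callback)."""
    hosts = affected_hosts(matches)
    keep = []
    for r in records:
        if r.src in hosts:
            first, last = hosts[r.src]
            if first - window <= r.ts <= last + window:
                keep.append(r)
    return keep


if __name__ == "__main__":
    matches = match_iocs(RECORDS, IOCS)
    print("affected hosts:", affected_hosts(matches))
    for r in select_for_retention(RECORDS, matches):
        print("retain:", r)
```

Two things the pivot shows that a plain indicator grep would not: 10.0.0.6 contacted the resolved IP directly and never appears against the domain indicator, and the SMB connection from 10.0.0.8 a hundred seconds after its callback is retained as context even though it matches no indicator. The window size is a retention-cost decision; on a busy sensor it is the difference between keeping a few kilobytes of metadata and a few gigabytes of packets.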

3. Provide better network visibility for better security automation

Qualified security professionals are rare and their time is extremely valuable. Automating security tasks can help organizations resolve incidents faster and free up time for the SecOps team to focus on higher-value work. Unfortunately, visibility and automation only work as well as the quality and granularity of the data behind them – and too little or too much can be a problem.

With too little data, automated solutions are just as blind as the SecOps team. Too much data, in the form of a threat detection system issuing too many alerts, can result in a “boy who cried wolf” scenario, with automated responses shutting down accounts or workloads and doing more harm than good.

Missing data, too many alerts, or inherent blind spots can mean that the machine learning and analytics models that NDR relies on won’t perform well, producing false positives while missing real threats. In the long run, this means more work for the SOC team.

The key to successful automation is high-quality network data that yields accurate security alerts, so that responses can be automated with confidence. In practice this means automating responses only for high-confidence detections, and preferring reversible actions (isolating a host, forcing re-authentication) over destructive ones until the detection has proven itself.

4. Decreased malware dwell time

NDR solutions typically have little or no blocking capability because they are usually not deployed inline (although that choice is up to IT teams). Even so, they are effective in shortening the incident response window and reducing malware dwell time by quickly identifying suspicious behavior or traffic. Detections from NDR tools can be passed to downstream security tools, such as firewalls, endpoint agents or orchestration platforms, that verify and remediate the threat.

Malware dwell time has been steadily decreasing across the industry. The 2019 Verizon Data Breach Investigations Report (DBIR) found that 56% of data breaches took months or longer to be discovered, while the 2020 DBIR found that 81% of data breaches were contained within days or less. The two figures measure different things (time to discover versus time to contain), but the trend is encouraging, and we hope SecOps teams will continue to partner with NetOps to reduce dwell time even further.

The benefits of network detection and response or network traffic analysis go far beyond the traditional realm of NetOps. By working together, NetOps and SecOps teams can create a strong visibility architecture and practice that strengthens their security posture, leaving organizations well prepared in the event of an attack.

Complete network visibility enables security teams to see all relevant traffic through a security lens, apply behavior-based and automated threat detection, and capture and store the relevant data for the in-depth analysis needed to investigate and respond to any incident.

Charles J. Kaplan