Saryu Nayyar | CEO of Gurucul
Information Security Magazine
Enterprise networks are experiencing massive change, with cloud, IoT, and mobility, causing legacy perimeters to transition from private networks, to borderless infrastructures. Meanwhile, adversaries are using resourcefulness and perseverance to overcome legacy defenses to get a foothold inside the organization. Once there, assets are at risk and its a race against time to weed-out attackers’ footprints from the massive amount of data being generated in a typical corporate network.
Both network operations (NetOps) and security operations (SecOps) teams must utilize the tools at their disposal to fight back non-stop attacks every day and protect their organization’s data and reputation.
Limits of Traditional Network Monitoring
For example, the NetOps team assesses network traffic to identify threats within benign activity using traditional security tools, including firewalls, intrusion detection/prevention systems, anti-virus/anti-malware, and gateways. They are all necessary, but as point solutions operate in isolation they lack the ability to link events and flows across different networks, systems, endpoint devices, accounts and users to build context and provide end-to-end visibility.
Furthermore, since these tools rely on signatures or rules, they can only detect “known” threats while unknown threats for which there are no signatures or rules can slip right through to the network.
A different set of tools used for network monitoring try to assess the movement and performance of traffic, packets, bandwidth, uptime, ports, etc. These are geared to performance monitoring and troubleshooting, in other words, to ensure that everything is working as expected.
Some advanced solutions like deep packet inspection (DPI) are typically used for data mining, routing and blocking based on the known packet signatures or abnormal patterns.
Behavioral Approaches Offer News Insights
Both metadata and alerts generated by these tools can be very useful to a much broader type of threat assessment — one that is based on evaluating deviations in network behavior. This approach is known as network behavior analytics (NBA), or sometimes called network behavior anomaly detection (NBAD).
NBA provides deep visibility into unknown and undetected threats based on the abnormal behavior on an enterprise network, which enables NetOps team to prioritize investigations and response actions based on the risk severity.
While NetOps professionals have traditionally analyzed network data to identify and remediate operational problems, this can cause congestion, so NBA works to route data through a different part of the network. NBA uses network data and advanced analytical techniques to monitor for indications of a security threat.
This network traffic analysis approach focuses on behavior patterns attributed to all the entities (i.e., machine ids, IP addresses, etc.) associated with the network. It can also monitor and build behavior baselines using various attributes such as source IP address, destination IP address, source port, destination port, TCP flags, bytes-in, bytes-out, etc. Once baselines are created, all new activity of each entity is compared to its baseline to determine if the current activity relatively conforms or deviates from the historical norm.
Risk Scoring Reduces Noise
Behavior that deviates from an entity’s own baseline is evaluated for its degree of risk and if the risk appears to be high, NBA can raise an alert to a dashboard being monitored by network operators.
NBA is particularly useful for identifying new, unknown malware, zero-day exploits, and attacks that are slow to develop, as well as for identifying rogue behavior by network insiders (or those who are using a legitimate insider’s credentials). This approach is also helpful when the threat traffic is encrypted, such as the command and control (C&C) channel.
For example, consider a use case where an endpoint becomes infected with new malware for which there is no signature, and is not detected by anti-virus and anti-malware tools. Once on the endpoint, the malware begins changing the normal behavior of the device. NBA can detect the anomaly, raise it as suspicious behavior, and if directed to do so, trigger a mitigation action such as blocking communication activity for that IP address until further investigation — all in real-time or near real-time.
NBA is not a new approach; proponents have been talking about it for at least a decade. What is new in the advent of advanced technologies including Big Data processing, analytics and machine learning that provide the “intelligence” needed for NBA to accurately detect anomalous network behavior in real-time without human interpretation.
Instead of hunting for threats, NetOps and SecOps teams, which are already stretched to breaking point, can focus on remediating or investigating a much smaller subset of threats that have been escalated based on a multi-dimensional assessment of the security risk they pose.