Once considered the eminent domain of networking teams, network telemetry data is becoming a requirement to provide security analytics with a more complete view of enterprise threats.
Leslie K. Lambert
www.csoonline.com | June 7, 2018
In the days when organizations defended the network perimeter tooth and nail, they relied on a myriad of technologies, tools and procedures. Specialized skills were required to configure and manage this trifecta. Meanwhile, an equal measure of superhuman knowledge and skills was required to manage the health and performance of the network.
Advanced tool sets were created to monitor the intricate internal workings of networks. The data captured by these tools was often held very close to the vest by secretive brotherhoods of network managers. Making it nearly impossible for IT or security teams to get access to precious networking data feeds in order to analyze activity occurring across the enterprise computing environment.
Network data is security intelligence
Occasionally, as downstream recipients of data which exposed network infrastructure misconfigurations or problems, security teams were forced to engage in thorny conversations with their network peers, like this one: “Umm, we think your networking devices may not be configured properly.” Response: “How dare you?”
The advent of new analytical tool sets which can root out security risks by detecting anomalous activities through the use of artificial intelligence and machine learning requires the most complete collection of aggregated data available. Including data from networking tools and devices. For example, network flow content has evolved over the last few years, from providing basic hard-coded information elements to a more flexible model which has made newer NetFlow data far more meaningful and valuable for security monitoring purposes.
So while organizations have performed siloed network monitoring for years to understand and solve traditional challenges, such as “has network penetration occurred,” “can we optimize traffic flows,” etc., mounting security threats now demand that we step up to what is being called network behavior analytics.
Achieving greater visibility
With so much more activity taking place on enterprise networks than ever before thanks to the cloud, bring your own device (BYOD) and the internet of things (IoT), the attack surface has expanded exponentially. In fact, it has reached the point where traditional tools like firewalls, intrusion detection systems (IDS) and SIEMs are no longer capable of keeping pace with the increased level of vulnerabilities present in our networks.
Network behavior analytics, on the other hand, has the potential to provide the visibility into threats that are not detected by traditional networking tools and equipment. Unlike approaches designed to detect specific network or endpoint intrusions, network behavior analytics monitors network traffic flows to establish a baseline of normal activity, and then looks for anomalies.
As with any form of analytical modeling, a single behavioral shift is usually not sufficient to warrant an investigation, yet multiple behavioral anomalies should raise alarms. Network behavioral analytics looks to detect changes across multiple activity data sources and link these to other threat indicators. By modeling incoming data against unique behaviors, suspicious activity can be accurately detected, risk scored and alerted on to invoke further investigation or remediation actions.
Identifying the man-in-the-middle
Let’s consider a couple of use cases to illustrate the benefits of network behavior analytics.
Man-in-the-middle attacks, which involve compromising the secure communication between two parties, is a good one. A typical man-in-the-middle attack takes place when an adversary makes independent connections with each victim and then relays messages between them, making them believe they are communicating directly with each other.
One of the most popular and frequent forms of man-in-the-middle attacks involves unencrypted public wireless networks. In this scenario, an attacker within reception range injects her/himself between unwitting Wi-Fi users and the Wi-Fi service provider to send false information to one or both parties, distribute malware-ridden advertisements, etc.
With the massive number of wireless devices in use and the ubiquity of public Wi-Fi networks, it’s a recipe for disaster. Especially since many free Wi-Fi networks are fraught with security issues and should be used with extreme caution.
Network behavior analytics can be used to monitor network traffic patterns and root out the details related to the who/what/where/when of activity. This can be accomplished by creating risk profiles and machine learning models that can identify rogue DHCP, SSH or TLS traffic associated with man-in-the-middle attacks in near real-time.
Shedding light on user account threats
Another example is the use of network behavior analytics to detect credential misuse by a particular account that has successfully authenticated to a number of different nodes on a network. Traditional approaches for defending against this type of threat have focused on monitoring the network for failed and repeated login attempts by rogue user accounts – commonly known as brute force attacks.
A new approach, using network behavior analytics, is more fine-grained. First, a machine learning model is used to establish a baseline for the average number of hosts a user account authenticates to on a daily basis. When anomalies to this baseline are detected, a risk score is assigned to them based on several factors including number of excessive logins, whether it is a regular, privileged or domain administrator account, the business criticality of the hosts being accessed, and more. This same model could be used to detect and alert on behavior typically associated with compromised accounts.
As with any analytics-driven system, the reliability of network behavior analytics is determined by the quality and completeness of data ingested from upstream sources. Without no perimeter to defend, security and networking teams need to pool their data sources to support the common goal of neutralizing attacks before any significant damage is done. This can be accomplished by using all the IT telemetry at their disposal.