How Network Visibility Enables the Detection and Response Mission
A quick read of current data breach statistics shows that even the most well-resourced enterprises continue to suffer security breaches. The reality is that prevention strategies and controls simply can't keep up with exponentially growing attack surfaces. Network visibility is one of several tools that can help advance the detection and response mission. The NIST Cybersecurity Framework states that this mission must now include finding and expelling attackers before sensitive data can be discovered and exfiltrated.
One of the major challenges with detection and response is condensing high alert volumes down to actionable incidents. Network visibility helps by providing a complete history of all network activity and metadata. This history enables the security analyst to quickly validate alerts and, when an infection is found, determine the nature and extent of the incident so an effective response can be executed.
Network Visibility Use Cases
The Masergy Network Visibility Tool provides a complete network record by capturing real-time NetFlow metadata from critical points on the network (including integrated sensors and third-party firewalls, switches and routers) and readily presents it to the security analyst so it best highlights relevant security issues. Whatever the malicious activity may be, attackers can’t hide because their actions are always enabled by the network.
Here are some powerful use cases for the Network Visibility Tool:
Critical Asset Monitoring
A large retail customer has a critical payment database that should only connect with three other systems on defined ports and protocols: anything else is likely malicious activity. A Network Visibility Tool rule is simple to configure and will quickly identify such activity.
Enable the Threat Hunting Mission
Threat hunting is an aggressive defense strategy that assumes the attacker is already inside the network. Instead of waiting for the attacker to (hopefully) trip alerts, the threat hunting team looks for early indicators of suspicious activity and then actively goes sleuthing for evidence of intrusion. An example investigation trigger is the assumption that any Secure Shell (SSH) traffic passing the firewall is highly suspect. At the application layer, next-generation firewalls identify SSH traffic and label it in NetFlow v10 (IPFIX) records, which are then picked up by the Network Visibility Tool. The threat hunting team can then investigate which internal systems started the outbound SSH session, and pivot to Endpoint Detection and Response (EDR) tools to further flush out the culprit and its intent.
Retrospective Threat Intelligence Matching
Threat intelligence matching is a critical capability for defending against the latest sophisticated attackers. However, it is a time-sensitive process: attackers quickly pivot to new command-and-control and data exfiltration IP addresses, which makes matching against current traffic alone less effective. Because the NVT records a complete history of network activity, threat intel matching can be done retrospectively and can therefore still identify infected systems even if the attacker is quickly fluxing IP addresses.
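The two record-based checks described above (the critical asset allow-list rule and retrospective indicator matching over stored history), written out as an added example that is not Masergy's code. The flow records, host addresses, allow-list and indicator IP are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: str      # flow start, ISO-8601 (constructed)
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port
    proto: str   # "tcp" or "udp"

# Constructed week of NetFlow/IPFIX-style history for a hypothetical payment DB at 10.0.5.20.
FLOWS = [
    Flow("2023-10-01T09:00:00", "10.0.1.10", "10.0.5.20", 5432, "tcp"),   # app server 1
    Flow("2023-10-01T09:05:00", "10.0.1.11", "10.0.5.20", 5432, "tcp"),   # app server 2
    Flow("2023-10-01T22:00:00", "10.0.9.50", "10.0.5.20", 5432, "tcp"),   # backup host
    Flow("2023-10-02T03:14:00", "10.0.7.77", "10.0.5.20", 22, "tcp"),     # workstation SSH to DB
    Flow("2023-10-02T03:20:00", "10.0.7.77", "203.0.113.45", 443, "tcp"), # same host to external IP
    Flow("2023-10-02T03:40:00", "10.0.5.20", "203.0.113.45", 443, "tcp"), # DB itself to that IP
    Flow("2023-10-03T12:00:00", "10.0.1.10", "198.51.100.9", 443, "tcp"), # unrelated traffic
]

CRITICAL_ASSET = "10.0.5.20"
# The three permitted peers, each with the only service port/protocol allowed.
ALLOWED_PEERS = {("10.0.1.10", 5432, "tcp"),
                 ("10.0.1.11", 5432, "tcp"),
                 ("10.0.9.50", 5432, "tcp")}

def critical_asset_violations(flows, asset=CRITICAL_ASSET, allowed=ALLOWED_PEERS):
    """Flows in either direction involving the asset whose peer/port/proto is not
    on the allow-list: the 'anything else' the rule treats as likely malicious."""
    hits = []
    for f in flows:
        if asset not in (f.src, f.dst):
            continue
        peer = f.dst if f.src == asset else f.src
        if (peer, f.dport, f.proto) not in allowed:
            hits.append(f)
    return hits

def retrospective_ioc_matches(flows, iocs):
    """Apply indicators learned today to stored history. Returns {source IP: [timestamps]}
    so the analyst sees who talked to a C2 address and when, even after the attacker moved on."""
    matches = {}
    for f in flows:
        if f.dst in iocs:
            matches.setdefault(f.src, []).append(f.ts)
    return matches

if __name__ == "__main__":
    for v in critical_asset_violations(FLOWS):
        print("critical-asset rule hit:", v)
    print("retrospective IOC hits:", retrospective_ioc_matches(FLOWS, {"203.0.113.45"}))
```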
Alert Triage
New Endpoint Detection and Response (EDR) tools are effective at identifying installed malware. However, their alerting is often behavior-based and may therefore need additional vetting. To increase confidence in an alert, the analyst can use the Network Visibility Tool to quickly check the identified endpoint for other indicators such as:
- Unusual connections to sensitive internal systems
- Unusual external data transfers
- Outbound port scans
- P2P LAN traffic (e.g. port 445, as used by WannaCry)
Choose Masergy for Managed Detection and Response
Masergy is the only provider in the Managed Security space that is integrating network visibility as part of its core service offering. We're also making Network Visibility available to current Managed Security customers at no additional cost.
Join Masergy for a live webcast on October 11th, at 10 am CDT to learn more about these and other key use cases for the network visibility tool. Please register at maser.gy/network-visibility-webinar.