How Network Visibility Enables the Detection and Response Mission

A quick read of current data breach statistics shows that even the most well-resourced enterprises continue to suffer security breaches. The reality is that prevention strategies and controls simply can't keep up with exponentially growing attack surfaces. Network visibility is one of several tools that can help advance the detection and response mission. The NIST Cybersecurity Framework states that this mission must now include finding and expelling attackers before sensitive data can be discovered and exfiltrated.

One of the major challenges with detection and response is condensing high alert volumes down to actionable incidents. Network visibility helps by providing a complete history of all network activity and metadata. This history enables the security analyst to quickly validate alerts and, when an infection is found, determine the nature and extent of the incident so that an effective response can be executed.

Network Visibility Use Cases

The Masergy Network Visibility Tool provides a complete network record by capturing real-time NetFlow metadata from critical points on the network (including integrated sensors and third-party firewalls, switches and routers) and presents it to the security analyst in a form that highlights relevant security issues. Whatever the malicious activity may be, attackers can't hide, because their actions are always carried over the network.

Here are some powerful use cases for the Network Visibility Tool:

Critical Asset Monitoring

A large retail customer has a critical payment database that should only connect with three other systems on defined ports and protocols; anything else is likely malicious activity. A Network Visibility Tool rule for this policy is simple to configure and will quickly identify such activity.
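The allowlist rule described above, as an added example that is not Masergy's own code: the payment database address, the three permitted peers and the sample flow records are all constructed for illustration.

```python
# Added example (not Masergy's code): a critical-asset allowlist rule over
# NetFlow-style records. The payment database may only talk to three named
# systems on fixed ports/protocols; any other flow is flagged for review.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port of the flow
    bytes: int


PAYMENT_DB = "10.20.0.5"  # hypothetical critical asset address

# Allowlist entries are (peer, proto, dport). A flow passes only if the peer on
# the other side of the database, the protocol and the destination port match.
ALLOWED = {
    ("10.20.0.10", "tcp", 5432),  # application server -> database
    ("10.20.0.11", "tcp", 5432),  # reporting server -> database
    ("10.20.0.12", "tcp", 22),    # database -> backup host over SSH
}


def violations(flows):
    """Return flows involving the payment database that are not allowlisted."""
    flagged = []
    for f in flows:
        if PAYMENT_DB not in (f.src, f.dst):
            continue  # rule is scoped to the critical asset only
        peer = f.dst if f.src == PAYMENT_DB else f.src
        if (peer, f.proto, f.dport) not in ALLOWED:
            flagged.append(f)
    return flagged


# Constructed sample records (not real traffic).
SAMPLE = [
    Flow("10.20.0.10", PAYMENT_DB, "tcp", 5432, 81_000),       # normal app query
    Flow(PAYMENT_DB, "10.20.0.12", "tcp", 22, 4_200_000),      # scheduled backup
    Flow("10.20.0.10", PAYMENT_DB, "tcp", 3389, 900),          # RDP from app server
    Flow(PAYMENT_DB, "203.0.113.7", "tcp", 443, 52_000_000),   # unknown external host
    Flow("10.20.0.50", "10.20.0.51", "udp", 53, 300),          # unrelated LAN traffic
]

if __name__ == "__main__":
    for f in violations(SAMPLE):
        print(f"ALERT critical-asset policy: {f.src} -> {f.dst} {f.proto}/{f.dport} ({f.bytes} B)")
```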

Enable the Threat Hunting Mission

Threat hunting is an aggressive defense strategy that assumes the attacker is already inside the network. Instead of waiting for the attacker to (hopefully) trip alerts, the threat hunting team looks for early indicators of suspicious activity and then actively goes sleuthing for evidence of intrusion. An example investigation trigger is the assumption that any Secure Shell (SSH) traffic passing the firewall is highly suspect. At the application layer, next-generation firewalls will identify any SSH traffic and label it in NetFlow v10 (IPFIX) records, which are then picked up by the Network Visibility Tool. The threat hunting team can then investigate which internal systems started the outbound SSH session, and also pivot to Endpoint Detection and Response (EDR) tools to flush out the culprit and determine intent.

Retrospective Threat Intelligence Matching

Threat intelligence matching is a critical capability for defending against the latest sophisticated attackers. However, it is a time-sensitive process: attackers quickly pivot to new command-and-control and data exfiltration IP addresses, which makes live matching less effective. Because the Network Visibility Tool (NVT) records a complete history of network activity, threat intel matching can be done retrospectively and can therefore still identify infected systems even though the attacker may be quickly fluxing IP addresses.

Alert Triage

New Endpoint Detection and Response (EDR) tools are effective at identifying installed malware. However, their alerting is often behavior-based and therefore may need additional vetting. To increase alerting confidence, the analyst can use the Network Visibility Tool to quickly assess the identified endpoint for other indicators such as:
  • Unusual connections to sensitive internal systems
  • Unusual external data transfers
  • Outbound port scans
  • Peer-to-peer LAN traffic (e.g. SMB on port 445, as used by WannaCry)
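Both the retrospective threat intel matching and the alert triage indicators above, as one added example that is not Masergy's own code: it runs both checks over the same retained flow history. The hosts, timestamps, indicator feed and scan thresholds are constructed assumptions.

```python
# Added example (not Masergy's code): retrospective threat-intel matching and
# EDR alert triage over a retained NetFlow history. All addresses, timestamps
# and indicators below are constructed for illustration.
from collections import defaultdict
from datetime import datetime

# Each record: (timestamp, src, dst, proto, dport). The visibility tool would
# serve these from its database; a list is enough to show the logic.
HISTORY = [
    (datetime(2017, 9, 1, 9, 5), "10.1.1.20", "198.51.100.9", "tcp", 443),   # C2 beacon, before intel existed
    (datetime(2017, 9, 1, 9, 6), "10.1.1.20", "10.1.1.31", "tcp", 445),      # SMB to LAN peers
    (datetime(2017, 9, 1, 9, 6), "10.1.1.20", "10.1.1.32", "tcp", 445),
    (datetime(2017, 9, 1, 9, 7), "10.1.1.20", "10.1.1.33", "tcp", 445),
    (datetime(2017, 9, 2, 14, 0), "10.1.1.20", "203.0.113.40", "tcp", 8443), # attacker moved C2 to a new IP
    (datetime(2017, 9, 2, 14, 5), "10.1.1.21", "10.1.1.31", "tcp", 445),     # a single SMB flow from another host
] + [  # many ports probed on one external host: an outbound port scan
    (datetime(2017, 9, 2, 14, 2), "10.1.1.20", "203.0.113.50", "tcp", p)
    for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 3389)
]

# Indicator feed published after the activity it describes: IP -> published time.
INTEL = {"198.51.100.9": datetime(2017, 9, 3, 8, 0)}


def retrospective_matches(history, intel):
    """Map internal host -> [(timestamp, indicator, predates_intel)] for every
    contact with an indicator, including contacts made before it was published."""
    hits = {}
    for ts, src, dst, _, _ in history:
        if dst in intel:
            hits.setdefault(src, []).append((ts, dst, ts < intel[dst]))
    return hits


def triage(history, host, lan_prefix="10.1.1.", scan_threshold=5):
    """Summarise two of the triage indicators for one EDR-flagged endpoint:
    SMB fan-out to LAN peers and external hosts probed on many ports."""
    ports_by_ext, smb_peers = defaultdict(set), set()
    for _, src, dst, proto, dport in history:
        if src != host:
            continue
        if dst.startswith(lan_prefix):
            if proto == "tcp" and dport == 445:
                smb_peers.add(dst)
        else:
            ports_by_ext[dst].add(dport)
    scans = sorted(d for d, ps in ports_by_ext.items() if len(ps) >= scan_threshold)
    return {"smb_lan_peers": sorted(smb_peers), "port_scan_targets": scans}


if __name__ == "__main__":
    print(retrospective_matches(HISTORY, INTEL))
    print(triage(HISTORY, "10.1.1.20"))
```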

Choose Masergy for Managed Detection and Response

Masergy is the only provider in the Managed Security space that is integrating network visibility as part of its core service offering. We’re also making Network Visibility available to current Managed Security customers at no additional cost.

Join Masergy for a live webcast on October 11th, at 10 am CDT to learn more about these and other key use cases for the network visibility tool. Please register at maser.gy/network-visibility-webinar.

About Jay Barbour

Director of Security Product Management, Masergy
Jay brings more than 17 years of security experience to Masergy as Director of Security Product Management. He is responsible for the product vision of Masergy’s managed security services and leads the product team on execution. Previously, Jay was Director of Security Advisory Services for BlackBerry where he advised large enterprises and government agencies on mobile security. Other positions he has held include Vice President of Marketing at Intrusion, and Vice President of Product Management at Scansafe (now Cisco). Jay holds a degree in Engineering Physics from Queen’s University, Canada, an MBA from INSEAD, France, and is a Certified Information Systems Security Professional (CISSP).
