
Why IT SecOps analysts need more than endpoint agents and system logs


Endpoint agents and logs play an important role in securing your organization. That said, despite the investment of millions into endpoint agents, IDS/IPS, and SIEM, many organizations have still been on the wrong end of a successful cyberattack. Why is this the case?

The unfortunate reality is that many attacks occur after a cybercriminal has gained access to the network through a legitimate source or approved service. What’s more, endpoint threat detection and logs may be no defense against insider threats. For these reasons, it is important that IT staff have visibility into all of the otherwise unmonitored communications across the network. This level of visibility helps them detect threats sooner and understand the full scope of a cyberattack.

In my experience, many IT security operations teams depend heavily on endpoint agents and system logs, which give only a limited view of their network traffic. These organizations may have NetFlow analytics from perimeter Internet gateway routers or firewalls, but they have no visibility into the core networks where business-critical systems live. That visibility, however, is often essential to detect threats and thoroughly investigate malicious activity.

I certainly do not mean to imply that endpoint agents are not useful. They are a necessary security control, supplying needed intelligence at the operating system and application level. That said, endpoint agents are effective only on the systems where they are installed. They are not guaranteed to alert on zero-day or supply chain attacks that use trusted third-party systems, injected code, backdoors, or a reverse shell connection from an IoT (Internet of Things) endpoint.

Log benefits and limitations:

Log management platforms allow security professionals to troubleshoot, secure, investigate, or debug problems at the systems level. They supply valuable security-related insight into system and application events. When you begin a security investigation in a log management solution, a query written from a broad perspective risks not pulling enough information. When you try to dive deeper, the data volume grows much larger, and the sheer number of details clouds the vital information that may be directly related to the investigation.

Logging must be configured on the OS and enabled on each respective system. There is a cost for historical retention and volume, and logs are only as good as where they are enabled. If a threat actor has escalated privileges, logging could be disabled on a breached system, leaving you without a detailed overview of the threat’s TTPs (tactics, techniques, and procedures). When using log data as a source of investigative insight, it is challenging to figure out whether an activity is normal or nefarious. Logs are also notoriously complicated to collect in cloud environments.

As IT security professionals, your collective goal is to define, implement, and support solutions and procedures that best protect your business against malicious attacks, unauthorized access, and accidental breaches. You do this with the intent of improving your ability to answer puzzling questions from the application, system, and network perspectives in order to stop cyberattacks. To be truly effective, though, you need visibility into communications over business-critical LANs (local area networks), that is, east-west internal network traffic; this visibility complements organizational investments in SIEM and endpoint technologies.

The best way to gain complete visibility is to implement an analysis solution that ingests network flow data. Attackers cannot hide from this data; after all, they must use the network to get what they are after. A flow-based network detection and response (NDR) platform can give you important intelligence about the behavior and use of network and application resources, so you can find potential security or policy violations more quickly. When machine learning (ML) is applied to this rich dataset, security professionals can readily detect, alert on, and investigate malicious behavior and anomalous activity in network traffic patterns deep within the organization’s private networks. ML-driven threat detection, alerting, and hunting over historical network metadata is comparable to fishing with dynamite.

With comprehensive network analytics, whether or not logs are enabled or endpoint agents are installed, security teams have a starting point of context to shut down breaches before any damage is done. Flow collection and analysis can give a detailed overview of what is happening across the entire network, so the incident response professional has the intel needed to conduct deeper investigations later, after the threat is contained.

With cyber threats increasing in recent months, the CISA (Cybersecurity and Infrastructure Security Agency) Shields Up advisory has recommended that organizations and institutions ensure that “cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior.”

Without network visibility and deep network behavior analysis, it can be nearly impossible to detect C&C (command and control) server activity or malicious probing between unmonitored LAN (local area network) segments and systems. Recognizing the importance of network security visibility is crucial to protecting your customers’ data and hardening your defenses against cyber threats.
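As an added illustration, not code from Plixer or from the original post, here are two simple flow-based detections of the kind the last two sections describe, run over a constructed NetFlow-style export. The C&C heuristic looks for near-constant inter-flow timing (beaconing) between an internal host and an external address; the probing heuristic looks for one internal host touching many distinct ports on another internal host, east-west traffic that a perimeter-only NetFlow view never sees. The CSV layout, the internal address ranges, the thresholds, and every flow record are assumptions constructed for this example, and the plain statistics stand in for the ML the post describes.

```python
# Added example (not Plixer's code): two heuristic detections over NetFlow-style
# records, showing the signal flow data carries even when endpoint logs are
# missing or disabled. Every flow record below is constructed sample data.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow export, one record per line: start_ts,src,dst,dport,proto,bytes
SAMPLE_EXPORT = """\
0,10.1.20.15,203.0.113.7,443,tcp,412
5,10.1.20.22,198.51.100.9,443,tcp,9001
12,10.1.20.22,198.51.100.9,443,tcp,120338
30,10.1.20.15,10.1.10.20,445,tcp,58210
61,10.1.20.15,203.0.113.7,443,tcp,410
100,10.1.20.22,198.51.100.9,443,tcp,7733
120,10.1.20.15,203.0.113.7,443,tcp,415
181,10.1.20.15,203.0.113.7,443,tcp,409
240,10.1.20.15,203.0.113.7,443,tcp,411
299,10.1.20.15,203.0.113.7,443,tcp,414
340,10.1.20.22,198.51.100.9,443,tcp,51200
345,10.1.20.22,198.51.100.9,443,tcp,3300
360,10.1.20.15,203.0.113.7,443,tcp,410
421,10.1.20.15,203.0.113.7,443,tcp,413
500,10.1.30.40,10.1.10.5,22,tcp,60
501,10.1.30.40,10.1.10.5,23,tcp,60
502,10.1.30.40,10.1.10.5,80,tcp,60
503,10.1.30.40,10.1.10.5,135,tcp,60
504,10.1.30.40,10.1.10.5,139,tcp,60
505,10.1.30.40,10.1.10.5,445,tcp,60
506,10.1.30.40,10.1.10.5,3389,tcp,60
507,10.1.30.40,10.1.10.5,8080,tcp,60
600,10.1.20.15,10.1.10.20,445,tcp,77120
700,10.1.20.22,198.51.100.9,443,tcp,2048
"""


def parse_export(text):
    """Parse the constructed CSV-style export into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": float(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    """True when the address falls inside the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_beacons(flows, min_flows=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose flows recur at near-constant intervals.

    A low coefficient of variation (stdev / mean) of the gaps between flows is the
    classic shape of an implant polling its C&C server; human-driven traffic is
    bursty and scores far higher. Returns (src, dst, dport, mean_gap_seconds).
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), stamps in by_tuple.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, dport, round(avg, 1)))
    return hits


def find_internal_probes(flows, port_threshold=5):
    """Flag an internal source that touches many distinct ports on one internal host.

    This is east-west probing between LAN segments; a flow collector on the core
    sees it, a perimeter-only export does not. Returns (src, dst, distinct_ports).
    """
    ports = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and is_internal(f["dst"]):
            ports[(f["src"], f["dst"])].add(f["dport"])
    return [(src, dst, len(p)) for (src, dst), p in sorted(ports.items())
            if len(p) > port_threshold]


if __name__ == "__main__":
    flows = parse_export(SAMPLE_EXPORT)
    for b in find_beacons(flows):
        print("possible beacon:", b)
    for p in find_internal_probes(flows):
        print("possible internal probe:", p)
```

Run as a script it reports the 10.1.20.15 host polling 203.0.113.7 about every 60 seconds and the 10.1.30.40 host sweeping eight ports on 10.1.10.5, while the bursty browsing session and the ordinary file-share traffic stay quiet. Neither finding depends on an agent or a log on any of those hosts, which is the point of the flow-based view; in practice the thresholds would be tuned against a baseline rather than hard-coded.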

With the myriad sophisticated threat actors targeting diverse types of organizations and government agencies, keeping your IT infrastructure safe is vital to avoid full-scale attacks against your network. An attack can be greatly damaging: it puts your data at risk, and it can also damage your brand reputation. The collective IT cybersecurity mission, after all, is ultimately to protect against attacks and to supply meaningful context to the IT staff responsible for keeping intellectual property and data private.

Adding an NDR solution to your arsenal enables frontline operations and engineering staff to quickly detect and respond to anomalous early-stage malicious activity before the threat actor can set up shop within your environment and encrypt or steal sensitive information. Learn more about Plixer’s NDR solution here.