In my last blog, I wrote about how the metadata collected by the multitude of behavior sensors already deployed across your network can provide the best early warning system you can find. Much like a radar system for on-water navigation, your network metadata is the fastest way to gain a sense of the potential dangers around you. But can it really provide the context you need to understand your network traffic comprehensively?
To understand that, we need to think like a bad guy. Since threat actors don’t have a road map of your network, they must go hunting for the things they want. They typically gain a foothold into a lesser protected area of your network—usually a laptop or a peripheral server—and then start to search for things of value. And that activity requires them to behave in certain ways. Rather than hunting for indications that you’ve been compromised, you should proactively search for the tactics, techniques, and procedures that a threat actor must take as they search through your network, so you can spot them early.
Metadata lets us spot that exact type of activity. It tells us who is talking to whom and when, as well as how much data is moving laterally across your network and (with integration) even layer 7 detail. With the power of machine learning and detection algorithms, an effective NDR solution can separate the normal behavior from the suspicious.
How do we know it’s suspicious? When hosts are accessing servers they’ve never accessed before. When new hosts come onto the network. When the data volume exceeds the range typically expected. Or when data is moving from critical infrastructure to a host, especially if that host doesn’t have a history of accessing that data. Basically, any behavior that’s feasible but anomalous, and aligns with steps that a threat actor would have to take to get access to business-critical data.
Of course, metadata does have its limitations. It can’t see into the payload of the packet—the details of the traffic itself. For that, you’ll need to deploy packet capture capabilities to store copies of the packet for future needs. Deploying that capability can be expensive, requiring significant investment in sensors, storage, and management overhead. That cost typically means that PCAP capabilities are concentrated at high-value resources or network egress points.
For the goal of PCAP—to capture the exact payload of the packet—that limited concentration is sufficient because we only need to capture it once to know what’s in the packet. When we need to see which specific credit card numbers, social security numbers, or financial records were stolen, PCAP effectively tells us that.
Many NDR vendors push the idea that packets are primarily what you need to sleuth out nefarious behavior on your network. And packets definitely have their value; as the old adage goes, PCAP or it didn’t happen. But because this infrastructure is deployed in a limited capacity and is geared towards forensics, it isn’t well suited for monitoring purposes.
The good news is that our goal is to identify and stop the bad guys before they find anything of value, reducing the amount of time they have on your network. And to do that, you don’t need all the details to know something bad is happening. Just like you don’t need to know if it’s a ship or land in front of you to know you need to avoid it. In fact, with network security and on-water navigation, if you wait until your information is perfect and complete, you’re likely already in harm’s way.
Plixer’s NDR platform leverages the metadata from the network and security devices already deployed throughout your network as a raw data source. By applying our security intelligence, with advanced detection algorithms and machine learning, Plixer quickly identifies signs of anomalous behavior in your network, making it easy for you to spot the bad guys before they can compromise your critical resources.
In next week’s blog, I’ll discuss how Plixer’s NDR platform supports the containment and forensics of cyberattacks.