Blog

Optimize Network Attack Detection with Integrated Network + Endpoint Visibility

August 11th, 2015 by David Thompson

Magna Lets You See Network + Endpoint DataWhere should you look for active attackers operating inside your network? Across your network and on your endpoints – because that is where the attackers operate! Cyber attacks today are multi-stage operations conducted by human threat actors. Endpoints are compromised, user accounts are stolen, and devices (endpoints) and the network are used against you as attackers explore your environment, extend their access and control, and ultimately steal or damage your data and systems.

So, shouldn’t a solution meant to accurately and efficiently identify active attacks look for the attackers where they are — on your networks and endpoint?

One might think so. But in reality, very few solutions do.

Many attack detection solutions are endpoint only (e.g., endpoint detection and response/EDR). This ends up being a good way to identify (mostly known) malware and indicators of compromise. But, organizations that rely on such solutions end up in a never-ending game of whack-a-mole. There is always more malware to clean up. What organizations cannot obtain from the endpoint alone is the perspective and visibility needed to distinguish between malicious code (bad) and active multi-stage attacks (really, really bad). Endpoint solutions also cannot identify the significant amount of attack activity that makes no use of malware at all, such as credential theft or network reconnaissance.

So, endpoint visibility is valuable, but far from sufficient.

Other attack detection solutions (a much smaller subset) are network-only. These solutions are able to obtain a good overall perspective, and can see both malware-based and non-malware-based attack steps. The network is a great way to develop suspicion. But having only network information means that the necessary host and executable data is not available to either automatically rule suspicion in or out — i.e. to confirm the suspicion by validating the host/process source of the observed malicious network behavior. Without this ability, such solutions deliver more false positives. In addition, network-only solutions cannot automatically gather and present data about hosts to analysts. That means that potentially hours of manual work is necessary to investigate each alert before a determination can be made about what is really going on and what to do about it.

So, network visibility is valuable, but far from sufficient.

Finally, there a number of detection vendors that position themselves as analytics-based, which generally means that they sit on top of log aggregation like SIEM and do detection there. In theory, this sounds like a good idea. In practice, logs are more like hearsay. They are a story told by a server or other network infrastructure to a SIEM (that story dependent on the systems in place and the configured log levels). Those logs are often then normalized and/or transformed, then re-processed by the analytics solution. To continue the analogy, this is a re-telling of the story, something like the game of telephone. Much is lost in translation. To top it off, logs don’t typically capture all the detail necessary to see an active breach in the first place. In practice, log-based solutions are fine at analyzing information about where and how users logged into systems (servers, VPN, etc.), but not in identifying any active attacker behaviors on the network or endpoint.

Logs can be used to examine a tiny portion of the attack surface (credential usage), but lack either the broad visibility of the network or the detail of the endpoint.

So, log-based visibility can be useful, but is far from sufficient.

Clearly the best solution would be to combine all three: network, endpoint, and log data. That is exactly what LightCyber Magna does. The Magna platform continuously monitors the network for behaviors indicative of attack. It also continuously and automatically examines and profiles endpoints, so network suspicion is automatically correlated with endpoint information. This can result in the swift detection of even unknown malware, but also provides critical context around non-malware-based attack activity, so no manual investigation is required. Finally, log data (such as netflow, or VPN or cloud authentication logs) are added to the mix to augment visibility where direct network examination is less practical.

Ultimately, attack detection cannot be tied to any one domain. Attackers use many and complex methods. Attack detection has to reside where the attackers are, and principally that is on your networks and endpoints. If you want to refine your visibility into targeted attackers, why wouldn’t you choose a security solution that integrates both Network + Endpoint context to increase your odds of accurately detecting the bad guys.

To learn more about detecting active attackers already inside your network, please read my recent white paper, LightCyber Magna Technology: Core Engine for the Detection of Advanced Attackers.

Leave a Reply

Your email address will not be published. Required fields are marked *