Tackling the three biggest challenges of the new attack surface

During the COVID-19 period, we’ve seen our networks stretched beyond what they were ever designed to support, with many organizations scrambling to deliver the infrastructure necessary to make work-from-home effective. Here are three of the biggest challenges that security, networking and IT teams face today, along with some advice on how to overcome them. 

Challenge 1: Alert fatigue.

The sheer volume of alerts teams are receiving has become one of the biggest challenges. Security pros must quickly process these alerts to identify them either as real threats that need to be addressed, or false positives they can dismiss. The situation has become more complex because security teams are often forced into working remotely, without access to some of their assets and tools. 

Troubleshooting slowdowns or connectivity problems become exponentially harder with so many users connecting remotely. Is that slow application response because of the user’s home network, an overloaded VPN appliance, or some other network issue?

The Solution: Give security and network teams access to better evidence.  

Integrating network metadata and packet evidence into security and performance monitoring tools overcomes both these challenges. It gives teams access to a shared, authoritative source of truth about network activity. Analysts can pivot from alerts, or metadata queries, directly to the related packets for conclusive verification of what took place an hour, a day, a week, or even a month ago.  

Network history also makes it possible to correlate, and validate, data from other sources – such as log files, threat intelligence feeds and alerts from monitoring tools. Network data has become a bit like the “glue” that makes it easier to correlate data from other diverse sources (log files, SNMP alerts) by matching it against an accurate record of all the activity that has occurred on the network. Network history offers an authoritative timeline and the context (IP addresses, ports, application and user information) that lets security pros correlate individual, isolated events to create an accurate picture of exactly what happened.

Challenge 2: Email Phishing.

Security teams have seen a huge increase in phishing and spear-phishing attacks during the COVID-19 period. Many of these attacks are designed to take advantage of the confusion that COVID-19 has wrought to deliver malware to unsuspecting users. With so many more phishing attacks happening, what can security teams do to really focus on this threat? 

The Solution: Deploy packet data and rich metadata.

Email scanning and filtering, antimalware, antivirus and intrusion detection tools are vitally important. But they are not perfect. 

Justin Fier, director for cyber intelligence and analysis at Darktrace says that companies just can't just rely on email gateways. “An email gateway is not going to be enough to find that needle in the haystack,” Fier says. “If an email comes in and a link gets clicked, you need to know what happened five seconds afterwards at the network layer, and within a couple hours later, what happened at the cloud layer so that you can add that context to the entire digital ecosystem.”

To improve network visibility companies need a combination of full packet data and rich network metadata. Metadata gives the big picture view of network activity and offers an index that lets teams quickly locate relevant full packet data. Full packet data lets teams perform the forensic analysis necessary to accurately reconstruct exactly what took place.

Challenge 3: New attack vectors introduced by work-from-home.

Organizations have had to do what they can to support the rush to remote work. They have been forced to rely on home networks and mobile solutions. Much of that infrastructure remains entirely outside the control of the teams responsible for securing the enterprise. As a result, the potential attack surface has dramatically expanded, leaving security teams to deal with a raft of new, and often unknown, vulnerabilities. 

The Solution: Integrate network history into security and performance monitoring tools.

With company networks expanding to support users accessing from home, it’s now more important than ever before for organizations to examine connections into their networks to ensure they meet enterprise-grade security standards. When network history is integrated into their security and performance monitoring tools, analysts can go from alerts to the recorded packets in a single click, dramatically speeding the investigation of incidents and enabling definitive conclusions.

If we’ve learned anything from the pandemic, it’s that to stay on top of today’s rapidly evolving work environment, companies need to dramatically increase their visibility into all areas of the network. It’s important to have fast access to packet capture so security teams can streamline incident response and offer analysts the visibility they need to quickly respond to network attacks. At the same time, security teams need to ensure that they optimize network performance to support a growing remote workforce.

John Attala, senior director, Americas, Endace  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.