
Eliminate threats hiding in the network


As the composition of the enterprise network has changed over the years, an ever-expanding set of risks and exposures has come along with it. The network has become more dispersed, living both on-prem and in the cloud, and the capabilities we have relied on historically for network defense have lost so much effectiveness that security pros often have only an incomplete idea of where to focus their security efforts and capabilities.

We often don't learn the true security state of a network until it's too late. So if what we have relied on historically no longer works, what do we use now to identify these threats, and how do we root them out?

A front-and-center example is hostile actors launching ransomware campaigns. Once they infiltrate a network, they quietly stage their ransomware. Because they lean on tools that are already in common use in the enterprise, they operate freely with little risk of being discovered, go about their business, and wait for the right time to activate the ransomware.

But there are also many unknowns: bad activities happening that we have no way to get our arms around. They are often policy or governance issues, like bitcoin mining or employees using company resources to host a gaming server. With limited mechanisms for finding them, these activities often go unnoticed for long periods of time. Data exfiltration also fits this description, in many cases taking months to discover, because traditional tools have major gaps in coverage and scope that let hostile actors operate unnoticed in most enterprise networks.

In worst-case scenarios, it's not until the attacker surfaces that an organization becomes aware of the compromise. IBM's Cost of a Data Breach Report 2023 found that more than one-quarter (27%) of breaches were disclosed by the attacker as part of a ransomware attack, and breaches disclosed this way cost significantly more (19.5%) than those the organization discovered with its own security teams and tools.

Challenges of traditional approaches

These risks and exposures, along with active threat actors that we don't know about or that aren't knowable given existing security architectures, create real dangers for the organization.

When it comes to ransomware, anti-ransomware systems are intended to offer protection, but they have to encounter ransomware in the first place to do their job. In many cases we need an active compromise and deployment of the ransomware before the tools can spring into action to deal with the threat. And one of the very few effective mechanisms for finding unknown unknowns, like bitcoin mining or data exfiltration, is to look broadly across the network for anomalous usage patterns. Surfacing this activity requires the ability to comprehend the composition and the activities of all the participants in the enterprise network, whether they are users, devices, or applications.

Traditional network security technologies that rely on appliance-based architectures and deep packet inspection (DPI) to gain network visibility are rapidly losing effectiveness because of the evolution of networks toward more dispersed footprints and the pervasive use of encryption. Most organizations don't have the resources to deploy and manage DPI at scale to deliver visibility and control where and when they need it. Between the need for network taps and aggregators, decryption capability, and broadly deployed DPI capability, the costs and complexity can quickly become untenable.

‘Shine a light’

We can't secure the network or enforce compliance with policies if we don't know what we've got and what it does. Getting in front of a hostile actor in an environment and warding off the unknowns requires insight into the composition and activities of users, applications, and devices in the network, so we can spot anomalies and threats we previously had no insight into.

So, what does that mean in practice? To get visibility into everything, we need an approach that operates equally well in the cloud and on-prem. It needs to be deployable anywhere at any time to provide broad visibility into both North-South and East-West network traffic. We also need to base it on an encryption-agnostic architecture that works from enriched flow metadata (who talked to whom, on which port, how much, and for how long) rather than packet payloads, so we can see what's happening regardless of encryption. And it must also spot anomalous activity and change, so we can get a complete picture of threats.
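Both "look broadly across the network for anomalous usage patterns" and the metadata-based, encryption-agnostic visibility called for above boil down to statistics over flow records rather than packet contents. The following is an added example written for this edit, not code from the original article or from Netography. It runs three heuristic checks over a handful of constructed flow records shaped like what a flow exporter (NetFlow, IPFIX, or cloud flow logs) produces: an outbound-volume spike against a per-host baseline (the exfiltration case), an internal host suddenly serving many external peers on an unsanctioned port (the gaming-server case), and a session held open to the same external endpoint hour after hour (the shape of a miner talking to a pool, or of a beacon). The internal address range, the sanctioned-port list, the thresholds and every flow record are assumptions chosen for the illustration.

```python
"""Heuristic anomaly checks over flow metadata (added example, not Netography code).

Each record carries only what a flow exporter already provides: endpoints,
destination port, byte count, duration and the hour it was seen. Because no
payload is inspected, the checks behave the same for encrypted traffic.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: the enterprise address space used for the constructed data.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Assumption: inbound ports internal hosts are sanctioned to serve.
SANCTIONED_INBOUND_PORTS = {22, 443}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, factor=10, min_bytes=10_000_000):
    """Flag (host, hour, bytes, baseline) where an internal host sent far more
    to external destinations than its median hourly outbound volume."""
    per_host = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            per_host[f["src"]][f["hour"]] += f["bytes"]
    findings = []
    for host, hours in per_host.items():
        if len(hours) < 3:            # too little history to baseline
            continue
        base = median(hours.values())
        for hour in sorted(hours):
            total = hours[hour]
            if total >= min_bytes and total > factor * base:
                findings.append((host, hour, total, base))
    return findings


def detect_unsanctioned_services(flows, min_peers=5):
    """Flag internal host:port pairs accepting connections from many distinct
    external peers on a port nobody sanctioned (an unsanctioned game server)."""
    peers = defaultdict(set)
    for f in flows:
        if not is_internal(f["src"]) and is_internal(f["dst"]):
            peers[(f["dst"], f["dport"])].add(f["src"])
    return sorted(
        (host, port, len(p))
        for (host, port), p in peers.items()
        if port not in SANCTIONED_INBOUND_PORTS and len(p) >= min_peers
    )


def detect_persistent_sessions(flows, min_hours=4, min_duration=3000):
    """Flag internal hosts that keep a long-lived session to the same external
    endpoint hour after hour, however little data moves (miner or beacon shape)."""
    hours_seen = defaultdict(set)
    for f in flows:
        if (is_internal(f["src"]) and not is_internal(f["dst"])
                and f["duration"] >= min_duration):
            hours_seen[(f["src"], f["dst"], f["dport"])].add(f["hour"])
    return sorted(
        (src, dst, port, len(h))
        for (src, dst, port), h in hours_seen.items()
        if len(h) >= min_hours
    )


def _flow(hour, src, dst, dport, nbytes, duration):
    return {"hour": hour, "src": src, "dst": dst, "dport": dport,
            "bytes": nbytes, "duration": duration}


# Constructed sample flows (not captured traffic); external addresses are documentation ranges.
SAMPLE_FLOWS = (
    # 10.1.1.5: about 1 MB/hour of HTTPS, then a 50 MB burst in hour 6
    [_flow(h, "10.1.1.5", "203.0.113.10", 443, 1_000_000, 30) for h in range(6)]
    + [_flow(6, "10.1.1.5", "198.51.100.7", 443, 50_000_000, 900)]
    # 10.1.1.9: six distinct Internet hosts connecting in on port 27015
    + [_flow(3, f"192.0.2.{i}", "10.1.1.9", 27015, 20_000, 600) for i in range(1, 7)]
    # 10.1.1.20: a session held open to the same external host:3333 every hour
    + [_flow(h, "10.1.1.20", "198.51.100.99", 3333, 5_000, 3600) for h in range(6)]
    # 10.1.1.30: ordinary inbound HTTPS to a sanctioned web server
    + [_flow(2, f"192.0.2.{i}", "10.1.1.30", 443, 50_000, 10) for i in range(10, 20)]
)


def report(flows=SAMPLE_FLOWS):
    return {
        "exfiltration": detect_exfiltration(flows),
        "unsanctioned_services": detect_unsanctioned_services(flows),
        "persistent_sessions": detect_persistent_sessions(flows),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

Run it directly to print the three findings. In a real deployment the baselines come from days of history and the thresholds from the environment, and each hit is a lead for investigation rather than a verdict: the checks see only who talked to whom, on which port, how much and for how long, never the content, which is exactly why they keep working when the traffic is encrypted.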

When we can shine a light into the dark corners of the network that were never visible before, we gain visibility to eradicate the threats that go unnoticed, and ultimately find the peace of mind we need.

Martin Roesch, chief executive officer, Netography

Martin Roesch

CEO at Netography. Proven entrepreneur and business leader. Original author of the Snort open source project. Founder of Sourcefire and early pioneer of the Open Core business model.
