With the increase in frequency of cyber threats, most companies are adopting a more robust security posture. This extends to multiple ways in which systems are monitored and protected. Yet still gaps remain. Threat actors are determined and continue to find and exploit vulnerabilities.  

What’s more concerning is that even after a threat is detected it can sometimes be very hard to trace. Using stolen credentials and erasing logs as part of an attack, makes discovering where access was gained more difficult. Especially when a company doesn’t have visibility of its entire system.  

No alert, no logs but held to ransom 

A recent example is a ransomware case where the threat actor was able to gain access by using an exploit for a specific type of phone system. They got in, dumped credentials and then were able to move undetected through the system to gain access to the server and lock out the retailer’s entire virtual system.  

What was interesting is that on initial investigation with EDR and firewall logs, not much showed up as a threat to be concerned about. The only tiny piece of forensic evidence discovered was that the phone system was linked to specific PC’s that provided system access. Because there wasn’t adequate segmentation, once in, the threat actor remained undetected and was able to cause some costly damage. There were no logs or alerts issued which highlighted the limited visibility the company had over their systems.  

In this case, had there been NDR embedded into the switches, it may have been possible to have visibility on the traffic going through the network including the lateral movement within the system. This would have alerted the company to unusual activity and enabled them to respond sooner to the threat.  

How much goes undetected?  

The unfortunate reality is that despite having firewalls and end point detection (EDR), generally these security technologies still only give companies 50% visibility of their systems. As highlighted in the case mentioned, if a threat actor manages to avoid alerts, there’s likely to be very little evidence of their activity as they move laterally within the system. This is a gap that Network Detection and Response (NDR) helps to fill, by being able to monitor all activity on a network.  

Historically, adding sensors that would provide this level of visibility would be very costly. However, Arista has led a new trend to make achieving greater visibility more cost effective. Their solution is to embed core components of the sensors into switches and key ports which delivers the ability to watch and run advanced analytics using AI to identify possible threats.  

These capabilities augment an organization’s security posture. And this is necessary, especially when you consider how many different devices access systems and how they can move within a campus. Smart network devices build thousands of connections accessing multiple systems. Companies use vendors that deploy their own software and devices. Even conveniences such as laundromats or exercise bikes can have vulnerabilities that can be exploited if they’re connected through smart devices to systems.  

As another example: In education organizations, students may operate on different devices which move between locations. This can make it very difficult to identify who’s a legitimate user. Arista has developed a way to track unique identities by essentially fingerprinting a device. It assigns to a device certain level of attributes and applies a level of access control based on known activity. If network activity deviates from that it can trigger an alert for further investigation. It’s really only NDR that would be able to provide this level of visibility on a system. This type of activity wouldn’t typically feature in firewall logs or EDR alerts. 

Further ways that greater visibility through NDR improves security 

Additional areas where vulnerabilities are often exploited is aging infrastructure. While companies understand the need to refresh and upgrade their infrastructure, if it’s still doing the job, it might be a lower priority. The problem is that older switches, routers or components may have outdated encryption. They may be misconfigured or have a known vulnerability that’s all too easy to exploit.  

NDR uses a combination of automated and human threat hunting that speeds up the time taken to identify and respond to vulnerabilities. The automated analysis uses AI to monitor for unique activity. If 20 devices are operating in one way but a single device is operating differently on the network, the analysis provides context to determine if further investigation is warranted. 

The network analysis can also be used as a tool when looking to upgrade system infrastructure. It does this by analysing all assets, looking at how they’re configured, what operating system they have and if there’s any known exposure of a particular version that could be exploited. Older operating systems can often be a vulnerability that threat actors try to exploit.  

The benefit of NDR is that it covers all connections in the networks, not only end points. This provides a really detailed analysis that can alert to any abnormal activity. The expanded visibility can significantly shorten the time to detection of a threat from hours or days, down to minutes.  

As methods of attack continue to evolve, it’s hard to guess what threat actors will try next to gain access to systems. Because of this having greater visibility over entire systems is key as it significantly increases an organization’s security posture and ability to respond swiftly to shut down an attack. It’s one of the cases where having a more proactive approach to monitoring can have a major impact.