ESG Study Shows Increased Importance of NDR Tools for SOC; ThreatEye Adds New NDR Capabilities
November 2, 2022, by Thomas Pore, Director of Products at LiveAction
As threats continue to rise and the network perimeter expands, it’s never been more important for network-based security tools to detect threats and provide comprehensive visibility. But according to a recent ESG study, threat detection and response continues to be more difficult for security teams, with nearly half struggling with the increased threat detection and response workload. Other top challenges include the increase of cloud-based resources, devices on the network, and sophistication of threats.
Because of these challenges, many security teams have difficulty detecting and stopping threats targeting the network. Specifically, the ESG study cited identifying and blocking command and control communications, and problems around detecting credential access, privilege escalation, execution, and initial access. The use of encryption to hide these attacks continues to create serious visibility problems for SOC teams. In fact, 45% claim they have suffered multiple attacks using encryption (and it's often used across multiple stages of an attack) and only 34% claim to have visibility into encrypted traffic.
Because of this lack of visibility, SOC teams are adopting tools such as SIEM, EDR, NDR and XDR. But ESG research shows that 46% say NDR is most effective for threat detection and response and 75% use it as the first line of defense for threat detection. Why is NDR so effective? It's often because of the high fidelity of results and its ability to see into encrypted traffic (to eliminate encryption blindness). This dramatically reduces false positives and negatives, and offers increased visibility across the entire network, breaking down the silos that attackers often exploit. NDR solutions are also easy to deploy and manage, which helps overcome the resource and skills gap that continues to plague the cybersecurity space.
NDR solutions can also support a diverse set of use cases including improving response capabilities, monitoring cloud environments, detecting advanced threats, accelerating response, detecting attacks missed by other tools, enabling threat hunting, and much more. Much of this is driven by AI and machine learning, which play an increasingly important role in improving detection accuracy and speed, identifying network devices, prioritizing alerts, informing analyst workflows and more. Because of this, ESG reports that 56% of organizations are using NDR as the foundation of their XDR strategy.
To help SOC teams streamline their NDR capabilities, my team at LiveAction recently released updates to our NDR platform, ThreatEye. Already known for its advanced data collection capabilities and Deep Packet Dynamics (DPD) technology, which allows teams to see into encrypted traffic without the need for payload inspection (or decryption), the latest release adds features focused on UI workflows for analysts, predictive threat intelligence capabilities, enhanced AI-driven detections and discovery, and intelligent packet capture. What does that mean?
For SOC analysts, the time it takes to investigate an incident is often too long because they don't have the full contextual information needed to resolve it. By the time they identify the threat, the damage is often done. The new UI in ThreatEye was built by SOC analysts for SOC analysts. It delivers enhanced collaboration across teams by auto-enriching and correlating disparate data sources, including but not limited to geography, passive DNS, MITRE techniques, and threat intelligence. The multi-stage pipeline analysis further layers on detailed findings, risk scores, and MITRE ATT&CK labeling so SOC analysts can respond in real time to attacks and accelerate triage with integrated packet analysis.
The product also features AI-driven detections and discovery. The pervasiveness of encryption across corporate networks is decreasing the effectiveness of MFA and other security solutions.
ThreatEye's AI-powered behavioral fingerprinting uncovers activity within encrypted connections by tracking multiple vectors of information. This session-based fingerprinting is coupled with host-based behavioral analysis to infer when a threat actor is active in an environment. Additionally, the ML-driven device discovery allows enterprises to identify IoT and rogue devices that may be compromised. The platform also creates a historical inventory of traits and behaviors, and uses fingerprinting, mapping, and asset profiling, a technique that works equally well with both encrypted and unencrypted traffic.
We've also enhanced our predictive threat intelligence so we can identify when a user is communicating with threat actor infrastructure before campaigns are known to be active.
Threat intelligence feeds are curated by our team to provide up-to-date indicators for active threats in the wild. Included in this feed are predictive threat intelligence and campaign tracking, revealing IPs and domains associated with threat actors before they are activated. Tailored and predictive threat intelligence sets off alarms when users are connecting to threat actor infrastructure before campaigns are known and indicators of compromise are shared across the community.
Finally, ThreatEye now delivers full and continuous packet capture, which is crucial to threat investigations. However, when payloads are encrypted and cannot be decrypted, maintaining the full payloads in packet capture can stretch resources. To solve this problem, we offer Intelligent Packet Capture, which allows organizations to drop encrypted packet payloads while keeping all other header and metadata information. This results in significantly longer storage retention and reduced rack space requirements. We also offer Intelligent Retention, which allows a team to assign different retention rates to different types of applications. This is extremely important inside compliance regulated organizations that need to maintain information (such as DNS) for a certain amount of time.
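The two ideas above, session fingerprinting from packet dynamics without decryption and packet capture that drops encrypted payloads while keeping every header, can be shown end to end on a small constructed TLS session. This is an added example written for this page, not ThreatEye code or LiveAction's implementation: the packets, addresses and record bodies are constructed filler, and the trimming rule (keep IP/TCP headers, TLS record headers and plaintext handshake records, discard only application-data ciphertext) is an assumption about how such a feature might be built.

```python
import struct
TLS_HANDSHAKE, TLS_APP_DATA = 0x16, 0x17   # TLS record content types

def build_packet(src, sport, dst, dport, payload):
    # Minimal IPv4/TCP packet, no Ethernet framing, checksums left zero (constructed demo input).
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

def tls_record(ctype, body):
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body   # 5-byte TLS record header

def trim_encrypted_payload(pkt):
    """Drop the ciphertext of TLS application-data records; keep all headers and metadata."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp_off = ihl + (pkt[ihl + 12] >> 4) * 4
    payload, i, kept, records = pkt[tcp_off:], 0, b"", []
    while i + 5 <= len(payload):
        ctype, ver, rlen = struct.unpack("!BHH", payload[i:i + 5])
        if ctype not in (0x14, 0x15, 0x16, 0x17) or ver >> 8 != 3 or i + 5 + rlen > len(payload):
            break                          # not a well-formed TLS record: keep the rest verbatim
        records.append((ctype, rlen))      # type and length survive as flow metadata
        kept += payload[i:i + 5]           # the record header is metadata, not ciphertext
        if ctype != TLS_APP_DATA:
            kept += payload[i + 5:i + 5 + rlen]   # plaintext handshake (ClientHello/SNI) is retained
        i += 5 + rlen
    kept += payload[i:]
    trimmed = pkt[:2] + struct.pack("!H", tcp_off + len(kept)) + pkt[4:tcp_off] + kept  # fix IP length
    meta = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": struct.unpack("!H", pkt[ihl:ihl + 2])[0], "dport": struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0],
            "payload_len": len(payload), "records": records}
    return trimmed, meta

def flow_dynamics(packets):
    """Per-flow packet dynamics from headers alone: signed payload sizes (+ client, - server) and bytes kept."""
    flows = {}
    for pkt in packets:
        trimmed, m = trim_encrypted_payload(pkt)
        key = tuple(sorted([(m["src"], m["sport"]), (m["dst"], m["dport"])]))
        f = flows.setdefault(key, {"client": (m["src"], m["sport"]), "lengths": [], "orig_bytes": 0, "kept_bytes": 0})
        f["lengths"].append(m["payload_len"] if (m["src"], m["sport"]) == f["client"] else -m["payload_len"])
        f["orig_bytes"] += len(pkt)
        f["kept_bytes"] += len(trimmed)
    return flows
CLIENT, SERVER = ("10.0.0.5", 51234), ("203.0.113.7", 443)
SAMPLE_FLOW = [   # constructed TLS 1.2-style session; record bodies are filler, not real TLS
    build_packet(*CLIENT, *SERVER, tls_record(TLS_HANDSHAKE, b"\x01" * 180)),  # ClientHello
    build_packet(*SERVER, *CLIENT, tls_record(TLS_HANDSHAKE, b"\x02" * 90)),   # ServerHello
    build_packet(*CLIENT, *SERVER, tls_record(TLS_APP_DATA, b"\xaa" * 1200)),  # encrypted request
    build_packet(*SERVER, *CLIENT, tls_record(TLS_APP_DATA, b"\xbb" * 1400)),  # encrypted response
]
```

The signed length sequence is the kind of per-session feature a packet-dynamics model consumes, and the kept/original byte ratio is what drives the retention savings described above; on this sample the two encrypted records shrink from 2,690 bytes of packets to 90.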
NDR solutions are helping organizations improve analyst efficiency, reduce time to detection, speed remediation, and reduce operating costs. With their unique ability to see into encrypted traffic (without decryption) and correlate disparate networking data, many SOC teams rely on them as a first line of defense to stop network attacks. Find out more about selecting the right NDR solution here.