How is the security threat growing in the cloud, and what can you do to improve detection? Ian Tinney looks at how SIEM, EDR and NDR technologies can be used to carry out virtual storm chasing.
Networks have never been more exposed. Security threats are growing, and the rapid rollout of services to facilitate working from home during the pandemic has increased the attack surface and placed resources under significant strain. So given the sheer scale of the problem, how should you seek to improve your security monitoring and detection capabilities? What can be done?
Consulting firm McKinsey recommended companies expand web-facing threat intelligence and security information and event management (SIEM) programs to compensate for the risks associated with working from home, but the reality is that many SIEMs aren’t collecting and feeding the right data to the Security Operations Center (SOC).
The Verizon 2021 Data Breach Investigations Report (DBIR) found that breaches have increased by a third over the course of the past year, and 80% of them weren’t even detected internally, suggesting SOCs are struggling. It’s a view borne out by the Ponemon Institute, which found only 50% of organisations think their SOC is effective (an increase of 10% from the previous year) due to a lack of visibility into network traffic, information overload and alert fatigue.
Securing the network
Approaches to network security have evolved, and continue to evolve, in an effort to automate detection.
Early SOCs struggled with limited visibility of endpoints and other third-party systems, as well as with too much data generating too many alerts. SIEMs were then used to help filter that data, primarily by focusing on log files, and later began to apply User and Entity Behaviour Analysis (UEBA) to focus efforts, but this still left big gaps in monitoring the information estate. Cue the emergence of Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) technologies to fill those gaps, with each performing a distinct role:
EDR – Uses agents that collect data from hosts and applies some behavioural analysis to attempt to capture unusual behaviour. Many (especially large) organisations already have an EDR tool.
NDR – Captures and analyses network packets coming in and out of your network (referred to as the ‘North’ and ‘South’) and between interior infrastructure (‘East’ and ‘West’). NDR combines a Network Intrusion Detection System (NIDS) and Network Traffic Analysis (NTA) technologies to detect the things that an EDR can miss or is not capable of seeing.
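To make the north/south versus east/west distinction concrete, here is an added example (not from the article and not any NDR product's code) that classifies flow records by direction and then computes per-host east-west fan-out as a minimal network-traffic-analysis check of the kind an NDR performs and a host-bound EDR agent cannot. The flow records are constructed, the RFC 1918 ranges standing in for "internal" and the fan-out threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges mark "inside the network"; adjust to your address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (src, dst, dst_port); not captured traffic.
FLOWS = [
    ("10.1.1.5", "93.184.216.34", 443),   # workstation to the internet (north/south)
    ("203.0.113.9", "10.1.1.20", 443),    # internet to an internal web server (north/south)
    ("10.1.1.5", "10.1.2.7", 445),        # workstation to internal host (east/west)
    ("10.1.1.5", "10.1.2.8", 445),
    ("10.1.1.5", "10.1.2.9", 445),
    ("10.1.1.5", "10.1.2.10", 3389),
    ("10.1.1.20", "10.1.3.50", 5432),     # web server to its database (east/west)
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src, dst):
    """Classify a flow by where its endpoints sit relative to the perimeter."""
    inside = (is_internal(src), is_internal(dst))
    if all(inside):
        return "east-west"
    if any(inside):
        return "north-south"
    return "external"  # neither endpoint is ours; only seen on transit links

def east_west_fanout(flows):
    """Number of distinct internal peers each internal source host talked to."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        if direction(src, dst) == "east-west":
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}

def flag_lateral_fanout(flows, threshold=3):
    """Hosts whose east-west fan-out exceeds the threshold (assumed value) and
    therefore deserve an analyst's attention; an EDR agent watching only its own
    host sees none of this aggregate picture."""
    return sorted(h for h, n in east_west_fanout(flows).items() if n > threshold)

if __name__ == "__main__":
    for src, dst, port in FLOWS:
        print(f"{src:>14} -> {dst:<16}:{port:<5} {direction(src, dst)}")
    print("east-west fan-out:", east_west_fanout(FLOWS))
    print("flagged hosts:", flag_lateral_fanout(FLOWS))
```

In production the flow records would come from a sensor or flow exporter rather than a list, and the threshold would be set from a baseline of normal east-west behaviour.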