Insight by Vectra

How network detection and response can bridge the cyber gaps

The threats agencies face from cyber attacks are constantly evolving.

The latest Federal Information Security Modernization Act (FISMA) report to Congress shows agencies faced more brute force and disruptive attacks in 2019 than in previous years.

These include ransomware and other attacks that destroy or degrade networks. Attackers are also forcing their way onto one network in the hope of island hopping to more valuable networks or systems.

As threats get harder to defend against, researchers say 52 percent of all attacks are carried out by external actors, including 33 percent that came through a social media platform and 28 percent that involved malware.

Meanwhile, agencies and organizations also have to worry about insider threats. Researchers found 34 percent of all breaches involved someone who worked at the affected company or organization.

The good news is that the time from intrusion to containment shrank from 67 days in 2018 to 49 days in 2019, according to cyber researchers.

Brian Davis, the director of federal security solutions at Vectra, said that with the number of users and the volume of data traversing any organization’s network, distinguishing safe behavior from the actions of malicious actors is getting more difficult.

“When it comes to that visibility, network platforms like network detection and response can help bridge the gap between the traditional security tools that are in place around perimeter, endpoint, within the system information management (SIM), across Active Directory, log collection and aggregation, and really shine the light on the broader network on what’s happening, not just anomalous or based on security flags, but what behavior is happening, what is typical of that environment and what common behavior is associated with the majority of the attacks out there that we can link together individually and over time to serve as a high fidelity alert that you can be confident is something that needs to be responded to in a priority fashion by an analyst within a queue,” said Davis on the discussion Seeing Threats, Stopping Breaches, sponsored by Vectra.

In many agencies, the challenge is identifying and understanding the right data, because so much of it is coming from an assortment of cyber tools.

“We need to focus on identifying the behavior that’s associated with the next generation of attacks that we haven’t seen before and there is never going to be a signature for that,” he said. “There’s always a commonality when an attacker is in the network, what they need to do to establish persistence, to move around and search and find the targets they’re looking to exploit or operations they are looking to disrupt. Really monitoring the network and having the tools like artificial intelligence and behavior models to identify that behavior quickly and surface it in a high fidelity alert to the analyst is really an approach that is not there today, but it is being adopted rapidly.”

Davis said these tools become even more important as agencies move applications to the cloud where the threats and the amount of data can increase quickly.

He said giving cyber analysts a single-platform view of the data provided by all the tools will increase the speed to decision and, more importantly, the speed to mitigation.

“It really goes back to that overall plan and assessing the tools that you have because finding that needle in that stack of needles becomes really complicated when you don’t have normalized data to work from,” Davis said. “If you are working in different data types and it’s on the job responsibility of the human to pull it together, but can it scale and when the environment changes, how quickly does it take for them to understand and adapt to the new scenario?”
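As an added example, not Vectra’s code and not from the original discussion, the following Python script illustrates the two points Davis makes above: records from two differently formatted sources (a Zeek-style conn log and an iptables-style firewall syslog, both constructed here) are normalized into one schema, behavior detectors for reconnaissance, lateral movement and beaconing run over the combined data, and the hits are linked per host so that a host showing several attack phases rises to the top of the analyst queue ahead of any single noisy hit. The address space 10.0.0.0/8, the admin-port list, the thresholds, the weights and the syslog year are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import pstdev

# Constructed Zeek-style conn.log lines (ts, uid, src, sport, dst, dport, proto, bytes), tab-separated.
ZEEK_CONN = (
    "1700000000.0\tC1\t10.0.0.5\t51000\t10.0.0.20\t22\ttcp\t60\n"
    "1700000000.2\tC2\t10.0.0.5\t51001\t10.0.0.20\t135\ttcp\t60\n"
    "1700000000.4\tC3\t10.0.0.5\t51002\t10.0.0.20\t139\ttcp\t60\n"
    "1700000000.6\tC4\t10.0.0.5\t51003\t10.0.0.20\t445\ttcp\t60\n"
    "1700000000.8\tC5\t10.0.0.5\t51004\t10.0.0.20\t3389\ttcp\t60\n"
    "1700000120.0\tC6\t10.0.0.5\t51010\t10.0.0.21\t445\ttcp\t8000\n"
    "1700000125.0\tC7\t10.0.0.5\t51011\t10.0.0.22\t445\ttcp\t8000\n"
    "1700000130.0\tC8\t10.0.0.5\t51012\t10.0.0.23\t445\ttcp\t8000\n"
    "1700000200.0\tC9\t10.0.0.7\t52000\t10.0.0.20\t445\ttcp\t40000\n"
    "1700000300.0\tC10\t10.0.0.9\t53000\t10.0.0.30\t21\ttcp\t60\n"
    "1700000300.3\tC11\t10.0.0.9\t53001\t10.0.0.30\t22\ttcp\t60\n"
    "1700000300.6\tC12\t10.0.0.9\t53002\t10.0.0.30\t23\ttcp\t60\n"
    "1700000300.9\tC13\t10.0.0.9\t53003\t10.0.0.30\t25\ttcp\t60\n"
    "1700000301.2\tC14\t10.0.0.9\t53004\t10.0.0.30\t80\ttcp\t60\n"
)
# Constructed iptables-style syslog from a perimeter firewall (different field names, no year in the stamp).
FW_SYSLOG = (
    "Nov 14 22:15:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49001 DPT=443\n"
    "Nov 14 22:16:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49002 DPT=443\n"
    "Nov 14 22:17:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49003 DPT=443\n"
    "Nov 14 22:18:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49004 DPT=443\n"
    "Nov 14 22:19:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=49005 DPT=443\n"
    "Nov 14 22:31:08 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.4 LEN=1500 PROTO=TCP SPT=50002 DPT=443\n"
)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed agency address space
WEIGHTS = {"recon": 2, "lateral_movement": 4, "beacon": 4}  # assumed per-behavior weights
is_internal = lambda ip: ipaddress.ip_address(ip) in INTERNAL


def parse_zeek(text):  # Zeek conn.log subset -> normalized records
    out = []
    for line in text.splitlines():
        ts, _uid, src, _sp, dst, dport, proto, _b = line.split("\t")
        out.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                    "proto": proto, "source": "zeek"})
    return out


FW_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \w+ (.*)$", re.M)
def parse_firewall(text, year=2023):  # firewall syslog -> the same schema (year and UTC assumed)
    out = []
    for m in FW_RE.finditer(text):
        kv = dict(tok.split("=", 1) for tok in m.group(2).split() if "=" in tok)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        out.append({"ts": ts.replace(tzinfo=timezone.utc).timestamp(), "src": kv["SRC"],
                    "dst": kv["DST"], "dport": int(kv["DPT"]), "proto": kv["PROTO"].lower(),
                    "source": "fw"})
    return out


def detect_recon(recs, min_ports=5):  # one source touching many ports on one host
    ports = defaultdict(set)
    for r in recs:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return [(s, "recon", f"{len(p)} ports on {d}") for (s, d), p in ports.items() if len(p) >= min_ports]


def detect_lateral(recs, admin_ports=(445, 3389, 5985), min_hosts=3):  # admin ports across several internal hosts
    hosts = defaultdict(set)
    for r in recs:
        if r["dport"] in admin_ports and is_internal(r["src"]) and is_internal(r["dst"]):
            hosts[r["src"]].add(r["dst"])
    return [(s, "lateral_movement", f"admin ports on {len(h)} hosts") for s, h in hosts.items() if len(h) >= min_hosts]


def detect_beacons(recs, min_conns=5, max_jitter=0.1):  # steady-period calls to one external endpoint
    series = defaultdict(list)
    for r in recs:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            series[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for (src, dst, dport), ts in series.items():
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / max(len(gaps), 1)
        if len(ts) >= min_conns and mean > 0 and pstdev(gaps) / mean <= max_jitter:
            found.append((src, "beacon", f"{dst}:{dport} every ~{mean:.0f}s"))
    return found


def triage(recs):
    """Link individual behaviors per host; several distinct phases on one host outrank any single hit."""
    findings = detect_recon(recs) + detect_lateral(recs) + detect_beacons(recs)
    hosts = defaultdict(lambda: {"score": 0, "behaviors": []})
    for src, kind, detail in findings:
        hosts[src]["score"] += WEIGHTS[kind]
        hosts[src]["behaviors"].append(f"{kind}: {detail}")
    for h in hosts.values():
        phases = {b.split(":")[0] for b in h["behaviors"]}
        h["score"] *= len(phases)  # chaining multiplier: one phase unchanged, three phases x3
    return sorted(hosts.items(), key=lambda kv: -kv[1]["score"])


RECORDS = parse_zeek(ZEEK_CONN) + parse_firewall(FW_SYSLOG)
if __name__ == "__main__":
    for host, info in triage(RECORDS):
        print(f"{host:<12} score={info['score']:<3} " + "; ".join(info["behaviors"]))
```

Running it lists 10.0.0.5 first with a score of 30 (reconnaissance, lateral movement and a 60-second beacon linked on one host) and 10.0.0.9 second with a score of 2 for a lone port sweep; 10.0.0.7 never appears because a single SMB session and one web connection match no behavior. The chaining multiplier is where the fidelity comes from: any one detector will fire on benign administrative activity now and then, but the same host doing three different things in sequence rarely does, and that is the alert an analyst should see first.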


Featured speakers

  • Brian Davis

    Director, Federal Security Solutions, Vectra

  • Jason Miller

    Executive Editor, Federal News Network
