Insight by Vectra

As cloud use grows, agencies must refocus cyber efforts on network detection, response

It’s no surprise to anyone that the recent SolarWinds breach is requiring agencies to rethink their approach to cybersecurity. In many ways, it’s forcing all organizations—public and private sector—to reconsider how they perform network detection and response.

Brian Varine, the associate director of Guidehouse Advanced Cyber Solutions, said the breach highlighted gaps in agency cyber environments both from an operational and a visibility perspective.

“A lot of agencies were scrambling around trying to figure out, ‘hey, am I affected? And if I was affected, where did these attackers go? Did they move laterally?’” Varine said during the discussion “Why network detection matters more than ever,” sponsored by Vectra. “A lot of people struggled to figure out what really happened. It really exposed some of the things that need fixing. And then in some cases, it’s highlighted some things that actually went well.”

Varine said agencies struggled specifically in understanding what applications and devices are connected to their network as well as who is on the network.

“We’ve seen a big push to the cloud, and the architecture of networks has changed. It used to be you had this very strong perimeter, anything that went in or out of the enterprise was going to travel through your firewall, your intrusion detection system (IDS) and some other anti-malware things. You got a pretty good idea who is coming in and what is going on,” he said. “With the advent of cloud, we’ve started putting in place express routes, direct connects into the cloud. The other thing is that everything comes in over the web right now. So there’s a lot of things that you can do, just over an HTTP or HTTPS connection. The other thing is a lot of the network traffic has gone encrypted. So the traditional IDS was always looking for pieces of malware or a specific code and finding definitely bad stuff.”

Varine said modern attackers, like those who are responsible for the SolarWinds attack, aren’t relying on these former practices of trying to inject malware or get users to click on links.

“Modern attacks are stealing credentials, so they’re impersonating somebody on your network with privileged credentials and they’re moving around. Your traditional tools that are looking for bad code, malicious software, and things like that, are not going to be effective because the attacker isn’t using malicious code. They’re basically impersonating somebody. So if you haven’t modernized your security, then you’re going to have a hard time dealing with these modern attackers,” he said. “You need the technology first to even measure it and see it. So that’s where your network sensors come in. Then, you need a smart technology that can correlate that. It sounds easy to do on paper, but if you actually had an analyst sit down and run a whole bunch of queries through their security information management (SIM), it would be very difficult to do. A lot of people want to focus on threat hunting, but a lot of teams are just blindly hunting around the network looking for odd things. With a good network detection technology, you can kind of give your hunters kind of a head start.”
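The correlation Varine describes, as an added example that is not part of the article or of any Vectra product: a successful login carries no malicious code for a signature-based IDS to match, so the detection below instead correlates constructed authentication events from network sensors and flags an account used from a host it has never been seen on that then reaches several destinations in a short window. The event format, the baseline and the thresholds are assumptions for illustration.

```python
# Added example (not from the article): correlating constructed auth events
# to flag credential impersonation followed by lateral movement.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source_host, dest_host, outcome)
EVENTS = [
    ("2021-03-01T09:00:00", "jdoe", "WS-101", "FILESRV-01", "auth_ok"),
    ("2021-03-01T09:05:00", "jdoe", "WS-101", "MAIL-01", "auth_ok"),
    ("2021-03-01T22:10:00", "svc_backup", "BUILD-07", "DC-01", "auth_ok"),
    ("2021-03-01T22:11:00", "svc_backup", "BUILD-07", "FILESRV-01", "auth_ok"),
    ("2021-03-01T22:11:30", "svc_backup", "BUILD-07", "FILESRV-02", "auth_ok"),
    ("2021-03-01T22:12:00", "svc_backup", "BUILD-07", "HR-DB-01", "auth_ok"),
    ("2021-03-01T22:12:30", "svc_backup", "BUILD-07", "FIN-DB-01", "auth_ok"),
]

# Constructed baseline learned from earlier, known-good traffic: the source
# hosts each account normally authenticates from.
BASELINE = {"jdoe": {"WS-101"}, "svc_backup": {"BACKUP-01"}}

def detect_lateral_movement(events, baseline, window=timedelta(minutes=5), fanout=3):
    """Return alerts for accounts used from a host outside their baseline that
    then reach at least `fanout` distinct destinations within `window`.
    Every login here succeeded, so only correlation across events, not a
    malware signature, surfaces the pattern."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, src, dst, outcome in events:
        if outcome == "auth_ok":
            by_user[user].append((datetime.fromisoformat(ts), src, dst))
    for user, rows in by_user.items():
        rows.sort()
        for i, (t0, src, _) in enumerate(rows):
            if src in baseline.get(user, set()):
                continue  # known host for this account: not suspicious on its own
            dests = {d for t, s, d in rows[i:] if s == src and t - t0 <= window}
            if len(dests) >= fanout:
                alerts.append({"user": user, "source": src,
                               "destinations": sorted(dests), "start": t0.isoformat()})
                break  # one alert per account/host sequence, not one per login
    return alerts

if __name__ == "__main__":
    for alert in detect_lateral_movement(EVENTS, BASELINE):
        print(alert)
```

The analyst-facing output is one alert for the whole sequence rather than five separate login notices, which is the kind of noise reduction the interview argues for.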

Additionally, with the amount of data that sensors and tools bring in, Varine said advanced analytics using artificial intelligence and machine learning help defenders make faster and better decisions.

“I think some of the things that enterprises should really look at is what’s going on deep inside their network, not just at the perimeter, because you have so many paths outside of your network these days with cloud and express routes, and software-as-a-service, you need to be monitoring what’s going on inside your network very carefully,” he said. “You need to have a good approach and a technology that’s not going to be putting out 15,000 alerts every day to the analyst. You need the automation that’s going to take all that data and apply AI and ML.”

These tools become even more important as agencies move more and more systems and data to the cloud. Varine said security operations centers need to be connected directly to these service providers because of how broad the network has become over the last few years.

“You have to have a concerted monitoring effort [in the cloud]. How am I going to monitor that cloud? What you see with a lot of enterprises is a lot of cloud projects are very siloed. So it’s, ‘hey, we have a team there, they’re putting together a case management system, and that team runs that cloud environment, and they make sure it’s secure.’ But the problem is they’re looking at security as ‘Are all my switches turned on? Are all my firewall settings correct?’ But who’s actually monitoring that cloud environment?” he said. “That’s where I think enterprises really need to take a hard look and understand, is my SOC tied into the cloud? Do I have my sensor grid in the cloud with all my projects, because if you don’t, your SOC is going to have a really big blind spot. So that’s where some of these new network detection and response (NDR) capabilities can come in.”

Featured speakers

  • Brian Varine

    Associate Director, Guidehouse Advanced Cyber Solutions

  • Jason Miller

    Executive Editor, Federal News Network