Prior to PwC, Vito spent nine years at IBM where he was a Senior Security Engineer, member of the IBM X-Force Red virtual global team, and delivered pen test and advanced security services to customers. Vito has worked in IT for more than 20 years, starting as a freelance consultant, developer and trainer, then moving to networking, and finally to security in 2006.
As part of our ongoing series of interviews with security executives, we reached out to Vito to explore issues around enterprise security and the role of network detection and response.
1) What role does the network play in the detection and remediation of cybercrime?
VR: Network detection and response (NDR) is extremely important, and most cybersecurity teams aren’t focused on it as much as they should be. Much of the attention today is on host detection.
Our team has always emphasized network threat hunting because every attack, at the host level or elsewhere, produces noise and leaves a trace at the network level. Network visibility provides huge value. And you can add it quickly without deploying any agents. All you have to do is put a device on the network and, in minutes, you get immediate visibility into your entire infrastructure.
2) How important is network detection versus endpoint and application detection?
VR: NDR and host detection (often referred to as EDR) serve two different purposes. For visibility into modern threats, network hunting is a fast and extremely effective approach. Every modern threat generates some level of network noise. If you can pick up that noise when it happens, it gives you a lot of information early on in an attack’s progression.
Host hunting technology and agents give much more visibility into device metrics than NDR. If you know the specific endpoint or server impacted, you can quickly identify it and rapidly respond. When used together, the network solution identifies issues and the host technology allows you to dive deeper.
If you correlate both of these tools into a SOAR platform, you get two perspectives simultaneously, which is even more powerful. Visibility from two different perspectives also increases efficiencies, which reduces analyst fatigue, false positives and other common issues faced by security operations teams.
3) How has better network visibility helped you detect and respond to more threats?
VR: Network visibility allows us to gain critical insights and threat hunt in heterogeneous networks with a variety of devices, operating systems and versions of software. These are the types of environments most medium and large enterprises have today. Most host solutions only support Windows 10, or scale down in features if they monitor other operating systems or older versions of Windows.
When you have many types of hosts, devices and legacy systems, including industrial internet of things (IIoT) and operational technology (OT), you need NDR to see everything on your network. As an example, in one investigation, we found malware had infected a device running a version of embedded Windows from five or ten years ago. Nobody had seen it before, and we didn’t know how long it had been there. Using an NDR solution, we were able to quickly analyze the company’s network and identify the infection.
4) What are the pitfalls of using closed technology NDR solutions for threat hunting or incident response?
VR: Typical NDR systems, running on closed detection engines, have two layers of functionality: one provides network traffic monitoring and the other offers automation and artificial intelligence capabilities. For teams with less time or limited skill sets, the automation and AI layer of those solutions automatically triages data and prioritizes events to reduce the amount of information provided to security teams.
Since we use human resources to threat hunt, we don’t want an AI layer in our NDR solution. We want to apply AI later on in the process to all of the extracted data that resides in a data lake, not just to the network data. An open-source-based NDR platform gives us more control than black box appliances, so my technical team can customize and optimize network monitoring for a customer’s specific environment. We can easily write our own detection rules, and the right exceptions, for each customer.
5) What is the main problem that incident responders and threat hunters face? What challenges and issues are there in their work environments?
VR: The main problem they face is the amount of data they have to deal with. They need a way to more efficiently filter and isolate events, and other data, and correlate them with new modern threats. Incident responders and threat hunters perform two different types of activities: standard incident response, or event triage, where they have time constraints and are reacting to the events they see, and proactive threat hunting, where there aren’t any events but they are analyzing data to look for compromised hypotheses.
The main challenge is how to more efficiently dig deeper into data and correlate information between different events or analyze specific telemetry information and correlate it to find irregularities. An NDR platform helps by improving efficiencies for both of these issues.
6) Why is it important to get immediate access to data when there’s an incident versus waiting for behavior-based models to be built?
VR: Incident response has to happen rapidly because your network is already compromised. You can’t apply traditional forensics and do post-processing to analyze an attack. You need to immediately use all of the data you have about your network, and any readily available historical data, and compare what’s happening now versus what happened before. When you are performing incident response, there is no time to learn from AI.
AI learns what a normal network looks like over a long period of time. Then, when something anomalous happens, you can cluster it and AI helps you identify it using features and other mathematical indicators. When you’re doing incident response, you don’t want to use an AI algorithm to learn about a network that is already compromised.
7) What’s the impact of not having visibility into the network?
VR: When you don’t have network visibility, you are missing a large amount of important security and operational information. It is not only about security information and events. It is also about operational events. For example, the use of the wrong type or version of software or a violation of another of your company’s policies.
When an incident happens and you don’t have network visibility, it is very challenging to quickly contain the incident. When you have visibility, you instantly know which systems are infected and can immediately partition them into a closed network, monitor the traffic of the closed network, and determine what the infection is and how it operates.
8) Anything else you’d like to add?
VR: Network visibility is needed not only for corporate IT networks, but also for OT networks, such as industrial control systems (ICS) that support enterprise manufacturing services or other IIoT or parallel networks running in other types of businesses. These other environments can also be impacted by attacks when they are reflected or spread from a connected corporate IT system that is compromised. Sometimes the only option for monitoring them is an NDR system.
Thank you, Vito, for taking the time to talk to us about these important issues!