Stamus-Networks-Blog

Why Context is Critical for Successful Network Detection and Response

Written by D. Mark Durrett | Aug 25, 2020 8:30:00 AM

As mentioned in an earlier article, organizations seeking to identify cyber threats and mitigate their risk are looking to deploy advanced Network Detection and Response (NDR) solutions.

When cyber security teams search for security threats through network threat hunting and investigate suspected incidents, the context provided by knowing what is happening on your network is vital. Beyond explicit threats, this context can help security teams uncover policy violations, rogue network deployments or "shadow IT". One of the key sources of that context is network traffic analysis (NTA).

NTA makes it possible for organizations to leverage that context as part of their network threat hunting efforts.

The Value of Organizational Context

Organizational context conveys the value of data and gives threat hunters a wealth of information that can help them achieve their goals of protecting the enterprise by finding and stopping threats. With the use of context, events are much easier to understand, investigate, and address when hunting for threats.

When security teams are investigating potential threats, it is much easier to determine the next course of action or escalation if they have the data that provides context.

Here are some examples of context to be gained from a network threat hunting perspective, via NTA:

  • Knowing where within the organizational network and IT infrastructure a threat event is occurring. For example, is it originating in the data center, or a system in the accounting department, or on a WiFi guest network?
  • Knowing what type of device is involved with a threat. It might be a user’s laptop or smartphone, or a particular server, proxy, or domain controller.
  • Knowing which individuals were actually using a particular device from which suspicious behavior was detected. Is it an authorized user such as a manager or administrator, or someone from outside the organization?
  • Knowing what user agents and SSL/TLS certificates have been observed on the network.

Having some or all of this context improves automated detection and can help threat hunters conduct much faster investigations to make decisions much more effectively. The latest network detection and response technologies depend on leveraging context as part of the overall cyber security strategy.

Look for NTA in your NDR

When selecting a platform for network detection and response, it is important to consider what sort of NTA capabilities are available that can provide the level of context needed for successful threat hunting, automated detection and incident response.

That means having the ability to collect data from various sources, including real-time NTA, and to deliver the organizational context they carry into an analytics engine.

Some of the features to look for include:

  • Real-time data aggregation and correlation of IDS events, network traffic, and organizational data
  • Automated event classification through tagging workflow
  • Custom network definitions that provide enhanced detection of lateral threat proliferation
  • Enriched data that provides context and increases network visibility
  • Metadata integration with security information and event management (SIEM), security orchestration, automation, and response (SOAR), and data lakes
  • Advanced threat detection
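
To make the context examples above and the "custom network definitions" feature concrete, here is an added illustration (not Stamus Networks or Scirius code) of how an analytics engine can enrich an IDS event with organizational context and tag it. The network definitions, asset directory, and events are all constructed sample data; the zone and tag names are assumptions chosen for the example.

```python
import ipaddress

# Constructed organizational network definitions (hypothetical zones):
# CIDR ranges mapped to the names an analyst recognizes.
NETWORK_DEFS = {
    "datacenter": ["10.10.0.0/16"],
    "accounting": ["10.20.5.0/24"],
    "guest_wifi": ["192.168.100.0/24"],
}

# Constructed asset directory, as an NTA platform might learn it from
# DHCP, authentication or proxy logs: device type and last known user.
ASSETS = {
    "10.20.5.42": {"device": "laptop", "user": "jdoe (accounting)"},
    "10.10.0.15": {"device": "domain controller", "user": None},
}

NETS = [(ipaddress.ip_network(cidr), zone)
        for zone, cidrs in NETWORK_DEFS.items() for cidr in cidrs]


def zone_of(ip: str) -> str:
    """Return the organizational zone an address belongs to, else 'external'."""
    addr = ipaddress.ip_address(ip)
    for net, zone in NETS:
        if addr in net:
            return zone
    return "external"


def enrich(event: dict) -> dict:
    """Attach zone, asset and user context to an IDS event and tag it."""
    src, dst = event["src_ip"], event["dest_ip"]
    ctx = {
        "src_zone": zone_of(src), "dest_zone": zone_of(dst),
        "src_asset": ASSETS.get(src, {}), "dest_asset": ASSETS.get(dst, {}),
    }
    tags = []
    # Both ends inside defined networks: candidate lateral movement.
    if ctx["src_zone"] != "external" and ctx["dest_zone"] != "external":
        tags.append("lateral")
    # Guest network reaching the data center violates a (hypothetical) policy.
    if ctx["src_zone"] == "guest_wifi" and ctx["dest_zone"] == "datacenter":
        tags.append("policy-violation")
    if ctx["dest_asset"].get("device") == "domain controller":
        tags.append("critical-asset")
    return {**event, "context": ctx, "tags": tags}


# Constructed sample events (signature text is made up for illustration).
EVENTS = [
    {"event_type": "alert", "src_ip": "10.20.5.42", "dest_ip": "10.10.0.15",
     "signature": "SAMPLE admin share access"},
    {"event_type": "alert", "src_ip": "192.168.100.7", "dest_ip": "10.10.0.15",
     "signature": "SAMPLE credential probe"},
    {"event_type": "alert", "src_ip": "10.20.5.42", "dest_ip": "203.0.113.9",
     "signature": "SAMPLE outbound beacon"},
]
```

Running `enrich` over `EVENTS` shows the difference context makes: the same signature reads very differently when the source is a guest WiFi client and the destination is a domain controller than when it is an accounting laptop talking to an external host.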

This kind of security platform gives organizations the ability to quickly detect and respond to incidents and mitigate risk. It provides the visibility and insight they need to enhance their security posture through successful network detection and response.

In future articles, we will explore these capabilities in more technical detail.

Learn more about the Scirius Security Platform here.