Network detection and response in the modern era

In this Help Net Security interview, David Gugelmann, CEO at Exeon, sheds light on the current cyber threats and their challenges for network security. He discusses the role of Network Detection and Response (NDR) solutions that leverage machine learning algorithms to improve threat detection and streamline incident response.

The interview also delves into the talent gap in cybersecurity, the risks associated with IoT devices, and the necessity for companies to shift from a reactive to a proactive security strategy. Gugelmann outlines actionable advice for CISOs on balancing compliance needs with practical security measures, as well as emerging technologies that are setting new paradigms in network security in 2023.


Given the constant evolution of cyber threats, how do you see the current landscape, and what do you consider the most pressing challenges for network security today?

Cyber threats are becoming more advanced and range from ransomware, zero-day exploits, and APTs to insider threats. Detecting and responding to these threats fast is critical for an enterprise’s security. Effective threat detection requires comprehensive visibility into network activities and the ability to constantly monitor events in the network. Contextual information about detected threats helps security teams make informed decisions for an incident response. Network Detection and Response solutions facilitate rapid investigation, containment, and quick remediation of incidents. In addition, the underlying machine learning (ML) algorithms are critical to improving threat detection accuracy, reducing false alarms, and enabling rapid response.

Another key challenge is the lack of cybersecurity professionals with the required skills and expertise. This is where an automated NDR can mitigate this, as it simplifies threat intelligence and is accessible to security teams with all levels of knowledge.

Also, the increasing proliferation of IoT devices and the BYOD trend have led to new vulnerabilities in securing network endpoints. Further, enterprises are moving toward a zero-trust model, where by default no one is trusted. However, without good visibility into network activities, it will be very cumbersome for network administrators to define strict zero-trust policies. An NDR solution that provides easy-to-use visibility features can greatly simplify the implementation of strong zero-trust policies.

Finally, compliance regulations (e.g., NIS2, GDPR, or DORA) require robust security measures to protect sensitive data and ensure regulatory compliance on a national and supranational level.

An NDR addresses these challenges with advanced threat detection that leverages ML for behavioral anomaly detection to provide monitoring and enable immediate alerts and responses. In addition, NDRs provide capabilities that help organizations meet data protection and compliance regulations.

What are the most common network vulnerabilities that organizations often overlook?

A huge problem that we are seeing in networks is shadow IT, that is, rogue or “forgotten” devices that are connected to an organization’s IT infrastructure. Shadow IT devices are often not updated, which makes it trivial for attackers to exploit a well-known weakness that a device has. Basically, attackers can just look up which unpatched vulnerabilities are known for a certain device version, search for a proof-of-concept exploit of such a vulnerability and then use the exploit to take over the device. This allows an attacker to easily establish a foothold within an organization’s IT infrastructure.

Another major problem is the complexity of the firewall ruleset that larger organizations must maintain. There are easily ten thousand or more active firewall rules. Due to the resulting complexity, it happens frequently that firewalls are misconfigured and allow access to services that should not be reachable, for example from the outside. Again, such a single misconfiguration can provide an attacker an easy way into a network. Once a foothold is established in the network, an attacker can move laterally inside the network and run an attack that often goes on over weeks, months or even years.

To mitigate these threats, it’s important that organizations monitor their IT activities. Because, for example, the preparation steps for lateral movement and the lateral movement itself can often easily be detected in the network by an NDR solution.

How can organizations better leverage automation to secure their networks against automated threats?

Automation is eminently important to securing networks against attacks as the attackers can potentially hide among billions of communications in networks every day. Machine learning-based threat detection algorithms continuously analyze network traffic, protocols, and behaviors and identify anomalies. These detection models continuously learn from historical data to identify threats based on behavior changes. Once potential threats are detected, the system correlates the suspicious activities and generates alerts to notify security teams in case the threat is considered relevant. Since this assessment does not rely on static information like blacklists of well-known threats, but on behavior analysis, it can also detect zero-day attacks that are not yet known.

The alerts include relevant contextual information about the threat to speed up decision-making.
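The two answers above describe detecting lateral-movement preparation from network behavior and learning a per-host baseline from historical data rather than from a blacklist. The following is an added illustration of that idea, not code from Exeon or from the interview: it learns which (destination, port) pairs each workstation normally talks to, then flags a host whose fan-out to never-before-seen internal destinations crosses a threshold, attaching the context (new hosts, new ports) that an analyst would want in the alert. The flow records and host names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records: (src_host, dst_host, dst_port).
# HISTORY is the learning window, TODAY the window being scored.
HISTORY = [
    ("ws-01", "fileserver", 445), ("ws-01", "mail", 993), ("ws-01", "dc-01", 389),
    ("ws-02", "fileserver", 445), ("ws-02", "mail", 993), ("ws-02", "intranet", 443),
    ("ws-03", "mail", 993), ("ws-03", "intranet", 443),
]
TODAY = [
    ("ws-01", "fileserver", 445), ("ws-01", "mail", 993),
    ("ws-02", "mail", 993),
    # ws-03 suddenly reaches many hosts it never spoke to, on admin-type ports
    ("ws-03", "ws-01", 445), ("ws-03", "ws-02", 445), ("ws-03", "dc-01", 445),
    ("ws-03", "dc-01", 3389), ("ws-03", "fileserver", 22), ("ws-03", "hr-db", 1433),
]


def build_baseline(flows):
    """Per source host, the set of (dst, port) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline


def score_window(flows, baseline, new_dst_threshold=3):
    """Flag hosts contacting >= new_dst_threshold destinations absent from their baseline.

    Returns {src: {"new_hosts": [...], "new_ports": [...]}} so the alert carries
    the context needed for triage, not just a boolean.
    """
    new_pairs = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) not in baseline.get(src, set()):
            new_pairs[src].add((dst, port))
    alerts = {}
    for src, pairs in new_pairs.items():
        new_hosts = {dst for dst, _ in pairs}
        if len(new_hosts) >= new_dst_threshold:
            alerts[src] = {
                "new_hosts": sorted(new_hosts),
                "new_ports": sorted({port for _, port in pairs}),
            }
    return alerts


if __name__ == "__main__":
    for host, ctx in score_window(TODAY, build_baseline(HISTORY)).items():
        print(f"ALERT {host}: new hosts={ctx['new_hosts']} ports={ctx['new_ports']}")
```

The threshold and the pair-level baseline are deliberately simple; a production NDR would learn per-host distributions over time and weight rarely used ports, but the principle of alerting on deviation from learned behavior rather than on a known-bad list is the same.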

What advice can you give to CISOs when balancing between compliance needs and the practicality of implementing certain IT security practices?

To start with, a comprehensive understanding of the regulatory requirements and the rules that apply to the respective industry is imperative. In addition to the regulatory requirements, every CISO needs to develop a security strategy that also addresses the specific security needs of the organization. With that, measures can be defined and implemented that are effective and manageable.

Automated measures are a very important aspect of equally fulfilling compliance and practicability requirements, because only very limited personnel resources are needed to operate them. As an example, machine-learning based network detection and response helps to continuously monitor the network, identify vulnerabilities and threats, and trigger alerts to meet compliance regulations without human resource involvement.

How can organizations create a proactive strategy that focuses on strengthening the inherent vulnerabilities of their networks rather than just reacting to external threats?

We suggest various measures to proactively strengthen corporate networks. Firstly, frequent updates and patches of the systems are crucial to eliminate potential weak points. Secondly, it is very important to have a holistic overview of all network activities to make sure there are no unintended data flows. An NDR solution can help to generate this visibility. We also suggest conducting regular network audits to identify and address vulnerabilities, misconfigurations, and outdated systems that could be exploited by attackers. And lastly, the functionality of NDR systems makes them proactive in nature, as they continuously monitor network traffic aimed at preventing threats before they occur rather than reacting to them.

What emerging network security solutions and technologies are game-changers in 2023?

There are so many opportunities to strengthen network security and give organizations powerful tools to defend against evolving cyber threats. In fact, there is a lot happening also in network detection and response technology. These recent technologies provide deep insights into network traffic and identify anomalous behaviors and potential threats based on the analysis of behavior patterns. Advanced ML techniques improve NDR’s threat detection accuracy by analyzing large volumes of on-premises and cloud network data for anomalies and patterns indicative of attacks. What we also see in client interactions is that modern NDR solutions shall provide a high level of architectural flexibility, allowing a seamless integration in the existing monitoring infrastructure.

However, it is also important to mention that those are not completely new game-changers but rather ongoing evolutions that we fortunately could already anticipate in various research papers a few years ago.
