XDR Cybereason and the SOC triad – NDR
In the previous article, we discussed the shortcomings of starting the SOC triad implementation with SIEM. As a reminder: SIEM multiplies the value of individual security technologies, but only through time-consuming integration will you be able to get real value out of it. In this article, we will look at the advantages of a Cybereason implementation compared to NDR (Network Detection & Response) technology.
NDR tools are essentially network packet capture tools. They “sit and watch” network links, capture everything that passes through, and …
A. isolate malicious movement
B. provide session reconstruction to help you understand exactly what happened on the network
However, network packet capture tools have four main problems:
1. Monitoring everywhere is exhausting in terms of technical requirements. A multi-gigabit environment where you store your data for weeks would mean “incredible” hardware requirements, as well as the power and cooling that go with them. In addition, enormous amounts of data must be stored close to where they were captured. As a result, companies mostly monitor the “entry/exit points” of their network (whatever that means… see my next point), so they have no visibility into cross traffic, privilege escalation, lateral movement or anything else inside the network.
2. Real network analysis requires enormous computing power and a great deal of knowledge. Outside of the packet header, most raw network data is binary garbage. Extracting the truly meaningful data from a network session requires tremendous computing power. Multiply this exponentially if your data is encrypted, provided you even have the keys to decrypt it. More analytics = more hardware, higher costs. Additionally, once you get the meaning out, presenting it in a way that can be used by anyone other than a seasoned L3 analyst goes beyond the vast majority of tools available today.
3. Networks are not as visible as they used to be. In the past, employees in the office accessed applications in the data center. Today, however, a sales representative sitting in a Starbucks and accessing Salesforce.com or Office 365 never touches your corporate network. The huge increase in the number of employees using SaaS or cloud applications means that when you monitor your network, you only see a fraction of what you want to see. In addition, attackers who want to exfiltrate data now use machines that move on and off the network to make sure they never pass the entry/exit point.
4. Networks are “noisy” places, so prioritizing is really hard. Unless you have amazing network hygiene (and few organizations do), your network is probably full of all sorts of redundant processes. It takes a great deal of knowledge of the network topology to distinguish between what is really harmful to your business and what is merely annoying. Additionally, piecing together all the stages of an attack can be a tedious affair, as it requires manually correlating actions from across the entire network.
So with a network tool you spend a lot of money on infrastructure and you need an army of L3 analysts to make sense of it… By contrast, Cybereason allows you to implement controls at the main point of attackers’ activity: the endpoint. Key advantages of working with Cybereason compared to implementing NDR technology:
1. Visibility everywhere. Cybereason’s endpoint sensors monitor – in real time – every process, every connection, every user at every endpoint across the enterprise, whether it’s a server at the company’s headquarters or a laptop in a coffee shop that has access to SaaS applications.
2. Easy deployment, even in a BYOD environment. The Cybereason Endpoint Sensor works in user space, eliminating the risk of a “blue screen”. This means you can deploy it anywhere, including contractor machines and BYOD devices, without worrying about Cybereason conflicting with other software the BYOD user has installed.
3. Zero local server footprint – unless you want to. Most of Cybereason’s customers deploy in the cloud, eliminating the need for datacenter space, power, cooling, and other provisioning costs. Other clients deploy locally, depending on their preferences. Cybereason also allows you to operate in closed networks.
4. Automatic detection of previously unknown threats. Cybereason’s Hunting Engine collects all data from endpoint sensors and uses a specially built in-memory graph to identify threats. Hunting Engine analyzes in real time and uses machine learning as well as statistical and behavioral analysis to ensure detection of all elements of an attack, especially zero-day threats.
5. Automatically presents all aspects of a malicious operation (or Malop). Cybereason automatically collects the entire attack context related to the malicious operation and visualizes the data for the analyst. Cybereason also comes preconfigured with behavioral models, so you get value immediately after the sensors are deployed.
6. Automated response. Network capture tools are passive. With Cybereason, however, once you identify a threat, you can automatically disable it, prevent it from spreading elsewhere, isolate it, and perform a complete remote forensic analysis on the affected machine.
NDR is a fairly passive tool that requires enormous computing resources to operate effectively. In this context, XDR Cybereason offers a natural alternative: it focuses on the attacker’s key point of action, gives visibility into the entire operation, and triggers an automated response. The possibility of operating in closed networks is an undoubted advantage for Polish customers. Add to that the highest level of detection according to the MITRE ATT&CK evaluation, and we have a solution to protect your organisation’s key assets.