Looking for Clues: Improved Network Anomaly and Event Detection
This article is the twelfth in our ongoing series exploring the NIST Cybersecurity Framework. Last month, we completed the Identify and Protect functions. Next up: Detect.
What, you ask, there’s no “Prevent” function? Well, no, not in name. Still, prevention certainly occurs when you Identify and Protect, as anyone can attest who has implemented strong asset management and access control policies. In addition, prevention does not necessarily require zero incidents. When faced with a network compromise, companies can prevent actual harm (the ultimate goal of any program) through quick detection and response. Similar to health screenings for invasive disease, the notion is to catch bad things early enough to make a difference.
Fortunately, the security industry has evolved new approaches to shorten detection and response times considerably. Today’s existing and emerging Endpoint Detection and Response (EDR) capabilities, combined with Security Information and Event Management (SIEM) solutions and User and Entity Behavior Analytics (UEBA), reflect significant advances in real-time protection by using cloud platforms, big data analysis for indicators of compromise and indicators of attack, and machine learning algorithms. These technologies also have made considerable progress homing in on true positives.
The NIST Framework looks to five core tenets to promote better anomaly and event detection:
• Baseline. Organizations should capture and compare data over time to discover unusual activity relating to specific users and network operations, to include an understanding of the information flow between dedicated interconnected systems (such as with vendors).
• Cast a Wide Net. It is not sufficient merely to aggregate and correlate traditional security data generated by firewalls, Intrusion Detection Systems, Anti-Virus, and the like. Identifying malicious activity also requires comparing other network-generated logs against baseline configurations (ranging from application versions, operating system logs and netflow, to physical access badge data).
• Analyze. When an actual or attempted intrusion is discovered, organizations should consider the attacker’s targets and methods, and use that information to better prepare for future incidents.
• Determine Impact. The significance of detecting an incident goes beyond whether the attacker succeeded or failed. Companies should consider the likelihood the actor will return and perhaps escalate its methods. Organizations need to raise their guard, not lower it, when they stop a targeted attack.
• Establish Alert Thresholds. There aren’t enough people or hours in the day to notify everyone of every detection and expect the most important problems to rise above the noise. Keeping actual and even potential impact in mind, organizations must resolve who needs to be told what, how they will receive those messages, and when they will receive them.
An important component of network security is the ability to determine that a compromise either is imminent or, failing that, has just occurred. In this regard, having early warning capabilities in place is the cyber equivalent of a smoke alarm. A small fire can be put out with a household extinguisher. But, once the fire begins to spread, even emergency responders may find it hard to contain.