
6 Key Capabilities for Network Traffic Analysis Revealed in ESG Survey

See How Awake Security Aligns

Gartner recommends network data, event logs and endpoint telemetry as the triad that gives a SOC visibility, detection and response. The network leg of that triad is only now coming of age. Early efforts lacked fidelity because they relied on metadata, NetFlow or network log analysis, sources that omit much of the context an investigation needs. Detection, meanwhile, leaned on noisy anomaly detection (unsupervised machine learning) and/or complex, brittle rule sets. Only recently have we seen a next generation of network detection and response (NDR) that was purpose-built from the ground up to detect and respond to an attacker's malicious intent rather than to specific forms of malware.

NDR, also known as Network Traffic Analysis (NTA), is being adopted widely as these new approaches begin to improve customers' security posture and reduce their overall risk. A recent survey of 347 security professionals by the Enterprise Strategy Group (ESG) provides insight into six key capabilities of an effective NTA solution.

The Awake Security Platform was designed from its inception to deliver these and other important capabilities. Below are the top six responses security practitioners gave when asked, "What are the most important NTA capabilities for security operations center (SOC) personnel?" For each, we briefly examine how the Awake approach meets the requirement, with links for deeper dives.

  • 44% of respondents identified built-in analytics that help analysts improve and accelerate threat detection. Awake's approach to analytics is intent analysis, which combines machine learning, AI and an expert analysis system to profile the behavior of every network entity. Recording every entity's interactions with every other entity, inside and outside the network, over time provides the context needed to detect an attacker's tactics, techniques and procedures (TTPs). Because detection keys on the attacker's intent as expressed in TTPs rather than on a signature for a particular sample, novel malware, malware-less attacks and rogue insiders can all be detected and remediated quickly. This TTP-oriented methodology is also what lets the Awake platform provide broad and deep coverage across the MITRE ATT&CK framework.
  • 44% said NTA tools must provide threat intelligence services and/or integration. Awake ingests threat intelligence feeds and indicators of compromise (IOCs) to enhance the detection and analysis of known malicious activity. Because the platform is built on a full packet capture engine, that matching runs both prospectively, against new traffic, and retrospectively, against stored traffic, so a newly published IOC can be checked against what hosts actually did days or weeks ago. Log- and endpoint-based tools can only look back over the fields they happened to record at the time. The platform also natively uses threat intelligence such as domain reputation and open-source intelligence (OSINT) such as WHOIS data via Ava, Awake's virtual analyst. Ava uses this information to automate triage and to pre-compute answers to analyst questions such as which other domains belong to an attacker's command and control infrastructure, a task that with legacy tools requires manual threat hunting and investigation.
  • 38% said NTA tools must be able to monitor internet of things (IoT) traffic, protocols and devices. The Awake Platform monitors and captures raw network traffic directly, which gives it the visibility to identify, monitor and analyze every device on the network, IoT and OT devices included. The Awake EntityIQ engine identifies and parses over 3,000 unique protocols and covers every device, internal or external, that connects to the network.
  • 37% said NTA tools must monitor all connected network nodes and alert when a new node connects. Most organizations today run a "new network" of IoT, cloud workloads and SaaS alongside the traditional core and perimeter. The Awake platform automatically identifies, profiles and tracks every device, user and application across that network. Alerts and automated response actions, such as quarantining a device, can be driven through Awake's integrations with the rest of the infrastructure.
  • 37% said NTA tools must have documented and tested integrations with other types of security technology. A primary design goal of the Awake Security Platform was to integrate with, and add value to, the security infrastructure customers already own. Awake integrates with SOAR, SIEM, EDR, threat intelligence, NAC, IPS, firewall, IAM, workflow, web gateway and cloud security systems.
  • 37% said NTA tools must monitor cloud traffic and report on threats and anomalies. Awake's collection, monitoring and analysis extend to virtual private clouds (VPCs) and public cloud environments through partnerships with the leading cloud providers, including AWS, Azure and Google Cloud. Continuous monitoring and analysis of cloud workloads is a critical element in reducing the overall risk of today's digital workplaces; in particular, it helps identify threats that attempt to move laterally within a VPC or between on-premises and cloud infrastructure.
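Three of the capabilities above, retrospective IOC matching against stored traffic, pivoting from an indicator to the rest of an attacker's infrastructure, and alerting on nodes never seen before, each reduce to a check over network records that were kept around. The Python below is an added illustration and is not Awake's code, data model or detection logic; the `Flow` schema, the flow records, the IOC feed, the `BASELINE_END` cut-off and all function names are constructed for the example, and it works on flow-level metadata with the observed DNS name rather than on the full packet capture the text describes:

```python
"""Added example: three SOC checks over stored network metadata.

Everything here is constructed for illustration; nothing is Awake's code
or a real capture.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One stored connection record (hypothetical schema for this example)."""
    ts: datetime
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    dns_query: Optional[str] = None  # name the client resolved to dst_ip, if observed


# Constructed historical flows. Two hosts talk to 198.51.100.23 under
# different names, and a third host reaches into 192.0.2.0/24 later.
FLOWS: List[Flow] = [
    Flow(datetime(2019, 6, 1, 9, 0), "aa:bb:cc:00:00:01", "10.0.1.10", "10.0.1.1", 53, "intranet.example"),
    Flow(datetime(2019, 6, 1, 9, 5), "aa:bb:cc:00:00:01", "10.0.1.10", "203.0.113.7", 443, "update.cdn.example"),
    Flow(datetime(2019, 6, 3, 2, 17), "aa:bb:cc:00:00:02", "10.0.1.11", "198.51.100.23", 443, "cdn-sync.example"),
    Flow(datetime(2019, 6, 3, 2, 18), "aa:bb:cc:00:00:02", "10.0.1.11", "198.51.100.23", 443, "cdn-sync.example"),
    Flow(datetime(2019, 6, 4, 11, 0), "aa:bb:cc:00:00:01", "10.0.1.10", "198.51.100.23", 443, "files-sync.example"),
    Flow(datetime(2019, 6, 10, 14, 30), "aa:bb:cc:00:00:03", "10.0.1.12", "192.0.2.44", 8443, "telemetry.example"),
    Flow(datetime(2019, 6, 11, 8, 0), "aa:bb:cc:00:00:04", "10.0.1.13", "10.0.1.1", 53, "intranet.example"),
]

# Constructed IOC feed that arrives *after* the flows above were recorded.
IOCS: Dict[str, Set[str]] = {
    "ip": {"198.51.100.23"},
    "domain": {"cdn-sync.example", "bad-c2.example"},
    "cidr": {"192.0.2.0/24"},
}

# Devices first seen before this cut-off are treated as the known inventory.
BASELINE_END = datetime(2019, 6, 5)


def domain_matches(name: str, indicator: str) -> bool:
    """Match the indicator itself or any subdomain of it (never a bare substring)."""
    return name == indicator or name.endswith("." + indicator)


def retrospective_ioc_matches(flows, iocs) -> List[Tuple[datetime, str, List[str]]]:
    """Replay stored flows against a newly received IOC set.

    Returns (timestamp, source IP, reasons) for every historical flow that
    touches an indicator, oldest first, so the analyst sees first contact.
    """
    nets = [ip_network(c) for c in iocs.get("cidr", ())]
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        reasons = []
        if f.dst_ip in iocs.get("ip", ()):
            reasons.append("ip:" + f.dst_ip)
        if f.dns_query:
            for d in iocs.get("domain", ()):
                if domain_matches(f.dns_query, d):
                    reasons.append("domain:" + d)
        for n in nets:
            if ip_address(f.dst_ip) in n:
                reasons.append("cidr:" + str(n))
        if reasons:
            hits.append((f.ts, f.src_ip, reasons))
    return hits


def infrastructure_pivot(flows, ioc_ips) -> Set[str]:
    """Passive-DNS style pivot: every name observed resolving to an IOC IP.

    Answers "which other domains share the attacker's infrastructure?" from
    data already on disk, without a live lookup.
    """
    return {f.dns_query for f in flows if f.dst_ip in ioc_ips and f.dns_query}


def new_nodes(flows, baseline_end: datetime) -> List[str]:
    """MACs whose first appearance in the stored flows is after the baseline."""
    first_seen: Dict[str, datetime] = {}
    for f in sorted(flows, key=lambda f: f.ts):
        first_seen.setdefault(f.src_mac, f.ts)
    return sorted(mac for mac, ts in first_seen.items() if ts > baseline_end)


def run_checks():
    """Return all three results for the constructed sample data."""
    return {
        "ioc_hits": retrospective_ioc_matches(FLOWS, IOCS),
        "related_domains": infrastructure_pivot(FLOWS, IOCS["ip"]),
        "new_nodes": new_nodes(FLOWS, BASELINE_END),
    }


if __name__ == "__main__":
    results = run_checks()
    for ts, src, why in results["ioc_hits"]:
        print(f"{ts:%Y-%m-%d %H:%M} {src} matched {', '.join(why)}")
    print("related domains:", sorted(results["related_domains"]))
    print("new nodes after baseline:", results["new_nodes"])
```

Two points worth noting from the sample data. The feed names only `cdn-sync.example`, yet the pivot surfaces `files-sync.example` as well because a second host reached the same IOC address under that name; that second host would otherwise not have been flagged by a domain-only match. And the value of the retrospective check is bounded by the retention window: a flow that aged out before the feed arrived cannot be replayed, which is why the text stresses keeping the underlying traffic rather than only summary logs.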

In summary, as organizations fight to secure their assets in today's threat environment, Network Detection and Response has emerged as a key tool in that fight. The Awake Security Platform was designed from the ground up to provide the visibility, analysis, integration and response capabilities needed to find and respond to the malicious intent and activity of any device or user on the network.


Bill Gardner

Director Technical Marketing