Blog Post

Understanding the Limits of Legacy Network Security Monitoring Solutions

Ever since Gartner identified network traffic analysis (NTA) as one of the Top Technologies for Security in 2017, organizations have been working to fill the gaps in their existing security toolbelts with network-based solutions.

As these solutions have matured, however, it’s becoming clear that not all network traffic analysis is created equal. In fact, there are several ways in which most existing “vanilla NTA” solutions that rely primarily on meta data, NetFlow information, and intrusion detection system (IDS) alerts are fundamentally flawed. In contrast, advanced NTA solutions that deeply and natively analyze network traffic can use that additional data to immense advantage, providing accurate and actionable detection.

The Threat’s in the (Full Packet) Details

Analyzing the full stack of network traffic is by no means easy. It involves extremely large data volumes and requires high-performance systems to successfully process at line rate and as close to real-time as possible. Because of this challenge, earlier NTA solutions primarily relied on higher-level meta data, extracting only transport protocol headers or leveraging NetFlow records providing the same data. The problem is, while meta data offers some context, it has blind spots since it doesn’t examine the actual content of activity occurring on the network—content that has the ability to paint a fuller picture.

Many solutions in the network traffic analysis space try to work around this meta data challenge by relying on an underlying network security monitoring engine like Zeek (the artist formerly known as Bro) or Suricata. These underlying tools are powerful—they can extract the metadata and can be programmed to extract any desired protocol data with enough investment in programming and hardware to do the processing. That is where they stop though. They offer a great way to get access to network data, but the analysis is left to higher layers. Not surprisingly, a variety of NTA vendors have emerged that claim to perform data science-based analytics on the output of these types of tools. There are many challenges with this approach. Firstly, extensive network protocol and threat detection expertise are required to properly build the custom scripts that selectively extract the data relevant to the most pernicious threats. Secondly, the ability to do this processing in production at scale requires substantial engineering to achieve the required performance. Consequently, most vendors that rely on tools like Zeek pull relatively basic data elements provided in the default configuration of these tools and then perform unsophisticated analysis that delivers basic anomaly detection at best.

What About Non-Malware?

Another thing to remember is that network security monitoring engines (as well as IDS engines) have historically focused on malware related threats and have tailored their processing to the way these threats manifest themselves in traffic to and from the Internet. They don’t maintain state over long durations and properly attribute that state to the correct devices and users generating it. Attackers have evolved their strategies to blended, multi-stage attacks that manifest over weeks if not months and rarely have any malware at all. The question, therefore, arises whether the underlying IDS engine is the right tool for the job.

The bottom line is that processing the full packet natively and deeply means you’re getting comprehensive data. That increased signal volume is required to correctly and robustly track entities like devices and users, which in turn is necessary for the correct detection of multi-stage attacks.

You Can’t Tap Them All

Multi-stage attacks, which commonly feature hops from one compromised machine to others in the environment, present another challenge to the approach taken by network security monitoring and IDS tools. Unless you’re on the smallest of networks, using sensors to monitor all internal activity of every device and entity in the hopes of catching this lateral movement is impossible for all but those with practically limitless resources. It requires the ability to tap, span, or (with reduced efficacy, generate NetFlow data) for *all* endpoints connected to the network at their connection point, and the ability to process all that data. Doing so requires reliable and specialized networking gear and processing power that is a significant fraction of the sum of the processing capabilities of all the endpoints. This is a big reason why IDS solutions have traditionally focused on north-south traffic between the organization and the outside world.

Advanced NTA solutions solve this issue by instead monitoring “consequential artifacts.” Rather than tapping each connection within a network, they focus on the network artifacts that are produced as a side effect of communications, which the attacker usually has no control over. For instance, monitoring traffic to and from the domain controller allows you to see Kerberos tickets being issued for one device to access the other. Thus, much like a threat hunter would deduce this, observing and deeply parsing these Kerberos tickets allows communication between the devices to be inferred without directly observing the communication itself. Consequential artifacts, therefore, mean that NTA sensors only need to be deployed in a relatively limited number of locations. It does, however, require precise full-packet data extraction and processing, guided by a detailed understanding of the protocol interactions of the host.

Identifying Bad Behaviors

A common NTA analytic solution uses behavior-based analysis to baseline “normal” activity of an entity, against which future behavior is compared to look for deviations that may signal a threat. These techniques have been deployed in IDS and network monitory systems for many years without significant success due to two problems. First, IDS and network monitoring systems conflate network identifiers and entities, typically attributing behaviors to IP addresses–an identifier that changes very frequently. It is obvious that comparing a profile generated while device A used the address to the behavior of device B that was subsequently assigned the address will produce incorrect results, but this is still commonly done. Second, the variance in behavior of an entity has proven to be extremely large, changing drastically over time given today’s IT environment. When comparing the behavior of an entity with its past, these normal variances inevitably produce numerous false positives. First-generation NTA systems exhibit these same issues.

With the deeper signal available in full packet data, advanced NTA solutions are better at establishing behavioral fingerprints for the entities on the network and tracking those entities regardless of IP or Mac address. Perhaps even more importantly, they can use machine learning and analytics to name and understand the relationships between entities. With most people within an organization bringing more than one device onto a network, this visibility into how various devices tie to individuals and/or groups within the organization, irrespective of the network identifiers they transiently use, gives meaningful and stable context to observed behaviors. This then allows valid behavioral comparisons across time, and even more importantly, meaningful comparisons of behavioral changes within groups of affiliated devices to spot outliers

The Job Description is More than Just Detection

Most customers now expect a detection and response set of use cases. Having access to the full packet enables a broader set of use cases. For instance, an entity-centric historical view allows the solution to present the user with end-to-end incidents that piece together an entire multi-stage attack, correlating the activity across time, devices, users, protocols and more. This reduces alert fatigue and makes the information more actionable for the security team. They have all the necessary forensic evidence and historical records at their fingertips even if the threat is not currently apparent on the network. Finally, the solution can enable threat hunting and retrospective detection while simultaneously delivering forensic and incident response evidence needed after the fact.

As threats and threat actors grow in sophistication, it’s important to understand the limitations of meta data, NetFlow information and IDS alerts. At the end of the day, it’s the data that is monitored and the thoroughness of the analysis done on it that ultimately determines the quality of the detection and response of your systems output. While others struggle to overcome these shortcomings, there are advanced NTA solutions striving to solve these common challenges at the scale necessary. Those are the solutions that you should consider as you evaluate your security posture.

 

Keith Amidon
Keith Amidon

Co-Founder & Chief Architect