Network Security Tools

Network security tools can be either software- or hardware-based and help security teams protect their organization’s networks, critical infrastructure, and sensitive data from attacks. Which tools are used depends on the specific function the security team needs to accomplish. For example, perimeter network security tools work to proactively keep known network-based threats out of the environment; these include firewalls, intrusion detection systems and network-based antivirus programs. More sophisticated tools such as packet analyzers and network mappers are usually used to uncover the vulnerabilities attackers look to exploit in attacks such as DDoS and spear-phishing campaigns.

However, many breaches over the last few years have shown that a prevention-only, perimeter-focused security approach is not enough for an organization looking to manage its risk. Attacks have evolved to be multifaceted and executed over an extended period, exposing the weaknesses of traditional point-in-time prevention. This has made network detection and response – tools used to detect and prevent malicious network activity caused by non-malware threats – a top priority.

Evolution of Network Security

The very definition of the “network” has evolved over time and continues to change as new technologies, including cloud computing and the Internet of Things (IoT), experience rapid adoption. This expanding footprint in turn requires new and varied network detection tools to protect it.

Intrusion Detection Systems (IDS)

Network intrusion detection systems monitor network traffic for suspicious activity. They are specifically used to detect known malware by inspecting individual packets or sessions for signatures of that malware. This model, however, comes with challenges. It is nearly impossible to write a signature for every variant of malware, and an IDS will inevitably produce false positives. IDS deployments therefore need to be tuned on an ongoing basis to discern normal network traffic from actual malicious activity, and the time security teams spend tuning an IDS is time that could be better spent on threat hunting and other tasks.

Sandboxes

Sophisticated attackers have learned to bypass IDS tools easily by making subtle changes to the underlying malware or by exploiting zero-day vulnerabilities. This created a new challenge for security teams: they had no way of building a signature without prior knowledge of the vulnerability. As a result, they started using sandboxes. To identify such threats, sandboxes combine static and dynamic analysis to determine whether something is malicious, executing unverified programs that may contain malicious code in an isolated environment so the software cannot harm the network. But as security teams improved their ability to block malware, attackers once again changed tactics and stopped relying heavily on malware in their attacks.

Network Traffic Analysis: Behavioral Analytics

Attackers are now increasingly focused on the people in the target organization, stealing their legitimate credentials and then using the tools and technologies that are already deployed in the environment – living off the land. The security industry responded to these evolved attacks with network traffic analysis (NTA), the process of intercepting, recording and analyzing network traffic communication patterns in order to detect and respond to security threats. Using artificial intelligence and machine learning, NTA shifted the approach from identifying the “known bad” to establishing a baseline of what is “normal or good” and then detecting anomalies from that baseline as “potentially bad”.

Network Traffic Analysis for Today’s Landscape

While NTA allows security teams to hunt down and prioritize threats faster, it does run into some challenges. Legacy providers in the network traffic analysis space primarily use unsupervised learning to spot anomalies from “normal” baselines. This approach is noisy, since “normal” changes often for entirely legitimate business reasons, e.g., new software deployments. The training required to establish the “normal” baseline also takes time – often 30 to 90 days – which is frustrating when an organization is trying to deploy the technology quickly, and the training often needs to be repeated whenever legitimate changes occur in the environment. Finally, these systems often suffer from weak attribution, since a given device may have multiple IP addresses over time. If the solution alerts based on IP addresses, it will mix together behaviors from multiple devices and fail to track and characterize the behaviors of the actual devices and users that move across IPs.
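As an added illustration of the baseline-and-attribution problem described in the two sections above (example code written for this page, not Awake’s product logic): the constructed DHCP leases and flow records below show how keying on IP address merges two devices that shared 10.0.0.5 and splits one laptop across two IPs, while joining each flow to the lease that held its IP at that time restores per-device totals. Device names, timestamps, byte counts and baselines are all made up.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed DHCP leases: (start_time, ip, device); a lease lasts until the IP is reissued.
LEASES = [
    (0,   "10.0.0.5", "laptop-ana"),
    (0,   "10.0.0.9", "build-server"),
    (300, "10.0.0.5", "printer-3f"),   # laptop left; its old IP is reissued
    (300, "10.0.0.7", "laptop-ana"),   # same laptop, new IP
]
# Constructed flow records: (time, src_ip, bytes_out).
FLOWS = [
    (100, "10.0.0.5", 2_000),
    (200, "10.0.0.5", 2_500),
    (350, "10.0.0.5", 50),
    (400, "10.0.0.7", 900_000),   # large outbound transfer from the laptop
    (450, "10.0.0.9", 4_000),
]
# Constructed per-entity baselines (bytes_out), learned before time 300.
IP_BASELINE = {"10.0.0.5": 10_000, "10.0.0.9": 5_000}   # 10.0.0.7 never seen
DEVICE_BASELINE = {"laptop-ana": 10_000, "printer-3f": 1_000, "build-server": 5_000}

def build_lease_index(leases):
    # Per IP, the (start_time, device) pairs in time order.
    index = defaultdict(list)
    for t, ip, device in sorted(leases):
        index[ip].append((t, device))
    return index

def device_for(index, ip, t):
    """Device that held `ip` at time `t`: the last lease starting at or before t."""
    starts = index.get(ip, [])
    pos = bisect_right([s for s, _ in starts], t)
    return starts[pos - 1][1] if pos else None

def bytes_by_ip(flows):
    totals = defaultdict(int)
    for _, ip, nbytes in flows:
        totals[ip] += nbytes
    return dict(totals)

def bytes_by_device(flows, leases):
    """Join each flow to the lease active at its timestamp before summing."""
    index = build_lease_index(leases)
    totals = defaultdict(int)
    for t, ip, nbytes in flows:
        totals[device_for(index, ip, t)] += nbytes
    return dict(totals)

def anomalous_entities(totals, baseline):
    """Entities whose outbound bytes exceed their baseline (unseen entity = 0)."""
    return sorted(e for e, n in totals.items() if n > baseline.get(e, 0))
```

With IP keys the alert names 10.0.0.7, an address with no history, and the printer’s traffic is folded into the laptop’s old baseline; with device keys the laptop’s baseline follows it across the IP change and the alert names the actual entity.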

Awake’s Take: Advanced Network Traffic Analysis

Threats that originate from or leverage insiders often avoid malware and live off the land. Detecting them requires an ensemble of heuristics, analytics, and AI-based detection approaches rather than anomaly detection alone, which helps eliminate both false positives and false negatives. Best-in-class network security tools also support a broad set of use cases, from situational awareness and visibility (identifying all the entities on the network) to investigations, forensics and threat hunting.
