InfoSec Insider

Network Detection & Response: The Next Frontier in Fighting the Human Problem

Justin Jett, director of audit and compliance for Plixer, discusses the transformation of network-traffic analytics and what it means for cybersecurity now.

Last year, Gartner published a market guide on network detection and response (NDR). Formerly known as network-traffic analytics, which I’ve spoken about in the past at length, NDR has adapted to not only play a major role in helping network and security teams identify threats, but it has enabled these teams to respond to them too. This change in name means that network data is becoming more and more important in stopping threats and is a key component to a multi-layered security posture.

With this in mind, what does NDR mean for the future of cybersecurity as we prepare for the rest of 2021?

Cybercriminals Still Hack Humans

While technology evolves, and network and security professionals develop more sophisticated techniques to stop attacks, one thing remains true: Humans are still a big problem in the equation. Truthfully, humans are still the biggest problem (check out this article nearby on how to deal with some of these problems when you have fewer resources).

A recent post by Fortinet shows that social engineering and phishing are still major contributors to attacks. Specifically, timely attacks are often extremely effective at exposing individual’s vulnerability and enables cybercriminals to take advantage of people.

This is so much the case that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted a “Verify Your Valentine” notice ahead of Valentine’s Day to help reduce the number of people that fall victim to cybercriminals. And, another article posted by Nevada IT Solutions highlights how human negligence is a major contributor to cyberthreats.

Even outside of the intricate Valentine scams, as the number of people working from home has increased (and for the most part remains at an all-time high), the vulnerabilities have also increased as businesses have had to adapt standards to include remote/home networks attached to the business. All the while, cybercriminals have been continuously building their attacks as the world managed around COVID-19.

Some Big Changes to Business

Fortunately, there does seem to some light at the end of the tunnel around these kinds of attacks. As network-traffic analytics has moved to NDR — largely thanks to machine-learning improvements—businesses have been planning for major changes in cybersecurity, according to a recent article in Forbes.

Specifically, 96 percent of enterprise executives are planning to adjust their cybersecurity strategies, and 55 percent indicate an increase in cybersecurity budgets. The biggest thing is that the new strategies will rely more and more on “automated, adaptive cybersecurity.”

This is precisely what NDR is built around: Taking network traffic metadata and using machine learning and/or artificial intelligence to quickly identify threats and automate the response. This is great news because the human problem is not only the problem for how cyberattacks are allowed on a network, but the human problem can also be attributed to how cyberattacks are missed once they are on the network.

Solving for Humans: Post-Attack

As the number of false positives increases in a given cybersecurity platform, the likelihood that a person looking at those alerts will ignore or miss a real threat also increases. This is just a simple math problem, since people can only ingest so much data before being overloaded and the noise takes over.

To solve this problem, network and security teams need a system that will provide them with the fewest alerts and that provides context to help understand the nature and severity of the threat. In a recent CSO article, among other things, it’s problematic if “a metric doesn’t provide any context as to whether it’s good or bad, or leaves you and your team unsure of how to derive meaning and act on it.”

This is particularly a problem for log-aggregation systems like those provided by security information and event management (SIEM) systems, because log data provides extremely factual information, but no insight as to what it means. Usually one needs to dig much further into other systems to find an answer. This exacerbates the issue, because in the short amount of time available for IT teams in a day, digging deeply into multiple systems to find a problem can add additional blindness to the team.

Instead, network and security teams should come together to share valuable network data in a system that not only provides a low number of false positives (most vendors will say that they can do this), but that also enables actionable and contextual insight into attacks. An added bonus is enabled automated responses, but it may take some time before security and network professionals are willing to let machine-learning algorithms determine when to make network changes or quarantine devices on the network.

Until then, NDR systems will continue to provide a platform to reduce the human challenges of creating havoc on the network and not identifying the problem quickly enough once those threats appear.  2021 is shaping up to be the year of NDR, and that just might make the human problem less of a problem.

Justin Jett is the director of audit and compliance for Plixer.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.


Suggested articles