Page 29 - Cyber Defense eMagazine for September 2020

Companies can choose from several methods to address the challenge of protecting lateral traffic, but each of these has limitations that ultimately make them ineffective at detecting lateral movement. One emerging method—threat deception—uses new technology and a different approach that delivers the comprehensive protection organizations need to efficiently monitor east/west network traffic.

Before exploring this new approach that centers on concealment, fakes, and misdirections, let’s take a look at the other options.

Logging at the endpoint

With this approach, organizations use technology such as security information and event management (SIEM) logging to aggregate and monitor endpoint logs to look for suspicious behavior that might indicate a security incident.


Upside: This is a native capability in all modern operating systems, making it readily available.

Downside: The storage and analysis of log data is a big challenge. Security teams need to pull audit logs from a large number of systems used throughout the organization and then bring that into a SIEM platform. The volume of data can be enormous, especially for large enterprises. Because of the strain, companies can’t rely on SIEM only. They need to leverage a big data analytics platform, which does not work well as an alerting system.

Monitoring agents at every endpoint

This involves deploying agents such as endpoint detection and response (EDR) tools that can log network connections.

Upside: Many EDR products have this function, and using behavioral detection provides insights that include forensics and supporting information for root cause analysis and threat hunting.

Downside: As with logging at the endpoint, storage and analytics at scale is a challenge. Companies need to install agents at every endpoint, and while EDR agents work well for real-time detection, managing the large and growing volume of alerts generated can be overwhelming for cybersecurity teams. The filtering process needed is labor-intensive and time-consuming. Often, manual analysis is required to identify issues, and there can be long delays in addressing genuine threats.

Deploying NetFlow collection at core routers and switches

NetFlow is a network protocol developed by Cisco to collect and monitor traffic flow data generated by NetFlow-enabled routers and switches. Analyzing flow and volume data shows where traffic originates, where it is going, and how much traffic is being generated.
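As an added example that is not from the magazine article: the kind of aggregation NetFlow records make possible, run over a handful of constructed flow records to surface one internal host reaching many other internal hosts on administrative ports. The 10.0.0.0/8 internal range, the hosts, ports, byte counts and the fan-out threshold are all assumptions.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed NetFlow-style records (not a real capture): one row per flow.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,bytes
10.0.1.15,10.0.2.20,445,18200
10.0.1.15,10.0.2.21,445,17900
10.0.1.15,10.0.2.22,445,18050
10.0.1.15,10.0.2.23,3389,420000
10.0.1.15,10.0.2.24,445,17700
10.0.1.15,203.0.113.10,443,52000
10.0.3.7,10.0.2.20,445,9100
10.0.3.7,10.0.3.50,3389,310000
10.0.4.9,203.0.113.10,443,61000
"""

# Assumed internal address space; anything else is treated as north/south traffic.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed set of ports commonly used for remote administration.
ADMIN_PORTS = {22, 445, 3389, 5985}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def summarize_east_west(flow_csv):
    """Aggregate internal-to-internal flows per source: destinations, ports, bytes."""
    stats = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": 0})
    for row in csv.DictReader(StringIO(flow_csv)):
        if is_internal(row["src_ip"]) and is_internal(row["dst_ip"]):
            s = stats[row["src_ip"]]
            s["dsts"].add(row["dst_ip"])
            s["ports"].add(int(row["dst_port"]))
            s["bytes"] += int(row["bytes"])
    return stats

def flag_fan_out(stats, min_distinct_dsts=4):
    """Return sources that reached at least min_distinct_dsts internal hosts on admin ports."""
    flagged = {}
    for src, s in stats.items():
        if len(s["dsts"]) >= min_distinct_dsts and s["ports"] & ADMIN_PORTS:
            flagged[src] = {"distinct_dsts": len(s["dsts"]), "bytes": s["bytes"]}
    return flagged

if __name__ == "__main__":
    for src, info in flag_fan_out(summarize_east_west(SAMPLE_FLOWS)).items():
        print(f"{src}: {info['distinct_dsts']} internal hosts, {info['bytes']} bytes east/west")
```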

            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.