More Signal, Fewer Resources: The Value of Context-Enriched Metadata
by Martin Roesch
Security organizations have long struggled with the initial configuration, tuning, and ongoing curation that attack-detection infrastructure demands. Getting a toolset to the point where it produces relevant, contextually meaningful alerts for their environment is resource-intensive. The efficiency of detection infrastructure can be expressed as its ability to consistently produce a small set of high-impact security events alongside few unusable or meaningless ones. In most cases the process for reaching that efficiency is highly manual and itself inefficient.
I’ve discussed before how, as an industry, we need to get to high impact detections faster without the noise generated by traditional threat detection methods that monitor for specific attacks that in many instances cannot impact your environment at all.
In most cases, organizations are striving to move to detection approaches that leverage context wherever possible. After all, events don’t exist in a vacuum; they apply to something that has a set of contextual attributes, and those attributes determine the impact of the event. The challenge many users face is that most detection mechanisms are black boxes that require substantial curation before the alerts they produce are germane to your environment.
Turning a list of events against IP addresses, ports, and protocols into meaningful information takes time and resources. If the detection mechanism can’t automatically incorporate and apply context to produce meaningful events, that context will have to be applied after the fact in the event management platform, where it may not be available, may be incorrect, or may even have been altered by an attacker who has seized control of a networked resource.
The detection architectures that have been built over the last two decades are largely piecemeal and stovepiped to specific environments, attempting to provide the same set of capabilities across each cloud, in the on-prem IT infrastructure, and in OT environments. They use different languages to describe attacks, different eventing formats, different event context, and require different training of different teams. When compromise happens, synthesis across all of these tools and data sets into actionable information is slow, error prone, and requires high levels of coordination across organizations in order to have effective incident response.
Gaining the transparency and network observability we need to get to context-rich, high-impact alerts and save time, money, and manpower requires that we evolve from a threat-centric to a compromise-centric security strategy.
Saving CISOs resources
The Netography® Fusion platform allows you to switch to a compromise-centric vantage point today with its ability to pull together activity data and context from existing network and security infrastructure. Its detections are driven by behavior- and activity-based signals informed by the context of the environment it’s protecting. Users can codify detection of low-level behaviors as well as detections that incorporate business logic. For example, Netography can easily detect malware beaconing across your entire hybrid multi-cloud environment. It can also detect violations of trust boundaries in a network, which applies the context of business logic to catch things like dev and prod communicating, or users who typically confine their activity to the finance segment suddenly interoperating with other functional areas of the network. All of this is achieved without deploying hardware or agents, while still providing full coverage of your entire hybrid multi-cloud enterprise.
Instead of being bombarded by alerts on attacks that you are not vulnerable to, now you are in a position to receive alerts in real-time on things that should never happen at scale across your IT, OT, and multi-cloud network. By definition, these alerts are indicative of an issue that matters. And since we make it easy to add organizational-specific context to enrich the metadata analyzed by the Fusion platform, you reduce the burden on your team so they can initiate response faster and reduce attacker dwell time. Here’s how we do it.
Our approach
Our customers can customize the Fusion platform, including the detections, and ingest context automatically to ensure they are receiving high-impact, high-confidence alerts. Netography is an open detection platform, not a black box: you can see what we’re looking for, and you can write your own detections or have us do it for you.
We automatically pull in the activity metadata already present in your multi-cloud or hybrid network infrastructure and enrich it with context attributes from your asset management, CMDB, EDR, NDR, XDR, and vulnerability management systems. These attributes can include last user, asset owner, MAC address, asset classification, agent version, group, vulnerability count, and CVSS rating and score.
Very quickly, within the Fusion platform, you can see a complete picture of what you’ve got, what it’s doing, and how it’s changing. You can then use that information to define the functional and operational trust boundaries in your organization, using both automated and manual features in Fusion.
Based on context, Fusion looks for signs of compromise by monitoring the activity of users, applications, and devices in the environment’s East/West and North/South traffic, as well as other activities that could be problematic. Because context is dynamic, updates happen in real-time as the participants in your environment change. Detections can trigger based on violations of trust boundaries, suspicious activities, changes in behavior, thresholds you set, or even changes in composition.
For example, you can be alerted to:
- Lateral movement: an attacker moving from system to system within and across any portion of a hybrid multi-cloud enterprise
- Trust boundary violations, including between multi-cloud environments
- OT devices, which should always do the same things, suddenly changing behaviors
- Enforceable multi-cloud behavioral policies to detect configuration drift as it happens
The point is that you decide what’s important to you and tune detections accordingly.
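To make the enrichment and trust-boundary detection described above concrete, here is an added example (not Netography's code or query language) that enriches constructed flow records with CMDB-style asset context and flags flows that cross a boundary you define; the asset table, the allowed-environment policy, and the severity rule are all assumptions made for illustration.

```python
# Added example (not Netography's code): enrich constructed flow records with
# CMDB-style asset context and flag traffic that crosses a trust boundary.
# Constructed asset context, as an asset-management/CMDB export might supply it.
ASSETS = {
    "10.1.0.5":  {"owner": "dev-team", "env": "dev",     "cvss_max": 9.8},
    "10.2.0.9":  {"owner": "platform", "env": "prod",    "cvss_max": 4.3},
    "10.3.0.20": {"owner": "finance",  "env": "finance", "cvss_max": 0.0},
    "10.3.0.21": {"owner": "finance",  "env": "finance", "cvss_max": 5.5},
}

# Trust boundaries: which source environments may initiate traffic to which
# destination environments. Any pair not listed here is a violation.
ALLOWED = {"dev": {"dev"}, "prod": {"prod"}, "finance": {"finance"}}

def enrich(ip):
    """Attach asset context; an IP missing from the CMDB gets env 'unknown'."""
    return ASSETS.get(ip, {"owner": None, "env": "unknown", "cvss_max": None})

def severity_for(src_ctx, dst_ctx):
    """Impact from context: prod destination or a source with a CVSS >= 9.0 finding is high."""
    if dst_ctx["env"] == "prod" or (src_ctx["cvss_max"] or 0) >= 9.0:
        return "high"
    return "medium"

def detect(flows):
    """Return one alert dict per flow that should never happen under ALLOWED."""
    alerts = []
    for src, dst, port in flows:
        s, d = enrich(src), enrich(dst)
        if "unknown" in (s["env"], d["env"]):
            reason, sev = "asset missing from CMDB", "low"
        elif d["env"] not in ALLOWED.get(s["env"], set()):
            reason, sev = f"{s['env']} -> {d['env']} crosses trust boundary", severity_for(s, d)
        else:
            continue  # within a single trust zone: no alert
        alerts.append({"src": src, "dst": dst, "dst_port": port, "reason": reason,
                       "severity": sev, "src_ctx": s, "dst_ctx": d})
    return alerts

# Constructed flow records: (src_ip, dst_ip, dst_port)
FLOWS = [
    ("10.1.0.5",  "10.1.0.5",  22),    # dev -> dev: allowed
    ("10.1.0.5",  "10.2.0.9",  5432),  # dev -> prod: violation
    ("10.3.0.20", "10.3.0.21", 445),   # finance -> finance: allowed
    ("10.3.0.20", "10.1.0.5",  3389),  # finance -> dev: violation
    ("10.9.9.9",  "10.2.0.9",  443),   # source not in CMDB -> prod
]
if __name__ == "__main__":
    for a in detect(FLOWS):
        print(a["severity"], a["src"], "->", a["dst"], a["dst_port"], a["reason"])
```

Each alert carries the owner and vulnerability context of both endpoints, so the responder sees who owns the asset and why it matters rather than a bare IP pair.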
The days of spending too much time and money to manually add context and tune default detections for your environment are gone. At Netography, context-enriched metadata is part of our DNA. It’s what makes compromise detection possible so you can reduce the workload on your team and enable them to quickly see what really matters, accelerate response, and decrease attacker dwell time.