
Compromise Detection vs. Threat Detection: Why ‘Right of Boom’ Now

By Matt Wilson, VP Product Management


In 2022, the average total cost of a data breach reached a record high of $4.35 million, and it took an average of 277 days, about nine months, to identify and contain a breach. Organizations that shortened that time to 200 days or less saved an average of $1.12 million. At Netography we believe that even 200 days is far too long. We can do much better, and Netography can help. It all comes down to the capabilities you have for working right of boom: the period during and after the initial compromise, once the attacker is already inside.

From threat detection


As an industry, we have historically focused on threat detection: looking for signs that an attacker's activity, such as phishing attempts or port scanning, is under way. When we see someone probing our defenses for vulnerabilities they can exploit, or in the process of exploiting one, the objective is to block them.

A lot of traditional Network Detection and Response (NDR) models look for known threat vectors and their associated activity, and when they can see that activity in the payload, they can act on it. This is valuable, and there is definitely a use case for it. But if NDR were foolproof we would have little need for anything else, and the fact is it is not.

Between zero-day exploits, very creative attackers, user mistakes, and DEED environments, it is hard to guard against everything. The initial activity leading up to a compromise can be nearly imperceptible and is becoming harder to detect, which is why every organization should assume it will eventually be hit. We read about new cyberattacks daily, and those are only the ones big enough to be reported. Many more are never made public.

To compromise detection


At this point in the attack we are right of boom, in the realm of compromise detection. The challenge now is to spot anomalous behavior that happens after the initial compromise: data exfiltration, or lateral movement within your environment that is inconsistent with the policies you have set.

Once inside the network, attackers hide in the shadows and can work largely undetected for months or even years before they are caught, and that is when costs skyrocket. The key is limiting the duration of the intrusion and the damage it causes. That is what compromise detection is about, and what Netography Fusion is well suited to do.

Netography uses metadata in the form of network flow data to provide real-time visibility. You can see what is happening in the shadows of your network: the areas not covered by your Endpoint Detection and Response (EDR) tooling, your NDR, and the disparate tools from your different cloud providers. Flow records tell you who talked to whom, on which port, when, and how much, but not what was said, so you still need context to understand what that traffic means. We make it easy to enrich the metadata with that context. On the operational governance side, you use the same context to define what your network should be doing and to alert when it does something it should not.

If all you see is an IP address doing something, that does not tell you much, and it is easy for one or two connections to slip under the radar. But in aggregate, with visibility into the other parts of the network that address is talking to and context around the who and the what, you can drill down to understand what is happening behind the scenes.

Suddenly you might see it hitting a large number of hosts on a specific port, looking around for things. That could be legitimate: perhaps a user has moved to a different group and now has different needs. Or it may be malicious: someone poking around in systems they should not be in. There are many reasons why this communication could be happening, and all of them need investigation.

Netography Fusion removes the need to bridge multiple tool sets to get the information you need for an investigation. A single portal provides a unified view of your data across your entire ecosystem, enriched with context from the other tools in your environment. With a complete picture of what is happening, you know what a host is supposed to be doing and can tell when its behavior is malicious, reducing investigation time from hours to minutes or seconds.

Netography also makes it easy to build detections around governance policies that identify anomalous behavior and alert on it so you can act. Many of our customers choose to quarantine the host immediately and then investigate what is going on, limiting the potential for further damage in the interim.
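As an added example, not Netography's code or product logic, the following shows the kind of aggregation and governance check described above, run over a handful of constructed flow records: it profiles each source host in aggregate, flags a host that fans out to many destinations on one port (the "looking around" pattern), and flags traffic a host's role does not permit, including hosts with no role context at all. The record format, addresses, roles and policy are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records, one per line: src,dst,dst_port,proto,bytes.
# This shape is an assumption for the example; real exports (NetFlow, IPFIX,
# cloud VPC flow logs) carry more fields, but the same aggregation applies.
SAMPLE_FLOWS = """\
10.1.1.5,10.1.2.10,443,tcp,5120
10.1.1.5,10.1.2.10,445,tcp,1200
10.1.1.5,10.1.2.11,445,tcp,900
10.1.1.5,10.1.2.12,445,tcp,880
10.1.1.5,10.1.2.13,445,tcp,910
10.1.1.5,10.1.2.14,445,tcp,905
10.1.1.5,10.1.2.15,445,tcp,870
10.1.1.5,10.1.2.16,445,tcp,890
10.1.3.20,10.1.2.10,8443,tcp,40960
10.1.3.20,203.0.113.7,443,tcp,52428800
10.1.9.9,10.1.2.10,443,tcp,2048
"""

# Hypothetical context: the role of each known host, and the destination
# networks each role is allowed to originate traffic to (the governance policy).
ROLES = {"10.1.1.5": "workstation", "10.1.3.20": "db-server"}
POLICY = {
    "workstation": ["10.0.0.0/8", "0.0.0.0/0"],  # workstations may reach anything
    "db-server": ["10.1.2.0/24"],                # database tier talks only to the app tier
}


def parse_flows(text):
    """Turn the CSV-like records into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def host_profile(flows):
    """Aggregate per source: (distinct destinations, distinct ports, total bytes).
    One connection says little; the aggregate is what you drill into."""
    prof = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": 0})
    for f in flows:
        p = prof[f["src"]]
        p["dsts"].add(f["dst"])
        p["ports"].add(f["dport"])
        p["bytes"] += f["bytes"]
    return {src: (len(p["dsts"]), len(p["ports"]), p["bytes"]) for src, p in prof.items()}


def detect_fanout(flows, min_distinct_dsts=5):
    """Flag a source that reaches many distinct destinations on one port:
    the pattern of a scan or of lateral movement looking for a foothold."""
    fanout = defaultdict(set)
    for f in flows:
        fanout[(f["src"], f["dport"])].add(f["dst"])
    return sorted((src, port, len(dsts))
                  for (src, port), dsts in fanout.items()
                  if len(dsts) >= min_distinct_dsts)


def detect_policy_violations(flows, roles=ROLES, policy=POLICY):
    """Flag flows a host's role does not permit, plus hosts with no role at all
    (with no context the traffic cannot be judged, so it needs a look too)."""
    violations = []
    for f in flows:
        role = roles.get(f["src"])
        if role is None:
            violations.append((f["src"], f["dst"], f["dport"], "unclassified host"))
            continue
        allowed = [ip_network(n) for n in policy[role]]
        if not any(ip_address(f["dst"]) in net for net in allowed):
            violations.append((f["src"], f["dst"], f["dport"],
                               f"{role} not permitted to reach {f['dst']}"))
    return violations


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, (n_dst, n_port, total) in sorted(host_profile(flows).items()):
        print(f"{src}: {n_dst} dsts, {n_port} ports, {total} bytes")
    for src, port, n in detect_fanout(flows):
        print(f"FANOUT  {src} -> {n} hosts on tcp/{port}")
    for src, dst, port, why in detect_policy_violations(flows):
        print(f"POLICY  {src} -> {dst}:{port}  ({why})")
```

On the constructed data, the workstation's fan-out to seven hosts on 445 is the "poking around" case that needs investigation either way, and the database server pushing 50 MB to an external address on 443 violates a policy that says the database tier only talks to the app tier; neither would stand out as a single flow record without the aggregation and the role context.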

Compromise detection is about minimizing the damage, and the best way to do that is to block the activity as soon as you can and then investigate. You can always un-quarantine a host. What is much harder is getting your sensitive data back once it has left. With the visibility and context to block and investigate, you can get from right of boom to recovery as quickly as possible, and a lot faster than 200 days.