FICO Explains: Why Netography and Why Now?
Shannon Ryan, Senior Director, Cybersecurity at FICO®, joined us for a webinar last year to discuss how he and his team are using Netography Fusion® and the benefits they are experiencing. In case you missed it, you can watch it on demand or read the recap blog.
Since then, FICO has expanded its deployment of Netography Fusion. We spoke with Shannon about what drove this decision and to get an update on how they are using the platform today.
Why did you initially choose Netography?
There are lots of reasons why we initially selected Netography, but the short version is that we’re a multi-cloud environment, and we wanted to see and do more across our entire network. We had Network Detection and Response (NDR), and it couldn’t scale without a massive dollar investment, so we needed something different.
When we started looking at Netography Fusion, what immediately became apparent were the benefits of not having to operate our own infrastructure and build our own integrations, which included a lot of workarounds because the previous tool was not cloud-generation built. As a modern platform that can scale massively and operate at a speed that we didn’t know was possible, Netography raised the bar substantially and was the obvious choice.
How were you initially using the platform?
Initially, our primary focus was on helping the security operations center (SOC) with incident detection and alerting. That’s still a piece of the pie, but not even close to all the things we do nowadays. Once we dug in, we fell in love with the product. We started to realize how much more visibility we had in our environment and the other use cases that were now possible.
What drove you to expand and grow your Netography Fusion deployment?
We have three clouds – Amazon, Microsoft, and Oracle, with Google coming soon – plus a multi-private data center environment. We’re growing a lot, adding more data sources and more teams that rely on the platform as a go-to tool. We reached a point where we wanted to be able to see all the data and get even more coverage across our world, so it was time to expand our deployment.
Now we have the same level of visibility across the different clouds and in our data centers, and it’s amazing. The data comes in fast, and it’s normalized. If there’s a scanning attempt or a brute force attack, I don’t have to tell the system to look at it this way in Amazon, this way in Microsoft, this way in the data center, etc., because Netography has done that. I have a consistent view and can write one detection and apply it across the board.
How has your initial use case evolved?
Detection and alerting have expanded to include security incident investigation and response, which is now one of our top use cases. One of the game changers for our incident response (IR) and SOC teams has been all the different integrations – with our SIEM, our threat feeds, our sandbox environments, and our DNS infrastructure – for data enhancement.
For example, our threat intel team has created an integration that supplements the data our teams have access to for analysis. If an endpoint detection and response (EDR) tool triggers an alert, our investigation team can use that intel to help validate if there is really something going on or if it is a false positive. They can dig deeper to look at our sandbox environments and find out if a host talked to another host and determine the extent of the traffic. We can also trigger integrated automations as an outcome of our investigations. So, if we see traffic that is unexpected, we may trigger our security orchestration, automation, and response (SOAR) tool to block that traffic.
What additional use cases are you addressing, and what capabilities are you taking advantage of?
Netography Fusion has become a “Swiss Army knife” for us, helping more teams understand communications across all our different environments very quickly to know what’s happening.
- Our threat governance team will use the platform for internal policy compliance. Traffic identification is really important, and there are a number of controls available. For instance, we can see if something is talking out to the internet when no one in that account should be. And as soon as the social media traffic identification capability became available, we took advantage of that to see if there was TikTok or other social media traffic where it absolutely shouldn’t be, like in our server infrastructure in the data center or the cloud.
- Our governance risk compliance team uses the platform to validate against Payment Card Industry Data Security Standard (PCI-DSS) controls and other regulatory controls we have in place.
- Our costing organization uses it to monitor and understand costs. If AWS transport costs spike, AWS will tell us what account it is happening on. But we also need to know why it is happening – if they are talking to another account or out to the internet. Netography Fusion gives us the why.
- Our network operations team uses it all the time to help figure out what’s causing load on the network and resolve performance issues.
- As we migrate to cloud or consolidate some of our data center footprint, our migration team is using it. Netography Fusion helps compensate for a lack of documentation of older systems, providing us a complete picture of the critical connections between servers and systems that we need to maintain.
- And as we move increasingly to a Zero Trust environment, our engineering team is using Netography Fusion to do traffic classification so they can pre-build rules.
What benefits are you realizing?
I measure benefits by the length of the smile on people’s faces and the number of positive things they say about the tool. To me, those are good measurements to have, and we’ve got high marks for both. But we also have more formal metrics.
Netography Fusion has significantly reduced our operational overhead. Before Netography, we had to think about how to stand up infrastructure in Amazon versus the data center versus other clouds because they are all slightly different. We’ve now decommissioned the old solution, and we’ve even decommissioned others we weren’t planning to. I’m not standing up infrastructure. I’m pointing to an API, and it’s just done.
There’s also a huge time savings benefit with the write once, detect everywhere capability. But Netography Fusion helps us save time in multiple other ways. For example, when there are big common vulnerabilities and exposures (CVEs) that come out, we don’t have to search based on location. We can do one search across the entire environment to immediately know which systems are potentially at risk.
Productivity has also improved. In four years, the security organization has multiplied by more than six times, and a very notable percentage of them use Netography Fusion. The platform has scaled with us, and the learning curve is minimal, so new users can be off and running usually in less than 30 minutes.
Finally, a really key point is that Netography acts based on what the customer really wants instead of just trying to meet some checkboxes. The entire Netography team truly partners with us, constantly adding new features that improve our efficiency and effectiveness.