Hacking, theft and compromise often rely on stealth. Exploits can masquerade as part of legitimate-looking emails, innocuous attachments can contain malicious code, and systems may remain unpatched or still have back doors that become entry points for stealthy intrusions. These factors make distinguishing legitimate from malicious behaviour more difficult. However, the longer a threat hides in network traffic or hibernates on endpoints, the more expensive it becomes to fix, and the greater the risk of data and reputation loss. Essentially, if a threat cannot be seen, it cannot be secured.
A modern intrusion is not a one-time event – it’s a series of steps in a process that spans the threat lifecycle. Modern intrusions often employ tailored and automated activity at each step of the threat lifecycle, optimising the intrusion for the exact task it has to perform at that phase of its life. The foundation for detecting – and preventing – modern intrusions is providing visibility over all phases of the threat lifecycle. Without coordinated visibility from both networks and endpoints, security teams are, at best, overwhelmed by alert overload. At worst, they are operating half-blind. Without visibility, there is no detection, prevention, or possibility for response.
There are seven reasons why integrated network and endpoint visibility matters for modern security:
1. All endpoints need security, not just Windows machines. Attackers seek vulnerabilities and openings on any platform, not just Windows. Security professionals might be surprised at the degree to which senior executives and boards of directors are concerned about the growing endpoint security coverage gap as non-Windows machines proliferate throughout the organisation
2. Network security solutions need to go beyond looking only at packets and look at full sessions, as well as into the actual content that traverses the network in those sessions. Modern attacks often use tactics that are invisible to packet inspection. Combined packet and session inspection enables security teams to look deep into content payloads, no matter how deeply obfuscated. Some solutions rely on sandboxing to backstop packet inspection. While sandboxing is a good step, modern security against modern intrusions should not be required to wait on sandbox determination. Rather, the ability to assemble and analyse network sessions and content in memory, in real-time should be the first step in visibility, detection and prevention. Sandboxing can then be added to the visibility and determination arsenal
3. Companies need to know what’s moving across the network on all ports and protocols, not just the standard, typical or "normal" ones. Visibility means applying rules and policies in a non-selective, port-independent, protocol-agnostic way. Legacy rules that inspect network traffic all too often put on blinders and focus only on the most common ports and protocols where an intrusion might be seen. But the characteristics of that intrusion might be seen anywhere. Looking at all ports and protocols provides broader visibility
4. Security teams need to be able to validate whether network alerts have actually impacted on any endpoints. If a network alert is validated, visibility then means seeing what took place on the affected endpoint(s) and where those endpoint(s) are located. Modern intrusion prevention solutions enable security operations teams to respond quicker and more effectively by automatically validating network alerts on endpoint systems, gathering all the information about what happened – on the network and on the endpoint – and presenting it to the security analyst in a unified, cohesive way. That requires more than siloed network and endpoint security – it requires deep network and endpoint integration
5. Enterprises need the ability to “go back in time” and see what happened in the past. We all know that hindsight is 20/20, so why not apply that principle to security? The new standard in cyber security is the ability to apply new threat intelligence, rules and policies to a collection of historical session, content and endpoint metadata. This empowers both security teams and machine learning algorithms to spot threats, exploits and dangerous packages hibernating on endpoints or moving stealthily across networks
6. The ability to look inward, not just outward, is a must. Perimeter defence and hygiene are vital, but they do not provide total protection, prevention or visibility. Perimeter visibility must be tied to internal network and endpoint visibility. Network topology reconnaissance and movement from machine to machine are important opportunities for spotting and stopping intrusions that have bypassed or evaded network perimeter security. Modern intrusion prevention systems must provide visibility over internal networks and on-net and off-net endpoints as well as at network boundaries
7. Companies need more than one pair of eyes. To stop modern intrusions, visibility must go beyond learning just from what it sees and adapt to what the crowd sees. Modern intrusion prevention systems should be innately empowered to leverage the wider community and tap into the wisdom of crowds. With the discovery of new weaknesses, exploits or threats, that pattern should be shared – securely – so that everyone else can prevent it. Machine learning (ML) has big role to play here; it is uniquely suited to processing massive dynamic data sets to identify patterns, baselines and anomalies gathered from securely shared telemetry. The rise of so-called file-less malware and signature-less exploits create an immediate imperative for a broader and bolder security stance that incorporates both telemetry and intrusion sharing as well as ML
Modern solutions for today’s threats
Modern cybersecurity risks are processes, not single events. They span all phases of the threat lifecycle as they move over the network and across the endpoints, as the attacker seeks to find and then steal, kidnap or destroy valuable data. The longer threats dwell, the more expensive they become to resolve – if they are not stopped before attackers complete their mission. With deep, real-time and historical visibility across networks and endpoints, companies will be able to detect and prevent threats that are often invisible to security teams, making them more effective and efficient. It’s this that will enable organisations to fight the threats of the modern world.
Andrew Bushby, UK director at Fidelis Cybersecurity