If digital transformation, or DX, is to reach its full potential, there must be a security breakthrough that goes beyond legacy defenses to address the myriad new ways threat actors can insinuate themselves into complex digital systems.
Network traffic analytics, or NTA, just may be that pivotal step forward. NTA refers to using advanced data mining and security analytics techniques to detect and investigate malicious activity in traffic moving between each device and on every critical system in a company network.
A cottage industry of tech security vendors is fully behind NTA. I recently visited with Jesse Rothstein, co-founder and Chief Technology Officer of ExtraHop, a leading NTA vendor.
It was one of the more fascinating conversations I had on the floor at Black Hat USA 2018. For a full drill down, please listen to the accompanying podcast. Meanwhile, here are key takeaways:
Data ingestion advances
Traditionally, security analytics has revolved around assessing flow data and log data – a record of the movement of data between systems and shorthand notes about activity on a system. SIEM-based detection systems and earlier network-focused security products developed along these lines.
This unfolded, in part, because capturing and storing much richer data sets really wasn’t feasible 10 years ago, Rothstein told me. Then along came advances in data ingestion and processing, or obtaining and preparing data for immediate use.
Advanced data ingestion techniques made it possible to move beyond just monitoring flow data; it made it possible to analyze literally thousands of “features” for any slice of traffic touching any computing device and apply machine learning algorithms to detect anomalies.
“We can now extract and analyze thousands of features for every single endpoint,” Rothstein says. “That’s one or two orders of magnitude more than the dozens or hundreds of features you could analyze by counting bytes and packets and looking at flow.”
Think, for a minute, about how companies today are turning software developers loose in a DevOps environment. Their mission is to collaborate and innovate at high speed, using on-premises, public cloud and hybrid cloud systems. Now try to imagine what that looks like to a threat actor. Think candy store.
“In so many of these situations you have teams of highly privileged individuals in positions where their credentials could be compromised, and where potentially malicious code can be pushed out,” Rothstein says. “And in many of these DevOps environments, especially ones that are utilizing containers and microservices, you might not have a good sense of what is supposed to be talking to what.”
A simple example of how NTA can help is the monitoring of a single endpoint. Over time, a profile of typical usage gets established for that device. Should the device begin carrying out any malicious activity, such as port scanning, the NTA product will detect that. Or, commonly these days, a compromised device might begin taking steps to spread a ransomware infection or to set up a cryptomining routine.
“We’re able to analyze all of the traffic in real time. But more than analyzing it, we’re understanding it,” Rothstein says. “We understand which resources it’s accessing and which users are accessing it. We understand which files are being accessed and which tables. This requires full stream reassembly for content analysis, and then real time transaction analysis, all at speeds of millions of transactions per second.”
Beyond tracking the behavior of an endpoint in isolation, ExtraHop has been making advances in understanding how endpoints relate to each other in peer groups. This has opened a door to understanding the complex relationships between groupings of endpoints, users and assets – and the ability to sift the bad from the good.
“We’re now able to infer what your most critical and important assets happen to be,” Rothstein says. “And we can detect control and privilege escalation attempts across devices. By really understanding these relationships, and what represents privileged access and what represents control, we’re able to do much more sophisticated analysis.”
Remember how Target got hacked? The data thieves gained elevated access to Target’s customer transactions database routing through the account of an HVAC contractor doing work for the retail giant.
In a DevOps environment there are many more opportunities for third-party accounts to get usurped or manipulated. NTA has the potential to detect even the stealthiest illicit access.
“We might see a container, or a computing instance, or a developer’s account connect to a system in a way that it never has before,” Rothstein says. “That’s something that we can bring immediately to your attention.”
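One way to implement the two detections described above, the per-endpoint usage profile that flags port scanning and the alert when an endpoint connects to a system it never has before, as an added example that is not code from the original post or from ExtraHop's product. Hosts, ports and the scan threshold are constructed; a real NTA system scores thousands of features per endpoint rather than the two simple rules shown here.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port); not captured traffic.
# Learning window: what each endpoint normally talks to.
BASELINE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443),   # build agent -> git server
    ("10.0.1.5", "10.0.2.20", 5000),  # build agent -> container registry
    ("10.0.1.7", "10.0.2.10", 443),   # developer workstation -> git server
] * 3  # repeated to stand in for days of normal traffic

# Observation window: same hosts, plus two departures from the baseline.
OBSERVED_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 443),
    ("10.0.1.5", "10.0.3.40", 5432),  # build agent reaches a database it never has
] + [("10.0.1.7", "10.0.2.30", p) for p in range(20, 40)]  # fan-out across 20 ports

def build_profile(flows):
    """Per-source baseline: the set of (dst, port) pairs seen while learning."""
    profile = defaultdict(set)
    for src, dst, port in flows:
        profile[src].add((dst, port))
    return profile

def detect(profile, flows, scan_threshold=10):
    """Compare a window of flows against the baseline and return alerts.

    'new_peer': a source talks to a destination absent from its baseline.
    'port_scan': one source touches >= scan_threshold distinct ports on one host.
    """
    alerts, ports_seen, reported = [], defaultdict(set), set()
    for src, dst, port in flows:
        known_dsts = {d for d, _ in profile.get(src, ())}
        if dst not in known_dsts and (src, dst) not in reported:
            reported.add((src, dst))
            alerts.append(("new_peer", src, dst))
        ports_seen[(src, dst)].add(port)
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts

def run_demo():
    """Learn from the baseline window, then check the observation window."""
    return detect(build_profile(BASELINE_FLOWS), OBSERVED_FLOWS)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline window itself produces no alerts, which is the check to run before trusting the profile; tuning the learning period and the threshold is where most of the false-positive work lives.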
Drinking from Niagara Falls
Crunching data and deriving accurate alerts at this scale, especially given the rising complexity of modern business networks, represents a towering challenge. “It’s hard to do because when you’re looking at a network data set, what we call wire data, you’re not just drinking from the firehose, you’re drinking from Niagara Falls,” Rothstein says. “If you fall behind, you never catch up again. So that’s why we put so much emphasis on real-time stream processing, as opposed to any sort of sampling or batch processing.”
Wider adoption of NTA, advancing in parallel with DX, holds a lot of promise to help make digital commerce as secure as it needs to be. It puts the focus on the last mile of DevOps, and therefore should remain effective even as newer, even faster forms of software development evolve.
“The network is as close to ground truth as you can get,” Rothstein says. “When you observe something on the network it’s definitive. The network doesn’t lie and you can’t hide from it.”
(Editor’s note: Last Watchdog has supplied consulting services to ExtraHop.)
This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/my-take-can-network-traffic-analysis-cure-the-security-ills-of-digital-transformation/