Webinar Q&A from Modern Network Threat Detection and Response

As promised, here is my lightly edited Q&A from a recent webinar called “Modern Network Threat Detection and Response.” Questions about vendors are removed, and some are edited for clarity.

Q: I thought “vendor C” has a device that could analyze even encrypted traffic. Is that correct?
A: Correct, several vendors do claim analysis of encrypted traffic data without decryption. It is real and based on many types of interesting research in data analytics and even hard science. For example, some vendors can tell an interactive session (a shell) wrapped in HTTPS from regular HTTPS web traffic.

However, it is absolutely clear that what can be achieved by the sum total of such innovative methods is dramatically less than what can be done on plain text data. Any salesy claims that such methods “are almost as good as analyzing plain text data” are not really true. Or, they define the word “almost” in some proprietary way :-)

Naturally, vendors who perform only flow-based analysis are unaffected by encryption. They are no less effective on encrypted traffic, but the question of whether they were effective without layer 7 visibility in the first place remains.
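To make the encrypted-traffic claim above concrete, here is an added illustration (not from the post or any vendor) of the kind of metadata-only signal that separates an interactive shell tunnelled in TLS from a normal HTTPS page load: TLS record sizes, direction changes and client-side pacing, with no decryption. The packet format, the thresholds and the two sample flows are constructed assumptions for the demo, not a vendor's model.

```python
"""Metadata-only heuristic: interactive (shell-like) TLS session vs bulk HTTPS.
Inputs are (time_seconds, direction, tls_record_payload_bytes) tuples, where
direction is "c2s" (client->server) or "s2c" (server->client). No payload is
inspected. Thresholds below are illustrative assumptions, not tuned values."""
from statistics import median


def flow_features(packets):
    sizes = [p[2] for p in packets]
    # Inter-arrival gaps between consecutive client-originated records only:
    # for a shell this approximates the human inter-keystroke interval.
    c2s_times = [p[0] for p in packets if p[1] == "c2s"]
    c2s_gaps = [b - a for a, b in zip(c2s_times, c2s_times[1:])]
    turns = sum(1 for a, b in zip(packets, packets[1:]) if a[1] != b[1])
    return {
        "pkts": len(packets),
        "small_frac": sum(1 for s in sizes if s <= 100) / len(sizes),
        "median_c2s_gap": median(c2s_gaps) if c2s_gaps else 0.0,
        "turn_frac": turns / max(1, len(packets) - 1),
    }


def classify(packets):
    f = flow_features(packets)
    if f["pkts"] < 10:
        return "unknown"  # too little metadata to say anything
    # Shell over TLS: keystroke-sized records, each echoed back (strict
    # direction alternation), paced at human typing speed.
    if (f["small_frac"] >= 0.8 and f["turn_frac"] >= 0.7
            and 0.05 <= f["median_c2s_gap"] <= 2.0):
        return "interactive"
    return "bulk"


# Constructed sample flows (assumed sizes/timings, not captured traffic).
def keystroke_session(n=40):
    pkts, t = [], 0.0
    for _ in range(n):
        t += 0.25
        pkts.append((t, "c2s", 37))  # one keystroke in a small TLS record
        t += 0.01
        pkts.append((t, "s2c", 37))  # the echo back
    return pkts


def page_download(n=40):
    pkts = [(0.0, "c2s", 512)]  # the request
    for i in range(1, n):
        pkts.append((0.002 * i, "s2c", 1400))  # response body segments
    return pkts
```

The same features would not distinguish a shell from, say, an automated keep-alive with regular timing, which is why such heuristics are a signal to investigate rather than a verdict.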

Q: It’s interesting to see that EDR still leads – when it’s clear that in most organizations, you cannot deploy an endpoint agent on every node. Curious whether you agree that having visibility as to ‘what’ is traversing the network from each node ‘first’, before deployment of endpoint tools, would benefit organizations so that they know what they need to cover and protect, as well as understand what other assets might not support an endpoint/agent?
A: This – deploy traffic visibility first, before endpoint – was our original position back in 2013-2014, and current data indicates that this position did not age well :-) Nearly all organizations we interacted with for this research deployed traffic-focused tools after EDR, the endpoint-focused technology. They did it with full awareness that not every asset can have an agent (OT, IoT, BYOD, mobile, obviously rogue devices, etc.) and that they will have official assets without EDR coverage, for various reasons.

Our impression is that EDR just gives them a clearer signal (this is definitely bad!) vs NTA's fuzzier signal (this is perhaps a network anomaly!). NTA clients routinely reported “false positives”, “inconsequential alerts” and “anomalous but benign signals” to be in the high double-digit percentages. Such numbers are far into unthinkable territory for EDR technology. Some clients do deploy NTA tech as the only control (before or even instead of endpoint and sometimes even SIEM), perhaps due to this.

Q: What about NTA and cloud workload protection – what advice do you have for a predominantly cloud datacenter deployment?
A: A painful question! We found no consensus on this issue and so decided to punt it to the future :-) Joking aside, we met organizations that do not have any plans to deploy NTA-style technologies in the cloud, some even adding that “network infrastructure monitoring is an anti-cloud pattern.” Some who “fork-lifted” their data centers to the public cloud expressed some interest, but generally seemed more interested in workload and API-centric monitoring.
We are not taking any position on this subject at this time.

My gut feel, if you care to hear it, is that NTA technologies will face strong headwinds in the cloud (IaaS); of course, they don’t do any SaaS and can barely do PaaS monitoring.

Q: If our organization starts to deploy more services in the cloud using PaaS and IaaS, should we deploy sensors in our provider's cloud? Are there any cases where you have seen that? Maybe using a security service from the cloud provider like Azure Security Center.
A: As I said above, we are not seeing strong demand (frankly, barely any demand) for network security monitoring in the cloud. Many vendors have features to enable it, but we don’t see the demand at this time. We suspect some organizations are experimenting with NTA-style technologies in Azure and Amazon; you are welcome to do so too. It seems to be a bit more popular with organizations who fork-lift their IT to the cloud without thinking about how to do it the cloudy way.

Q: With a proxy, and where to deploy – how do you rationalize the north/south debate of where to collect from when looking at egress?
A: Ah, a good one! We do see deployments inside the proxy (Secure Web Gateway, or SWG), because some people want to track outbound malicious access that is then blocked by a proxy. Now, you can say that you can use SWG logs for this? Sure, you can. That does allow you to detect the same, but having a traffic capture inside the proxy also allows you to see more of the egress and egress attempts. We also see deployments outside of the proxy.

Q: You did say that “AI” or machine learning should be viewed with some skepticism. My question then is what weighting would you place on the quality of the “humans in the loop”? I’d suggest that good analysts are invaluable and am wondering if you’d agree? Where would you place “HR” on your spectrum of “SIEM-NTA-EDR”?
A: Eh…duh? This is sort of painfully obvious. Good analysts are critical for EDR, SIEM, NTA, and even more critical for threat hunting. Good analysts are important, but great analysts are generally much better than good analysts. Good / great analysts come before the first detection technology you deploy, or alongside it. Not sure what to add to this, sorry.

Q: Do you see users, particularly at smaller companies, requiring inline network prevention as an option?
A: No, never seen this regarding NTA technology. However, this question does point at the elephant in the room: NTA vs Network Intrusion Detection Systems or NIDS (or NIDPS, as some people call it, adding prevention). I will leave the subject of NTA vs NIDS for later consideration, but perhaps see this.

Q: Let’s assume the layering of EDR, SIEM, etc. is dependent on industry and/or risk prioritization. We are a large manufacturing company planning on EDR first as it seems less complex – faster value – on several levels than SIEM. Can you compare the learning curves of NTA and EDR?
A: Congrats, you win The Best Question Award! Sorry, no prize. This is a very good question, but also a hard one. We can only compare impressions of specific people after using specific tools. It seems that people have an easier time dealing with EDR signals (alerts, scores, reports, insights, etc.) and a harder time dealing with NTA signals. However, I won’t say that EDR is easy, since many want to rely on “managed EDR” and ultimately pay others to use EDR for them.

Furthermore, I’ve heard some who reported that EDR was easier for them than SIEM, despite agents. Their argument focused on clearer EDR signals and the fact that once you install the agents you are done with EDR deployment, while SIEM requires constant log source tweaks.

Q: Can you please talk more about how decryption is waning in popularity with regard to decryption devices? Is this no longer a viable option for orgs?
A: Look, this is weird for us too. We just see less of it. I suspect – but it is not more than my suspicion – that the tide of encryption is so massive that the “let’s decrypt” side is slowly surrendering. If you have 10X the bandwidth vs some years ago, and 10X the percentage of encrypted traffic vs some other number of years ago, I see the result as a motivation to throw in the towel and not decrypt.

Q: For Layer 7 traffic, is WAF traffic analysis more preferred, and is that an option for capturing Layer 7 where we don’t want to break encryption?
A: WAF will not look at any “your client PC -> others' web resource” traffic (and of course never looks at any non-web or, more precisely, non-HTTP/HTTPS resources), but only at “their client PC -> your web resource.” Hence it is not relevant to this discussion. The technologies discussed have zero overlap with WAF in their use cases (but do have some similarities in the machinery, as you point out, such as layer 7 decoding of HTTP), and so WAF is not an option for capturing layer 7 traffic from your systems to the outside or between your systems.

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: