Hacking, theft and compromise often rely on stealth. Exploits can masquerade as part of legitimate-looking emails. Innocuous attachments can contain malicious code. Systems may remain unpatched or still have back doors that become entry points for stealthy intrusions.
All of these factors make distinguishing legitimate from malicious behavior more difficult. Statistics on threat dwell times prove the point. The longer a threat hides in network traffic or hibernates on endpoints, the more expensive it becomes to fix, and the greater the risk of data and reputation loss. It comes down to this: If you cannot see it you cannot defeat it.
The modern intrusion is not a one-time event – it’s a series of steps in a process that spans the threat lifecycle. Modern intrusions often employ tailored and automated activity at each step of the threat lifecycle, optimizing the intrusion for the exact task it has to perform at that phase of its life. The foundation for detecting (and preventing) modern intrusions is providing visibility over all phases of the threat lifecycle.
Without coordinated, triangulated and cross-referenced visibility from both networks and endpoints, security teams are, at best, overwhelmed by alert overload. At worst, they are operating half-blind. Without visibility there is no detection, prevention, or possibility for response.
Here are 7 reasons why integrated network and endpoint visibility matters for modern security:
- Visibility means endpoint security on all your endpoints, not just your Windows machines. Attackers seek vulnerabilities and openings on any platform, not just Windows. Security professionals might be surprised at the degree to which senior executives and boards of directors are concerned about the growing endpoint security coverage gap as non-Windows machines proliferate throughout the organization
- Visibility means network security solutions that go beyond looking only at packets and look at full sessions and into the actual content that traverses the network in those sessions. Modern attacks often use tactics that are invisible to packet inspection. Combined packet and session inspection enables security teams to look deep into content payloads, no matter how deeply obfuscated. Some solutions rely on sandboxing to backstop packet inspection. While sandboxing is a good step, modern security against modern intrusions should not be required to wait on sandbox determination. Rather, the ability to assemble and analyze network sessions and content in memory, in real-time should be the first step in visibility, detection and prevention. Sandboxing can then be added to the visibility and determination arsenal.
- Visibility means seeing and understanding what’s moving across the network on all ports and protocols – not just the standard, typical or “normal” ones. Visibility means applying rules and policies in a non-selective, port-independent, protocol-agnostic way. Legacy rules that inspect network traffic all too often put on blinders and focus only on the most common ports and protocols where an intrusion might be seen. But the characteristics of that intrusion might be seen anywhere. Looking at all ports and protocols provides broader visibility.
- Visibility means validating whether network alerts have actually impacted on any endpoints. If a network alert is validated, visibility then means seeing what took place on the affected endpoint(s) and where those endpoint(s) are located. Modern intrusion prevention solutions enable security operations teams to respond quicker and more effectively by automatically validating network alerts on endpoint systems, gathering all the information about what happened – on the network AND on the endpoint – and presenting it to the security analyst in a unified, cohesive way. That requires more than siloed network and endpoint security – it requires deep network and endpoint integration.
- Visibility also means being able to “go back in time” and see what happened in the past. We all know that hindsight is 20/20, so why not apply that principle to security? The new standard in cyber security is the ability to apply new threat intelligence, rules and policies to a collection of historical session, content and endpoint metadata. This empowers both security teams and machine learning algorithms to spot threats, exploits and dangerous packages hibernating on endpoints or moving stealthily across networks.
- Visibility means being able to look inward, not just outward. Perimeter defense and hygiene are vital, but it do not provide total protection, prevention or visibility. Perimeter visibility must be tied to internal network and endpoint visibility. Network topology reconnaissance and movement from machine to machine are important opportunities for spotting and stopping intrusions that have bypassed or evaded network perimeter security. Modern intrusion prevention systems must provide visibility over internal networks and on-net and off-net endpoints as well as at network boundaries.
- Visibility means having more than one pair of eyes. To stop modern intrusions, visibility must go beyond learning just from what it sees and adapt to what the crowd sees. Modern intrusion prevention systems should be innately empowered to leverage the wider community and tap into the wisdom of crowds. If someone discovers a new weakness, exploit or threat, that pattern should be shared – securely – so that everyone else can prevent it. Machine learning (ML) has big role to play here as well. In fact, ML is uniquely suited to processing massive dynamic data sets to identify patterns, baselines and anomalies gathered from securely shared telemetry. The rise of so-called file-less malware and signature-less exploits create an immediate imperative for a broader and bolder security stance that incorporates both telemetry and intrusion sharing as well as machine learning.
Modern cybersecurity risks are processes, not single events. They span all phases of the threat lifecycle as they move over the network and across the endpoints, as attacker seek to find and then steal, kidnap or destroy valuable data. The longer threats dwell, the more expensive they become to resolve – if they are not stopped before attackers complete their mission.
See what you’ve been missing.
Fidelis technology is built on a foundation of broad and deep real-time and historical visibility across networks and endpoints. This enables our products to detect and prevent threats that are invisible to other security systems and make security operations teams more effective and more efficient.