CXO Bytes

Comprehensive network visibility is key for effective threat detection and response


In the current business environment, cyber threats are commonplace and no organization is immune to them. These attacks continue to grow in both volume and sophistication. The traditional network perimeter has dissolved with the acceleration of cloud adoption and the shift to remote work, and the number of devices connecting to corporate resources has exploded with BYOD and IoT, which makes maintaining comprehensive network visibility a challenge.

It is crucial for security analysts to be able to understand the entities connecting to the network, the resources they are accessing, and other external locations they are communicating with all the time, in today’s diverse and dynamic modern environments.


ESG Research findings

According to recent research by Enterprise Strategy Group (ESG), 83 percent of survey respondents expect to increase spending on threat detection and response technologies, services, and personnel over the next 12-18 months. However, 31 percent of respondents said they spend most of their time addressing high-priority and emergency threats instead of focusing on strategy or process improvements, making already understaffed security teams inefficient. 29 percent indicated they have blind spots on the network due to the inability to deploy agents. Analysts have to piece together siloed data sets across EDR, SIEM, and NDR tools, which is an inefficient and ineffective process. The research also revealed that 23 percent of respondents said it was difficult to correlate and combine data across different controls, and 21 percent said their alerts do not provide enough context or fidelity.


Network Visibility, a critical aspect

Endpoint protection strategies include Endpoint Detection and Response (EDR), Cloud Service Provider tools, and Network Detection and Response (NDR), among others. For effective threat detection and response, it is critical to establish network visibility at the outset. Holistic network visibility requires both breadth and depth, which means collecting both flow records and full packet captures (PCAP). Combining baseline and transactional data with the granular data of the packets themselves gives analysts a clear picture from which to draw more accurate conclusions. Analysts can then triage alerts from the large volume of metadata this produces and drill down into thorough packet-based investigations where needed.
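The flow-then-packet workflow described above, as an added illustration that is not NETSCOUT's or the author's code: a baseline is built from flow metadata, recent flows are triaged against it, and an alerted flow's key is used to pull the matching packets for deeper investigation. All hosts, ports and byte counts are constructed sample values.

```python
# Added example: flow metadata supplies breadth for triage, packet records supply depth.
from collections import defaultdict, namedtuple
import statistics

# Flow record: source host, destination host, destination port, bytes sent by src.
Flow = namedtuple("Flow", "src dst dport bytes_out")

# Constructed baseline: "normal" flows from one host over a week (values are made up).
BASELINE_FLOWS = [Flow("10.0.0.5", "10.0.0.20", 443, b) for b in (1000, 1100, 1200, 1050, 1150)]

# Constructed recent flows to triage: one normal, one to a new host, one new host with huge volume.
RECENT_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 443, 1120),
    Flow("10.0.0.5", "198.51.100.7", 80, 800),
    Flow("10.0.0.5", "203.0.113.9", 443, 9_000_000),
]

# Constructed packet index, as an NDR would key captured packets by flow tuple.
PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "len": 1500},
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "len": 1500},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 443, "len": 400},
]


def baseline_profile(flows):
    """Per source host: known (dst, port) pairs plus mean and stdev of bytes_out."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        dests[f.src].add((f.dst, f.dport))
        sizes[f.src].append(f.bytes_out)
    return {h: (dests[h], statistics.mean(sizes[h]), statistics.pstdev(sizes[h])) for h in dests}


def triage(recent, profile, z=3.0):
    """Flag flows to unseen destinations or with volume more than z stdevs above baseline."""
    alerts = []
    for f in recent:
        known, mean, sd = profile.get(f.src, (set(), 0.0, 0.0))
        reasons = []
        if (f.dst, f.dport) not in known:
            reasons.append("new destination")
        if sd and (f.bytes_out - mean) / sd > z:
            reasons.append("volume anomaly")
        if reasons:
            alerts.append((f, reasons))
    return alerts


def pcap_pivot(flow, packets):
    """Pull the packets behind an alerted flow so the analyst can inspect them in context."""
    key = (flow.src, flow.dst, flow.dport)
    return [p for p in packets if (p["src"], p["dst"], p["dport"]) == key]
```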

Deployment flexibility for scalability is another characteristic to consider. Network-based tools must also perform well at scale and integrate seamlessly into the existing cybersecurity stack and established processes. The valuable raw metadata generated by NDR solutions should be exportable to third-party data lakes, where it can be combined with other data sets to support custom threat analysis.

(The author is Mr. Vinay Sharma, Regional Director, India and SAARC, NETSCOUT and the views expressed in this article are his own)
