<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

Why Context is Critical for Successful Network Detection and Response

As mentioned in an earlier article, organizations seeking to identify cyber threats and mitigate their risk are looking to deploy advanced Network Detection and Response (NDR) solutions. 

When cyber security teams are searching for security threats through network threat hunting and investigating suspected incidents, the context provided by knowing what’s happening on your network is vital. In addition to explicit threats, this context can help security teams uncover policy violations, rogue network deployments or “shadow IT”. And one of the key sources of that context is network traffic analysis (NTA).

And NTA makes it possible for organizations to leverage context as part of their network threat hunting efforts.

The Value of Organizational Context

Organizational context conveys the value of data and gives threat hunters a wealth of information that can help them achieve their goals of protecting the enterprise by finding and stopping threats. With the use of context, events are much easier to understand, investigate, and address when hunting for threats.

When security teams are investigating potential threats, it is much
easier to determine the next course of action or escalation if they have the data that provides context.

Here are some examples of context to be gained from a network threat hunting perspective, via NTA:

  • Knowing where within the organizational network and IT infrastructure a threat event is occurring. For example, is it originating in the data center, or a system in the accounting department, or on a WiFi guest network?
  • Knowing what type of device is involved with a threat. It might be a user’s laptop or smartphone, or a particular server, proxy, or domain controller.
  • Knowing which individuals were actually using a particular device from which suspicious behavior was detected. Is it an authorized user such as a manager or administrator, or someone from outside the organization?
  • Knowing what user agents and SSL/TLS certificates have been observed on the network.

Having some or all of this context improves automated detection and can help threat hunters conduct much faster investigations to make decisions much more effectively. The latest network detection and response technologies depend on leveraging context as part of the overall cyber security strategy.

Look for NTA in your NDR

When selecting a platform for network detection and response, it is important to consider what sort of NTA capabilities are available that can provide the level of context needed for successful threat hunting, automated detection and incident response. 

That means having the ability to collect data from various sources, including real-time NTA, that deliver the organizational context needed into an analytics engine.

Some of the features to look for include:

  • Real-time data aggregation and correlation of IDS events, network traffic, and organizational data
  • Automated event classification through tagging workflow
  • Custom network definitions that provide enhanced detection of lateral threat proliferation
  • Enriched data that provides context and increases network visibility
  • Metadata integration with security information and event management (SIEM), security orchestration, automation, and response (SOAR), and data lakes
  • Advanced threat detection

This kind of security platform gives organizations the ability to quickly detect and respond to incidents and mitigate risk. It provides the visibility and insight they need to enhance their security posture through successful network detection and response.

In future articles, we will explore these capabilities in more technical detail.

Learn more about Scirius Security Platform here >>.

D. Mark Durrett

Mark is the chief marketing officer (CMO) at Stamus Networks, where he has responsibility for go-to-market strategy and execution. Mark started his career as an electrical engineer and worked in digital circuit design of networking and telecom hardware for over a decade. He has over 25 years of experience leading marketing, product management and engineering for technology companies. Mark has served as the senior product and marketing executive at Netsertive, Emerging Threats, Overture Networks, Bell and Howell, Covelight Systems and Hatteras Networks. Mark resides in North Carolina, USA.

Schedule a Demo of Stamus Security Platform


Related posts

In the Trenches with NDR: NDR Discovers Crypto Wallet Stealer on U.S. University's Network

Tl:DR: A Large U.S. university lacked sufficient visibility into a large segment of its environment...

The Rise of Network Infrastructure Attacks and What to Do About Them

TL;DR: In recent months, CISA, MITRE, CVE.org, and others have announced critical vulnerabilities...

In the Trenches with NDR: K-12 School District Maximizes Visibility While Avoiding Alert Fatigue

TL;DR: An American school district needed to monitor over 5000 school-owned student devices, making...