Tag Archives: DarkTrace

Network Detection and Response

As organizations, and security teams, we purchased many security devices for providing both network and endpoint security. However, attacks continue at the same pace, even we faced bigger attacks last year, and they are getting more sophisticated. So, what is the next step for organizations?

NDR market guide was shared last year by Gartner. As the idea, NDR uses (or must use) artifical intelligence to detect malicious behaviors, both from external threat actors and insider threats.  This means, we will no longer just store the huge network traffic data via full packet capture products, but also detect the anomalies in these captured traffic. So, NDR will play a major role in helping security team to response quicker.

Unfortunately, the only obstacle to the teams last year was not the more sophisticated attacks, but also the “new normal” made security teams so hard. Now, more users are reaching to organization’s sources, getting e-mails and downloading files out of office. Control over users’ behaviors is less and less. When that happens, the need for more sophisticated technologies is also increasing.

MACHINE LEARNING

Even if we implement many security technologies to our structure, attacks are still going on. Now it is necessary to detect whether there is anyone inside as much as protecting the border. Honeypot technologies and EDRs have been used for this for years but these are not enough to decrease the dwell time. If you failed to prevent and detect an attacker inside your network, or an insider threat, it is always difficult to prevent data exfiltration, or your file from being encrypted.

Machine learning is the key here. The main idea is anomaly detection inside the network. The first step is to profile entire organization’s network and users’ and computers’ traffic. After having such a profiling, it will be easier to detect anomalies inside the network. Anomalies can be in different forms like data exfiltration to some rare destinations, uploading files to IP addresses without hostnames, login attempt from strange destinations (for cloud or vpn), and copying in large number of files from an smb share. We expect the NDR to catch all of that, of course more.

CLOUD

More otganizations are using cloud infrastructure more and more. Public, private, or hybrid, cloud infrasturctures are also a part of us. Critical files are stored and applications work there, and the responsibles are the customers for the data’s security.

Think of a scenerio like that; you have users storing files in cloud and they are working with a few of these files during their work. A user, has a permission to reach these files, downloading most of the files in a very short time, then resigns from work. Or, this user’s credentials have been compromised, and someone connected to your cloud from a country that non of your users normally connect and made anomalous behaviors. NDR must cover also cloud and detect these incidents. It is hard to implement a UEBA solution, thus, NDR can be implemented to detect insider threat.

THE NEW NORMAL

Most of the organizations were caught unprepared for Covid situation. Users had to work at home and connected to organizations’ network or cloud from home. That means, users can connect to internet less controlled. An NDR with endpoint capabilities will also cover users at home, corralate users behaviors with your network traffic and can detect threats.

Product Review: Cyber AI Analyst

Best enterprise security solution finalists announced by SCMagazine. DarkTrace’s Cyber AI Analyst is one of these solutions, and since I like its mentality, want to write something about it.

For most of the organizations, one of the biggest problems of today is to have and keep qualified analysts. Because of the attacks developing day by day, newly established and growing SOCs and growing teams, it became more difficult to have qualified analysts and/or keep them. Mostly, organizations try to educate young people as analyst but mostly they cannot keep them.

So, unfortunately, most of the organizations are living without a sufficient number of analysts. Cyber AI Analyst is a solution that focuses on this problem. SCMagazine wrote as;

Detected and contained the spread of a state-sponsored campaign across several organizations globally in March 2020, generating detailed reports of the incidents in real time — weeks before the attack was publicly attributed to APT41.

According to DarkTrace, it took 3 years to develop Cyber AI Analyst. It has been developed by observing real/human analysts’ behaviors, about investigation and triage. AI can react as expert analysts against an incident. It can analyze and prioritize incidents and reports what you need as an incident report like malicious files that caused that incident, C&C connections, domains and all infected endpoints. Normally, it takes hours to check all related logs to find these information about the incident.

Thus, even the organization has a small number of analysts, security teams can have a valuable incident report. So, these team members can focus other tasks instead of spending hours in SIEM.