MAY 2017

Network Detection:
What Is It Really?
Scott Millis
CTO, Cyber adAPT
A Growing Concern

Network detection has become the hottest area of growth in cybersecurity. The financial services and healthcare industries alone are experiencing alarming rates of daily attacks worldwide. From malware, breaches, and phishing scams to savvy cybercriminals harvesting truckloads of information and personal data, cybersecurity is the number one concern for organizations right now.

In an independent study conducted by the Ponemon Institute entitled 2016 Cost of Cyber Crime Study and the Risk of Business Innovation, financial services ranked number one with losses totaling $16.53M, and healthcare ranked sixth, totaling $7.12M.

Verizon's 2017 Data Breach Investigations Report, 10th Edition (DBIR), highlights a wide array of startling statistics that show not only who is behind the breaches and what tactics they use, but also who the victims are and the common traits of the attacks:

Breakdown of Breaches:
- 75% are perpetrated by outsiders
- 51% involve organized criminal groups
- 62% feature hacking
- 51% include malware
- 81% of hacking-related breaches use stolen/weak passwords
- 66% of malware was installed via malicious emails
- 73% are financially motivated
- 24% affect financial organizations

Cyber adAPT, Inc. 2017


Protecting Your Network from Constant Threat

In response to the growing number of attacks, cybersecurity vendors are touting their products as the latest answer to cyberthreats and network detection. Although these solutions come equipped with various tools, vendors are not fundamentally upgrading their approach to cybersecurity; as a result, their products do little to address the growing problem.

Most approaches are incomplete. While attempting to tackle a complex issue with multiple layers, many so-called cutting-edge solutions address one or two layers at best, leaving the rest vulnerable to attack.

One of the most widely promoted techniques in detection today is network behavior analysis (NBA). An NBA program can be excellent at monitoring network traffic in search of malicious activity. Most NBA programs are used as an enhancement to the protection provided by the network's firewall, intrusion detection system, antivirus software, and spyware detection tools.

Again, an individual technique on its own will not solve the problem of identifying attackers inside the network perimeter; however, changing the approach from a singular focus to a multi-dimensional view of the network is a great place to start. A multi-dimensional approach enables security analysts to identify threats in real time as well as monitor and look within each layer of the network.

Security analysts must have a detailed understanding of what is normal behavior within their network. Not all security threats come from outside the network. Many come from within organizations, oftentimes conducted by negligent employees who are aware of security policies but find a workaround, with the best intentions of getting work done.

An inside-out security policy helps identify when someone is trying to disguise malicious traffic inside the millions of good packets. A clear understanding of known threatening domains and IP addresses helps prepare for potential issues and provides an outside-in perspective.

The crucial element of the inside-out and outside-in approach is advanced detection, which identifies the protocol- and application-specific messages, out of millions of packets per second, where threatening behaviors can be found.

Although no magical or technical panacea is in sight, organizations need more vigilance, security measures, and risk policies to protect their customers and reputation. Responding to attacks is not enough to combat the constantly changing threat landscape. Organizations need to analyze their network behavior and pinpoint the threats they are likely to incur.



Network Traffic Analysis = Advanced Detection + Statistical Analysis + Threat Intel + Context



The Intersection of NTA & Threat Analytics

Getting the Right Mix

Many network security techniques are becoming less popular with cybersecurity organizations due to excessive false positives and meaningless events. Two of these misused techniques are behavior analysis and threat intelligence. In isolation, they produce few results, but when used together they are capable of producing a truly advanced product.

Network traffic analysis (NTA), a term often misunderstood, is sometimes confused with network behavior analysis (NBA). NBA is a subset of NTA and represents a series of events that occur on the network. Compiling the data into a baseline report will point to what is considered normal activity. The data often provides internal context for a breach that relates to a specific network, as seen in this example:

Most NBA systems will catch obvious anomalies, like a user who typically works normal business hours and then accesses the network remotely off-hours while exporting massive loads of data. There are flaws within this approach: as an organization adds new employees, company policies, and new office locations, what has been considered normal will need to evolve. Even "having a baseline" is a misnomer, because a baseline can never be static; network behavior is always changing.

A solution based purely on NBA is very limited in scope for detecting activity inside the network or seeing what enters the network from the outside. NBA does not take into consideration outside variants that together weave a larger story to help focus on a threatening target.

Another misunderstood technique within network security is threat intelligence. Threat intelligence feeds serve a specific purpose in building the context around a security event: as a dynamic database, a feed adds and removes IP addresses when their status as suspect changes. The suspicion could be caused by an attack that hijacks a domain or server temporarily but is then discovered, remediated, and removed.

External threat intelligence was once the latest thing in security, but lost its appeal as security analysts struggled to understand how to use it. Domains are compromised in limited time windows in many cases, and suspect threats are added and removed from threat intelligence feeds, making false alarms very common.

Like NBA, threat intelligence is an excellent source of context and can provide an indicator of compromise (IoC) from external information, but on its own it is not effective in identifying an attack.

With this in mind, combining external context from threat intelligence and internal context from network behavior analysis ensures that alarms occur only when the threat is real.
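The following Python sketch is an added illustration of the combination described above (the off-hours bulk export that NBA catches, the time-windowed threat-intelligence entries that go stale, and alarming only when the two agree); it is not code from the paper or from any Cyber adAPT product. Every name, user, flow, indicator, and threshold in it is an assumption made for the example: the addresses are RFC 5737 documentation ranges, the traffic is constructed inline, a flow counts as a volume spike at three standard deviations above the user's rolling mean, and an hour the user has never been active in counts as off-hours.

```python
"""Toy network traffic analysis: a per-user behavioral baseline (the NBA half)
correlated with a time-windowed threat-intel feed (the external-context half).
Users, flows and indicators are constructed; addresses are RFC 5737 ranges."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import statistics

@dataclass
class Flow:
    ts: datetime
    user: str
    dst_ip: str
    bytes_out: int

@dataclass
class UserBaseline:
    """Rolling profile of one user: active hours and outbound volume. The
    window keeps the profile evolving instead of freezing what 'normal' is."""
    window: int = 50
    hours: list = field(default_factory=list)
    volumes: list = field(default_factory=list)

    def learn(self, flow):
        self.hours.append(flow.ts.hour)
        self.volumes.append(flow.bytes_out)
        del self.hours[:-self.window]
        del self.volumes[:-self.window]

    def internal_reasons(self, flow):
        """Internal context: what is unusual for this particular user."""
        if len(self.volumes) < 5:
            return []  # too little history to call anything abnormal
        reasons = []
        if flow.ts.hour not in set(self.hours):
            reasons.append("off-hours")
        mean = statistics.mean(self.volumes)
        stdev = statistics.pstdev(self.volumes) or 1.0
        if (flow.bytes_out - mean) / stdev > 3.0:  # assumed 3-sigma threshold
            reasons.append("volume-spike")
        return reasons

class ThreatIntel:
    """External context: indicators carry validity windows, so a host that was
    hijacked and later cleaned does not keep raising false alarms."""
    def __init__(self):
        self._entries = {}  # ip -> [(valid_from, valid_to), ...]

    def add(self, ip, valid_from, valid_to):
        self._entries.setdefault(ip, []).append((valid_from, valid_to))

    def hit(self, ip, at):
        return any(lo <= at <= hi for lo, hi in self._entries.get(ip, []))

class Detector:
    """Alarm only when internal and external context agree; one side alone is
    queued for review instead of being dropped or escalated."""
    def __init__(self, intel):
        self.intel = intel
        self.baselines = {}

    def process(self, flow):
        base = self.baselines.setdefault(flow.user, UserBaseline())
        internal = base.internal_reasons(flow)
        external = ["intel-hit"] if self.intel.hit(flow.dst_ip, flow.ts) else []
        if internal and external:
            verdict = "alert"
        elif internal or external:
            verdict = "review"
        else:
            verdict = "ok"
        if verdict != "alert":
            base.learn(flow)  # alerted flows must not teach the baseline
        return verdict, tuple(internal + external)

def constructed_intel():
    intel = ThreatIntel()  # constructed feed entries, hypothetical addresses
    intel.add("203.0.113.5", datetime(2017, 5, 1), datetime(2017, 5, 10))   # live
    intel.add("198.51.100.7", datetime(2017, 4, 1), datetime(2017, 4, 15))  # cleaned
    return intel

def constructed_flows():
    start = datetime(2017, 5, 1)  # one ordinary working week for two users
    flows = [Flow(start + timedelta(days=d, hours=h), u, "192.0.2.10", 50_000 + 500 * h)
             for d in range(5) for h in (9, 11, 14, 16) for u in ("alice", "bob")]
    flows += [
        # off-hours bulk export to an indicator that is live right now
        Flow(datetime(2017, 5, 6, 2, 0), "alice", "203.0.113.5", 4_000_000),
        # ordinary traffic to an indicator that expired three weeks ago
        Flow(datetime(2017, 5, 6, 11, 0), "bob", "198.51.100.7", 52_000),
        # off-hours but otherwise ordinary: worth a look, not an alarm
        Flow(datetime(2017, 5, 6, 23, 0), "bob", "192.0.2.10", 51_000),
    ]
    return flows

def run():
    """Replay the constructed week; returns (user, verdict, reasons) per flow."""
    detector = Detector(constructed_intel())
    results = [(f.user, *detector.process(f)) for f in constructed_flows()]
    return results, detector
```

Calling run() yields "alert" for the 02:00 four-megabyte export to the live indicator, "ok" for the flow to the address that left the feed in April (a static blocklist would have paged on it), and "review" for the off-hours flow to an ordinary host. Two design choices carry the argument of this section: the baseline is a rolling window that keeps learning from "ok" and "review" flows, so a new office location stops looking anomalous after a few days, while alerted flows are withheld from it so an attacker cannot slowly teach the profile that exfiltration is normal.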



Context & Detail: The Holistic Solution

The most significant network security evolution today is threat detection. Industry analysts have identified detection as a crucial element of protecting digital business. But what does it mean exactly?

DETECTION is currently only a network security marketing term that is loosely defined within the context of any vendor solution. In other words, the term is rapidly becoming meaningless. To remedy this, we looked at real-world scenarios from Cyber adAPT clients to define the actual needs driving the use of detection technology.

We found that companies need to:

- Find attacks that make it inside the network
- Reduce false positive alarms
- Prioritize workflow
- Develop an informed response

Many vendors claim to have behavior-based detection with deep packet inspection at line speed and predictive analytics. Unfortunately, the systems advertised are rarely real-time.

The challenge with delivering advanced threat detection is the lack of products that correlate real-time protocol and application events with internally developed threat intelligence specific to the organization. Without consolidating customized baselines and evidence sources, there is no context to identify modern threats.



Using Context to Understand the Big Picture

What the industry needs is a holistic solution that integrates disparate components of network behavior and threat intelligence to create truly advanced detection. To accomplish this, both network behavior and threat intelligence must be included to effectively expose the attacker, especially when their intrusion and malicious activity are masked to appear as good traffic.

Persistent attacks are called advanced because attackers are aware of current alerting systems and know exactly how to mask their behavior to appear normal while gaining entrance undetected.

Advanced detection controls how data is correlated to provide a bigger picture while diminishing the attacker's favorable position.

Consider the steps of a night watchman and how he links clues to discover suspicious activity. A detection process is very similar:

In the evening he patrols the premises, maybe notices seemingly unrelated incidents, and ties them together; a security light gone dark is not necessarily a cause for alarm, but it could be if there is broken glass from the bulb. Such clues are invaluable, especially when building context around specific events and recognizing malicious activity from seemingly disparate actions.

By using context in partnership with detection, security analysts can identify subtle commands, requests, responses, and protocol errors buried in millions of packets while comparing them to broader normal network behavior.

Cyber adAPT's latest advanced detection technology enables context-based mapping of internal network traffic by providing an enhanced view of security breaches from both the inside-out and the outside-in of a network environment.



Detection As The Core

Strengthening the Perimeter to Avoid Intrusion

With networks becoming larger and more layers of complexity being added, organizations are struggling to understand what tools they need in their security stack. Signature systems are old, sandboxing is too narrow in scope, and pure NBA systems miss the big picture, as an attacker often poses as a benign host. To keep pace with attackers, security teams need access to clear and concise data sets that point straight to what needs attention; they cannot and should not be overwhelmed by the roar of false alarms.

What organizations are realizing is that a smart stack must be built on detection, not prevention. Networks with integrated security tools and real-time monitoring capabilities can not only crunch data, but provide the right information to help their IT and security teams perform quicker remediation and forensics.

The Cyber adAPT solution removes the guesswork from the security analyst's job by:

- Monitoring the network in real time
- Correlating live data with multiple intelligence variants
- Building context that gets smarter over time while eliminating false positives

FACT: Advanced threat actors assault seemingly secure systems from all around the world, every day.



Stay Vigilant as Attackers Ramp Up

As organizations focus on securing their network infrastructure, cyberattacks have shown no sign of slowing down. In fact, they have increased.

A 2016 Pew Research Center survey that examines Americans' cybersecurity habits and attitudes finds:

- 41% of Americans have encountered fraudulent charges on their credit cards
- 35% have received notices that some type of sensitive information (like an account number) had been compromised
- 16% say that someone has taken over their email accounts, and 13% say someone has taken over one of their social media accounts
- 15% have received notices that their Social Security number had been compromised
- 14% say that someone has attempted to take out loans or lines of credit in their name
- 6% say that someone has impersonated them to file fraudulent tax returns
- 49%, roughly half of Americans, feel that their personal information is less secure than it was five years ago

While organizations may not be able to completely eliminate cyberattacks within their networks, they can build a comprehensive system that offers the right security approach and strategy to reduce attacks.

By monitoring the network in real time, correlating live data with multiple intelligence variants, and building context that gets smarter over time while eliminating false positives, this crucial portion of the security stack is more than just a detection tool.



Learn More

Connect with Cyber adAPT today to learn how you can sense and eliminate attacks throughout your entire digital enterprise.

Cyber adAPT's multi-layered detection platform provides:

01 Fastest attack warning from anywhere in the digital enterprise
02 Highest degree of confidence that the attack is real
03 Isolates breaches automatically before they spread
04 Applied threat intelligence finds more attacks
05 Immediate deployment and protection

ABOUT THE AUTHOR: Scott Millis, CTO

Scott is a senior IT executive and security industry pioneer with an exceptional talent for aligning security and business objectives. Formerly the Chief IT Strategy Officer at McAfee (now Intel Security), he brings a deep understanding of all aspects of IT across diverse sectors including manufacturing, distribution, large enterprises, and professional services.

Cyber adAPT, Inc.
337 Mirada Road
Half Moon Bay, CA 94019
469-284-8595
info@cyberadapt.com
www.cyberadapt.com

Follow us @CyberadAPT
