
Mark Jow at Gigamon discusses industry’s cyber-security preparedness gap and outlines what is fundamental to driving improvement and change
The cyber-security industry has experienced rapid change in the past few years and is showing no sign of slowing down. As we have seen with the recent breaches of TfL and the London NHS hospitals, and with data from IBM’s X-Force Threat Intelligence Index for 2024 showing that attacks in Europe have increased 31% year on year, cyber-attacks continue to rise, and a wave of new, more punitive regulations such as DORA and NIS2 is on the horizon.
Despite this, there is still a significant cyber-security preparedness gap within most organisations, with more than one third of them unable to detect and remediate breaches with their existing strategies.
As threats grow ever more complex, and regulations become more stringent, the only way forward for organisations is to gain a comprehensive understanding of their hybrid IT infrastructure, shining a light into every dark corner of their ‘distributed’ network.
Many organisations are still dangerously fixated on the idea that perimeter security is sufficient in fending off attackers. However, in reality, sophisticated attacks are increasingly arising from within.
While traditional security methods should still be employed to maintain a strength-in-depth approach, today’s complex landscape demands a multi-layered strategy that combines those traditional approaches with comprehensive network-level intelligence to deliver real-time network visibility across the entire environment.
Here are three highly effective measures organisations can proactively take to protect themselves against hidden threats.
1 Addressing invisible traffic
A recent survey revealed that only 40% of organisations have visibility into laterally moving (east-west) traffic. With the volume of lateral traffic now surpassing that of north-south traffic thanks to increasingly virtualised data centres, AI and hybrid cloud adoption, this is a worrying statistic.
Additionally, 76% of security teams still believe that encrypted traffic is safe and are less likely to inspect it. Organisations are putting all their efforts into building million-dollar walls, all while the threat is already inside, poised to strike.
The amount of data that passes through modern networks is nearly impossible to fully decrypt, let alone inspect. As a result, threat actors are exploiting encrypted payloads, using them like a Trojan horse to hide their malware, mask malicious activity, or exfiltrate stolen data.
Organisations must look closely at security strategies that can distinguish between encrypted traffic that needs decrypting and that which doesn’t. But most importantly, they must gain visibility into the traffic moving laterally within their networks. This is often done with methods such as micro-segmentation, an approach to security that involves dividing a network into segments and applying security controls to each segment based on the segment’s requirements.
By gaining a deep understanding of the data that regularly travels through their systems, they will be better positioned to identify threats in action.
2 Cutting out the noise
As threats become more complex, organisations seem to be constantly investing in the newest and most sophisticated tools in the hope that these will protect them.
But buying different tools to address different security issues inevitably creates silos and blind spots within their networks. With 3 in 4 CISOs reporting that their security teams are overwhelmed with sprawling tool stacks, and 65% of security leaders claiming their existing tools are not effective in detecting breaches, organisations need to start re-thinking their tool strategies.
Although consolidating to one vendor may seem like the best solution, putting all your eggs in one basket is risky. Instead, security teams need to focus on optimisation – assessing the efficiency of their existing tools, and how they fit the organisation’s specific needs. It is crucial that all tools play into a wider security strategy and work in harmony with one another to cover all assets and data.
In the same manner, the data that is being fed into these tools must be optimised to ensure the tools are able to function efficiently while maintaining adequate visibility. Historic tool investment has been centred on tools that consume metrics, events, logs and traces, and while these are all good sources of data, they are incomplete without the ability to augment them with immutable network telemetry from every corner of an organisation’s hybrid cloud infrastructure.
The failure to appreciate the importance of network visibility perhaps explains why companies have invested millions in tools and yet still see an increase in breaches. Network telemetry is the missing component organisations have been overlooking to their detriment, and as a result they are squandering the investments they made in purely log- and event-centric tools.
Network traffic, though, can if unmanaged overwhelm many modern tools such as SIEM and NDR, so techniques such as application filtering and deduplication should be applied to cut out unnecessary network traffic and ensure an optimised flow of traffic to the tools.
Application filtering entails separating traffic into high and low risk by distinguishing trusted traffic signatures, ensuring only high-risk traffic is decrypted, while deduplication ensures that every new packet of data is only decrypted once before it is trusted to flow through the network.
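To make the east-west visibility point from section 1 and the filtering and deduplication step from section 2 concrete, here is an added illustration (not Gigamon’s code, nor code from the original article) of a pre-processing stage that sits between network taps and a SIEM or NDR. It drops packets mirrored twice from different taps, discards traffic to an assumed allowlist of trusted TLS destinations, tags what remains as east-west or north-south, and reports how much the tools were spared. All packets, addresses and the allowlist are constructed sample values.

```python
import ipaddress
from hashlib import sha256

# Assumed internal address space used to decide east-west vs north-south.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allowlist of trusted TLS server names whose traffic need not be decrypted.
TRUSTED_SNI = {"updates.corp.example"}

def pkt(src, dst, sport, dport, sni, payload):
    """Build a constructed packet record (a 5-tuple, optional TLS SNI and payload bytes)."""
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "sni": sni, "payload": payload}

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def direction(p):
    """Lateral (east-west) if both endpoints are internal, otherwise north-south."""
    return "east-west" if is_internal(p["src"]) and is_internal(p["dst"]) else "north-south"

def packet_id(p):
    """Stable identity for a packet so the same packet seen on two taps is counted once."""
    h = sha256("|".join(str(p[k]) for k in ("src", "dst", "sport", "dport")).encode())
    h.update(p["payload"])
    return h.hexdigest()

def classify(p):
    """Application filtering: trusted if TLS to an allowlisted name, otherwise high-risk."""
    return "trusted" if p["dport"] == 443 and p["sni"] in TRUSTED_SNI else "high-risk"

def optimise(packets):
    """Deduplicate, drop trusted traffic, tag direction; return forwarded packets and stats."""
    seen, forwarded = set(), []
    stats = {"in": 0, "duplicates": 0, "trusted": 0, "forwarded": 0, "east-west": 0}
    for p in packets:
        stats["in"] += 1
        pid = packet_id(p)
        if pid in seen:                      # already inspected once: do not decrypt again
            stats["duplicates"] += 1
            continue
        seen.add(pid)
        if classify(p) == "trusted":         # low-risk, allowlisted: skip decryption
            stats["trusted"] += 1
            continue
        d = direction(p)
        stats["east-west"] += d == "east-west"
        forwarded.append({**p, "direction": d})
        stats["forwarded"] += 1
    return forwarded, stats

# Constructed sample traffic: packet 1 is mirrored from two taps; packet 3 is an allowlisted update.
SAMPLE_PACKETS = [
    pkt("10.0.1.5", "10.0.2.9", 51000, 443, "", b"\x16\x03\x01\x00\x05hello"),
    pkt("10.0.1.5", "10.0.2.9", 51000, 443, "", b"\x16\x03\x01\x00\x05hello"),
    pkt("10.0.1.5", "203.0.113.10", 51001, 443, "updates.corp.example", b"\x16\x03\x01upd"),
    pkt("192.168.4.2", "10.0.2.9", 51002, 445, "", b"\xffSMB"),
    pkt("10.0.3.7", "198.51.100.23", 51003, 443, "unknown.example.net", b"\x16\x03\x01zzz"),
]
```

Running `optimise(SAMPLE_PACKETS)` forwards three of the five packets and shows two of them are lateral; the lateral TLS flow without an SNI is exactly the kind of traffic the article says most organisations never inspect.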
Traffic volumes are only going to increase with the adoption of cloud and rise of AI, so data management strategies must be at the core of any cyber-security efforts.
3 Combining observability with monitoring
Complete network security goes beyond access control and visibility. Organisations must be harnessing real-time network intelligence, monitoring all network activity and scrutinising all data in transit. This is the only way to truly secure the network from the inside out.
Observability focuses on the output of the system to assess its overall state, relying heavily on data from metrics, events, logs and traces (MELT). Unfortunately, logs are ‘mutable’, meaning they can be manipulated by threat actors to mask their activity. This is where monitoring is crucial. Monitoring involves collecting and analysing all the traffic moving across the network in real time, helping security teams identify any suspicious activity almost instantly.
In essence, observability helps identify what the problem is, while monitoring alerts teams to the problem in the first place. Using the two in conjunction creates a holistic overview of the network, ensuring no threat actors can slip through undetected.
Mark Jow is Technical Evangelist EMEA at Gigamon
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543