In the fight against nation-state based cyber attacks, your agency needs every advantage possible. Your security infrastructure includes threat reports, insider threat detection and training, and state of the art endpoint protection, so you think you’ve got a good handle on things. After all, there are enough alerts going off in your systems to keep your team busy. But are you still missing something?
What is missing from most network defense postures is a clear, contextual picture of what is happening on their networks, gained through visibility into traffic flow on the Internet's backbone. "As one of the nation's largest Internet Service Providers, Verizon sees what is happening across the Internet," said Karl Stang, Senior Architect at Verizon. "We realized that in protecting Verizon from threats, we had a huge data source that we could put to work for the benefit of our customers as well as ourselves."
From the analysis of NetFlow data, Verizon's ProtectWise Network Detection and Response (NDR) umbrella enables users to identify threats. Grounded in behavior-based anomaly detection and fortified by artificial intelligence, NDR builds a baseline of "normal" activity for each customer and then monitors that customer's traffic in near real time against the baseline. A deviation from the baseline creates an alert that is sent to a security operations center (SOC) analyst for review. The SOC analyst performs the first review and escalates only the anomalous alerts of genuine interest to the customer, reducing the workload on the customer's analyst teams.
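The baseline-and-deviation approach described above, as an added illustration (not Verizon's or ProtectWise's code): a per-host baseline is learned from constructed NetFlow-style records over a training period, and a live window raises an alert when a host's byte volume exceeds its mean plus k standard deviations or it contacts a destination port never seen during training. The record layout, window numbering and the threshold factor k are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample flows: (window, src, dst, dst_port, bytes).
# Windows 0-3 are the training period; window 4 is the live interval.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 12_000),
    (1, "10.0.0.5", "203.0.113.12", 80, 8_000),
    (2, "10.0.0.5", "203.0.113.10", 443, 13_000),
    (3, "10.0.0.5", "203.0.113.11", 443, 10_000),
    (0, "10.0.0.7", "203.0.113.10", 443, 2_000),
    (1, "10.0.0.7", "203.0.113.10", 443, 2_500),
    (2, "10.0.0.7", "203.0.113.10", 443, 1_800),
    (3, "10.0.0.7", "203.0.113.10", 443, 2_200),
    # live window: 10.0.0.5 looks normal; 10.0.0.7 sends far more, to a new port
    (4, "10.0.0.5", "203.0.113.10", 443, 12_500),
    (4, "10.0.0.7", "198.51.100.9", 2222, 60_000),
]

def build_baseline(flows, train_windows):
    """Per source host: mean/stdev of bytes per window and the ports it normally uses."""
    per_window = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(set)
    for w, src, _dst, dport, nbytes in flows:
        if w in train_windows:
            per_window[src][w] += nbytes
            ports[src].add(dport)
    baseline = {}
    for src, buckets in per_window.items():
        # a host silent in some training window contributes zero bytes for it
        series = [buckets.get(w, 0) for w in train_windows]
        baseline[src] = (mean(series), pstdev(series), ports[src])
    return baseline

def score_window(flows, baseline, window, k=3.0):
    """Return (host, reason) alerts for hosts deviating from their baseline."""
    live = defaultdict(list)
    for w, src, _dst, dport, nbytes in flows:
        if w == window:
            live[src].append((dport, nbytes))
    alerts = []
    for src, recs in live.items():
        if src not in baseline:
            continue  # host unseen during training: nothing to compare against
        mu, sigma, known_ports = baseline[src]
        total = sum(n for _p, n in recs)
        if total > mu + k * sigma:
            alerts.append((src, f"bytes {total} above baseline {mu:.0f} + {k}*{sigma:.0f}"))
        for port in sorted({p for p, _n in recs} - known_ports):
            alerts.append((src, f"new destination port {port}"))
    return alerts
```

Alerts from this stage are what a SOC analyst would triage before anything reaches the customer; tuning k is the lever that controls alert volume.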
“Traditional security tools are looking backwards to find out what happened and to find out how much damage an intruder has done to critical infrastructure and information,” shared Karl. “Knowing what has happened is far less useful, though, than receiving alerts that identify what could happen in the future and enabling security teams to be proactive and help head off an attack before it happens.”
For security teams that are chronically stretched thin, the idea of adding "yet another tool" is often received with tempered enthusiasm. Between adding and tuning a new tool, plus managing even more alerts, a new "wonder tool" often creates more work than it saves. NDR, however, requires no on-premises equipment, and Verizon SOC analysts perform the first-level review. Verizon also tunes the NDR system to control the number of alerts. As a result, the response from both network and security teams to NDR has been overwhelmingly positive. "By using data from the Verizon backbone, security teams get an outside-in view of their network, which is exactly the same view that attackers have and are using to plot their next incursion into your network," shared Karl.
As federal agencies prepare for the next iteration of their digital presence, from edge computing to an expanded web presence and citizen-facing apps, their security teams will be stretched even more thinly as they hunt for the next security vulnerability across a wider attack surface and in a larger volume of inbound web traffic. Being able to get a truly 'big picture' view of the network from the perspective of an attacker, set against a solid baseline, will be a true strategic advantage.
“By using advanced analytics, agencies can recast their network from being a source of attack and noisy alerts, to be an early warning system that offers all the clarity of the canary in the coal mine,” Karl concluded.