The Best of All Worlds: Blending NTA, IDPS and File Analysis for Improved Network Threat Detection and Response

Have you ever heard the metaphor of the six blind men and the elephant? In the parable a young boy leads six blind men to an elephant. All of them wanted to satisfy their curiosity and observe what an elephant was like. But as each of the blind men felt different parts of the elephant, each of their experiences was different. All of the blind men ended up arguing about what they had observed.

One who touched the tusk thought it was a spear; another who grabbed the tail was convinced it was a rope; and a third who happened to touch its torso knew it was a wall. Ultimately, the young boy solved their dispute by suggesting that the men put their stories together, collaborate and share their experiences, and together appreciate an elephant in its entirety.

The lesson here? Collaboration is instrumental in getting to the truth of a matter. This couldn’t be truer for network security. When you think about it, security solutions like network traffic analysis (NTA), intrusion detection and prevention systems (IDPS), and file analysis software each play an important role in detecting and responding to network threats. To get a comprehensive picture of advanced threats, it makes sense to integrate a range of synergistic data and enable the collaboration and functionality of file analysis, IDPS, and NTA solutions as a cohesive security solution.

Let’s first begin to understand what these traditional stand-alone solutions can and can’t do separately.

Intrusion Detection and Prevention Systems

IDPS detects network threats entering organizations and targeting assets and users. These solutions rely primarily on signatures and reputation analysis to detect malicious network activity. However, there are limitations. IDPS has become the most significant contributor of false positives, and it is limited to the perimeter. It also doesn’t detect enough, because some threats have no known network signatures while others are sophisticated enough to obfuscate their traffic on every target they infect. Did I mention that IDPS is a time crunch? As a result, IDPS cannot deliver an acceptable level of threat detection and tracking, which explains why organizations, as reported to us by multiple industry analysts, are seriously reconsidering their investment in legacy stand-alone IDPS tools. (We further explore the limitations of stand-alone IDPS in our white paper.)

File Analysis

Not surprisingly, file analysis systems are good at identifying most malicious files and URLs based upon their threat behavior. They’re particularly effective at the perimeter when it comes to decreasing the risk of something malicious being delivered to a user. Even so, these solutions are completely blind to lateral movement within a network, as this activity sometimes results from threats that enter on personal devices compromised off-site, through unsecured partner portals, or via a phishing attack that involves no malware for the sandbox to analyze. Such east/west traffic easily evades most advanced malware detection tools, though it’s important to note that sandboxes vary widely in their effectiveness based upon their architecture. Not only that, but advanced malware is largely capable of evading most signature-based malware detection solutions today.

Network Traffic Analysis

Network traffic analysis (NTA) tools are all about detecting anomalies within the network, both on-premises and in the public cloud. NTA solutions are basically anomaly detection systems that use AI to create models of normal network activity and then alert on outliers, also known as anomalies. Even so, on its own NTA is not fully capable of protecting organizations against malicious network behavior. Why? The problem is that not all anomalies are malicious, so these systems tend to generate a lot of false positives. Many NTA solutions have difficulty picking up on threat behaviors and then correlating these to network anomalies, and vice versa. These utilities are further hampered by their inability to examine network sessions and reputation beyond the metadata. Without this information, NTA utilities don’t have context for the anomalies they detect. This leads NTA tools to generate additional false positives that waste security analysts’ limited time with fruitless investigations.

In summary, Figure 1 highlights the shortcomings of each stand-alone tool and shows how Network Detection and Response (NDR) systems can cover all of the bases by blending all three.

Figure 1: NTA, IDPS, and file analysis systems each miss some types of malicious activity, as illustrated by well-known attacks. By combining all of these technologies, NDR solutions can detect the attacks that others miss.

Network Detection and Response

As the above highlights, IDPS, file analysis, and NTA tools all have their capabilities and limitations. Organizations therefore won’t be able to satisfy all of their security needs by investing in a single solution. That’s why they should look for solutions that emphasize collaboration by blending at least some of these tools’ functionality.

That’s where Lastline comes in. The Lastline NDR platform, Lastline Defender, derives its strong network threat detection from combining the three complementary technologies described above, all powered by AI, plus threat intelligence to detect the attacks that others miss.

  • IDPS detects and prevents known threats entering the network. Additionally, Lastline applies AI to malicious behaviors and malware samples collected from customers and partners across the company’s Global Threat Intelligence Network to automatically create new IDPS signatures and push them out to all Lastline deployments at machine scale.
  • Lastline Defender is the only NDR platform with a built-in market-leading file analysis capability. It detects malicious content and previously unknown malware attempting to enter the network via the web, email, or file transfers. Lastline’s patented Deep Content Inspection™ technology uses AI and full system emulation to deconstruct every behavior engineered into a file, attachment, or URL.
  • NTA capabilities detect anomalous activity as it moves laterally across the network. Lastline applies both supervised and unsupervised machine learning (ML) to detect network protocol and traffic anomalies, as well as to recognize malicious network behaviors and previously unknown malware. Through its deep understanding of malicious behaviors based on our file analysis, Lastline’s NTA capability can distinguish between benign anomalies and malicious network activity. This improves threat detection while diminishing the frequency of false positives and provides high-fidelity context that speeds complete remediation.
  • Lastline’s Global Threat Intelligence Network applies AI to the latest threats detected across the Lastline customer and partner base and updates the detection and analysis capabilities of all Lastline Defender deployments in real time.

Lastline Defender’s IDPS, file analysis, NTA, and threat intelligence capabilities create a synergy that’s more powerful and effective than these features would be by themselves or when provided by separate vendors. The sum is a solution that can detect threats attempting to enter a network, including zero-day attacks, as well as threats moving laterally inside a network. No single solution can do all of this. Only by combining the capabilities of the three core technologies and sharing data among them can Lastline Defender detect the widest array of attacks, across all types of networks, with minimal false positives.
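As an added illustration of the blending argument above (example code written for this page, not Lastline's own logic or scoring), here is a minimal per-host evidence fusion over constructed IDPS, sandbox and NTA events: an anomaly with no corroborating signal stays low priority, while an anomaly that is explained by a sandbox-observed file behavior or paired with an IDPS signature hit is raised. The event fields, the behavior-to-anomaly mapping, the weights and the thresholds are all assumptions.

```python
from collections import defaultdict
# Constructed sample detector output (not real telemetry): one record per source.
IDPS_ALERTS = [  # perimeter signature hits
    {"host": "10.0.0.5", "sig": "known C2 beacon signature"},
]
SANDBOX_VERDICTS = [  # file analysis verdicts for files delivered to each host
    {"host": "10.0.0.7", "verdict": "malicious", "behaviors": ["smb_scan", "credential_dump"]},
    {"host": "10.0.0.9", "verdict": "benign", "behaviors": []},
]
NTA_ANOMALIES = [  # east/west and egress outliers from the traffic model, score in 0..1
    {"host": "10.0.0.7", "type": "smb_fanout", "score": 0.8},
    {"host": "10.0.0.9", "type": "bytes_out_spike", "score": 0.9},  # nightly backup, benign
    {"host": "10.0.0.5", "type": "periodic_beacon", "score": 0.6},
]
# Assumed mapping: sandbox-observed behaviors that supply context for an anomaly type.
EXPLAINS = {"smb_scan": {"smb_fanout"}, "credential_dump": {"smb_fanout"}, "beacon": {"periodic_beacon"}}

def priority(score):
    return "high" if score >= 60 else "medium" if score >= 30 else "low"

def correlate(idps, sandbox, nta):
    """Fuse per-host evidence: an anomaly alone is weak; corroboration raises it."""
    hosts = defaultdict(lambda: {"score": 0, "evidence": [], "sources": set()})
    for a in nta:  # an uncorroborated anomaly is worth at most 30 points
        h = hosts[a["host"]]
        h["score"] += round(a["score"] * 30)
        h["evidence"].append(f"nta:{a['type']}")
        h["sources"].add("nta")
    for s in idps:  # a known-bad signature is strong evidence on its own
        h = hosts[s["host"]]
        h["score"] += 40
        h["evidence"].append(f"idps:{s['sig']}")
        h["sources"].add("idps")
    for v in sandbox:
        if v["verdict"] != "malicious":
            continue  # a benign verdict corroborates nothing
        h = hosts[v["host"]]
        h["score"] += 40
        h["evidence"].append("sandbox:malicious")
        h["sources"].add("sandbox")
        explained = {t for b in v["behaviors"] for t in EXPLAINS.get(b, ())}
        for e in list(h["evidence"]):  # anomaly explained by observed file behavior
            if e.startswith("nta:") and e[4:] in explained:
                h["score"] += 30
                h["evidence"].append(f"context:{e[4:]} explained by sandbox behavior")
    out = {}
    for host, h in hosts.items():  # +20 for every additional detector that agrees
        score = min(100, h["score"] + 20 * max(0, len(h["sources"]) - 1))
        out[host] = {"score": score, "priority": priority(score), "evidence": h["evidence"]}
    return out
```

Running `correlate(IDPS_ALERTS, SANDBOX_VERDICTS, NTA_ANOMALIES)` ranks 10.0.0.7 and 10.0.0.5 high while the uncorroborated backup spike on 10.0.0.9 stays low.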

Learn more about Lastline’s NDR platform that offers a blended analysis approach to threat detection.

Chad Skipper

Chad serves as a security technologist, marketing, and sales executive focusing on a broad section of the Information Security space. He provides strategic thought leadership, vision, and execution guidance in the advancement of security technologies that proactively protect organizations’ people, processes, and assets. Chad is a seasoned public speaker and is co-author of “Next-Generation Anti-Malware Testing for Dummies.”