10 Considerations for Implementing an XDR Strategy
August 8, 2024 by Brian Dye
My weekly dose of Risky.biz led me to CISA’s advisory on SILENTSHIELD, which described their months-long red team exercise and resulting remediation at a federal agency. My browser backlog happened to have their APT40 advisory from just a few days earlier, which was my next read.
Since those were so … sobering … I went back and read all of CISA’s 2024 advisories to date. A broader message—intentional or otherwise—began to sink in: The game has changed and CISA is trying to shake all of us up and into action.
However, the combination of politely factual/tech-neutral wording and per-issue advisories obscures some of their bigger themes (and maybe a bit of their urgency). So let me try to connect some dots across CISA’s 2024 advisories and season them with some direct language which, anger aside, is absolutely necessary.
On the attacker side, there are three themes that all add up to one big reminder: “We have to assume a determined attacker can and will get inside the network.” What’s new is that this is not just “someone else’s” network: with the success rate of so many access vectors, we all now have to defend against what used to be very advanced attacks. Namely:
When we look across 2024’s ten advisories to date, the three biggest mitigation themes don’t look new or surprising at first glance:
However, when you read more deeply there is a lot in the “logging” area that is network-centric in threat detection (C2 or LM detection, monitoring RDP, finding living-off-the-land activity) and in verifying controls (asset discovery, network baselining, monitoring RDP, restricting port/protocol usage). The underlying message is: “Our defensive priority has to evolve—and the network matters again” because:
To be clear, I don’t speak for CISA. But at Corelight, we do work with many enterprise defenders who have fully embraced an “assume breach” mindset. As part of that strategy, those security teams have taken a fresh look at both data retention time and network monitoring, resulting in three common “ahas”:
These three “ahas” are bringing security leaders to NDR. It’s the logical next step that can accelerate their SOC’s investigations and disrupt advanced attacks. NDR brings a range of advanced detection methods and metadata-based analysis (with rich context only where needed) that defines the “goldilocks” zone of depth and breadth—and delivers rocket fuel for the modern SOC.
Talk to us, or talk to our competitors, but no matter what, let’s acknowledge what CISA is telling us in 2024. The internal network (across both on-prem and cloud) is critical to defending against this next generation of attacks. And last decade’s approach just isn’t good enough.