NDR As The Cornerstone For Visibility And Threat Detection To Support The Executive Order On Cybersecurity

While in some ways the CDM program contains the building blocks for zero trust through its focus on identifying everything on the network and continually assessing its security posture, the breadth of the initiative and inconsistency of the dashboard tying the program together have resulted in limited success to date. Further, whereas zero trust requires changing security practices, policies, and strategies toward a default-deny and assume-breach posture, much of the CDM program is focused on aggregating and streamlining visibility across legacy methods to improve time to mitigation, rather than fundamentally altering the security approach.

The Einstein program goes back even further than CDM but similarly failed to detect recent attacks. This should not be surprising given the nature of the program, which was to observe traffic flowing in and out of federal networks and match against a massive database of known signatures. While the scale of Einstein goes beyond an intrusion detection and prevention system, the limitations into visibility of unknown attacks remain the same. Additionally, it remains reactive in nature.

While the order more broadly includes recommendations to facilitate information sharing between the federal government and private sector, enhancements to supply chain security, and the establishment of a cyber safety review board; three sections specify a roadmap for how agencies should begin planning to modernize their cybersecurity, detection, and remediation capabilities.

• Modernizing federal government cybersecurity. Section 3 of the executive order highlights the need for agencies to adopt secure cloud services, implement zero trust architectures, and more broadly employ multi-factor authentication (MFA) and encryption. The call for zero trust architectures is especially noteworthy. While momentum around zero trust has certainly been increasing, the call for agency heads to develop a plan and schedule to implement the initiative within 60 days represents a significant acceleration. The work done by the National Institute for Standards and Technology (NIST) through Special Publication 800-207 certainly helps and provides agencies a good framework with which to start.²

• Improving detection of cybersecurity vulnerabilities and incidents on federal government networks. Section 7 generally calls for the federal government to maximize the early detection of cybersecurity vulnerabilities and incidents by employing “all appropriate resources and authorities.” It further identifies the need for centralized visibility into the detection of vulnerabilities and threats across all agency networks to improve the overall cybersecurity of the federal government. Specifically, endpoint detection and response (EDR) is highlighted through guidance that civilian executive branch agencies deploy these solutions and the ordering of the Director of the Office of Management and Budget (OMB) and Secretary of Homeland Security to develop recommendations and requirements for government-wide EDR approaches.

• Improving the federal government’s investigative and remediation capabilities. Section 8 identifies the need to standardize and improve logging and retention requirements. In addition to setting a timeframe to assess what types of data should be maintained and for how long, the protection of the data collected is identified as a priority, as is the need for such data to be provided to the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), and the FBI when required.

NDR is Critical for Incident Detection

As mentioned, the executive order calls out EDR specifically with regard to improving the detection of cybersecurity incidents on federal networks. However, ESG research has found that the majority of organizations use network-centric detection technologies as a first line of defense (see Figure 1).³ While EDR can provide a more granular view into the processes running on the endpoint and in some cases more finely tuned response options, NDR is critical for maintaining consistent visibility across the entire network. In fact, 29% of ESG research respondents cite blind spots on the network due to the inability to deploy agents as one of their biggest threat detection and response challenges.⁴ With resources increasingly distributed across the data center, cloud, and branch offices, granular and comprehensive network visibility via NDR is critical to detect threats that have bypassed existing defenses and are attempting to move laterally, escalate privileges, and ultimately exfiltrate data.

There is no commonality across what technologies are included in XDR; rather, the focus is on beginning to bring formerly siloed capabilities together to improve detection and enable more efficient response capabilities. That said, ESG research has found that 69% of organizations indicated it is very important that endpoint and network technologies interoperate,⁵ making the combination of NDR and EDR a good starting point for XDR.

The focus on zero trust as an avenue toward federal cybersecurity modernization certainly aligns with what ESG has found in its research. In fact, 51% of ESG research respondents cite modernizing their cybersecurity program as a top business driver for implementing a zero trust strategy.⁶ However, the focus is often on segmentation, secure access, and identity. Analytics generally, and network detection and response specifically, are often overlooked components of zero trust architectures. Even the NIST Special Publication 800-207 fails to specifically call out NDR, even as it does cite the need to understand “the assets active on the network (or those accessing resources remotely) to categorize, configure, and monitor the network’s activity.” Yet for many organizations investing in zero trust, detection and response are core priorities (see Figure 2).⁷ NDR is a key component of this and provides the ability to continually evaluate the trustworthiness of a connection throughout the session by analyzing behavior and serving as a stop gap in case threats are able to bypass authentication.

• Detect stealthy and unknown threats with advanced analytics. While many of the threats an organization faces may be of standard sophistication, it is the minority of advanced, zero-day threats that keep security teams up at night. Signature-based tools remain important to block common exploits. However, advanced techniques using machine learning and behavioral modeling are necessary to detect more sophisticated attacks. In order to meet Section 7 of the executive order and maximize the early detection of incidents on federal agency networks, NDR solutions with these advanced analytical capabilities should be prioritized.

• Maintain coverage for cloud and on-premises environments. The executive order prioritizes cloud adoption generally and emphasizes zero trust architectures as a requirement of that migration moving forward. Yet, as is the case in the private sector, many agencies will continue to maintain resources both on-premises and in the public cloud. With threat actors increasingly using this location sprawl to their advantage, maintaining consistent visibility across the entire environment to correlate signals and detect malicious behavior as soon as possible is critical.

• Provide intelligence to enforcement points to support zero trust. To stitch a zero trust architecture together, the network intelligence gathered through analytics should be made actionable through integrations with enforcement points. When the NDR system identifies a malicious event that affects the risk level of an entity, that information should be shared with other parts of the security infrastructure to block user access or isolate an endpoint. Additionally, the network data collected can be used to inform segmentation policies that often form the basis of a zero trust architecture.

• Integrate with SIEM, SOAR, and XDR. To optimize investigation and response capabilities as laid out in the executive order, NDR solutions must integrate with other tools and platforms. This should include XDR, SIEM, and SOAR to give analysts a more complete view of the attack chain and allow them to quickly pivot from one part of the investigation to the next to make the remediation process more efficient and effective. Additionally, with the executive order calling for new requirements with regard to logging, log retention, and log management, NDR solutions that integrate with SIEM products to ensure process automation and data de-duplication can help reduce the complexity and cost of data management.

• Analyze encrypted traffic. The executive order calls for agencies to implement encryption for data both at rest and in transit. While this will increase the amount of SSL/TLS traffic on the network, the reality is that the vast majority of user traffic is already encrypted. In fact, the percentage of encrypted webpages users load in Chrome is now well over 90% across Windows, Mac, and Android devices.⁸ Attackers know this and use it to their advantage to obfuscate attacks, hide command and control traffic, and stealthily exfiltrate data. Decrypting and inspecting the traffic is one option to overcome this obstacle. Yet this is not always possible due to performance impacts, privacy concerns, or regulatory mandates. Solutions that can inspect the metadata of the traffic to look for signs of malicious activity, without decrypting the traffic itself can improve the security team’s visibility into traffic that cannot otherwise be terminated and inspected.

Secure Network Analytics ingests telemetry from NetFlow, Internet Protocol Information Export (IPFIX), and infrastructure devices, including routers, switches, and firewalls, to provide a complete picture of network activity. Logs across internal, perimeter, and public cloud firewalls are collected through Cisco’s Security Analytics and Logging capability to extend visibility to the network perimeter. Additionally, Secure Network Analytics can ingest telemetry data from the AnyConnect Network Visibility Module to capture endpoint-specific user and device context to extend zero trust to any device globally and support remote worker monitoring by delivering complete and continuous visibility that expands outside the corporate network. The solution continuously analyzes telemetry from these sources over time to develop a baseline of normal network behavior. It then uses this baseline along with a combination of non-signature-based advanced analytics, including behavioral modeling, machine learning algorithms, and global threat intelligence from Cisco Talos, to identify anomalous network traffic patterns and detect and respond to threats in real-time. A cloud-based, multilayered machine learning engine correlates threat behaviors seen in the enterprise with those seen globally, providing an additional layer of detection. Malicious activity hiding in encrypted traffic can be detected without having to decrypt it through Encrypted Traffic Analytics, which uses network metadata from Cisco routers and switches.

From a management perspective, customers can retain data for months or more, depending on licensing, to support extended investigation and forensics activities. In addition to a variety of integrations with SIEM and SOAR providers, Secure Network Analytics comes with the Cisco SecureX platform built-in. This simplifies and automates threat response by providing streamlined detection, investigation, and orchestration capabilities. Also, SecureX and Secure Network Analytics further support zero trust implementations through the unified visibility, intelligence sharing, and automation across multiple threat vectors and enforcement points that they offer.