There are many factors to consider when assessing which Managed Detection and Response (MDR) vendor is the right fit for your organization. One area that can offer incredible benefits is the ingestion of network device data. This blog post will cover why this is such an important part of the MDR promise and break down how Rapid7’s MDR team approaches it.
The importance of network device data ingestion
Having endpoint visibility doesn’t mean analysts shouldn’t value the information from network devices, event sources which monitor it (IDS, DPI, DHCP, DNS), or network flow. On the contrary, attackers will inevitably use the network in their attack.
Network data is lightweight, easily searchable, and can quickly identify the exact location of an attacker throughout the network to identify the scope of the breach. Leveraging this data allows analysts to take action and understand what’s going on across the network layer, while correlating events to the endpoints.
This data can be helpful for early detection of potential compromise, as well as adding context to investigations to see how attackers entered or moved around a network. Together, alongside the existing user, log, and endpoint data, the MDR team can leverage network traffic analysis to help analysts:
- Ensure continuous visibility everywhere.
- Recognize compromise quickly using combined IDS and network metadata analysis.
- Trace the steps of potential attackers across systems and applications.
Said another way, Network Traffic Analysis shines a light on the dark corners of the network. It provides increased visibility and an additional axis for early threat detection, as well as rich device and activity information to accelerate investigations.
The key is to couple both North-South Network traffic inspection with Network Flow (East-West) traffic to get the full picture of what’s happening.
Typically North-South traffic inspection is easy, and tools have been around forever so any security operations team can add network visibility to their technology stack and correlate this activity with endpoint data.
East-West traffic, on the other hand, is tougher because of a lack of visibility. This traffic doesn't traditionally hit a firewall and the data you get out of switches can vary wildly due to performance concerns of capturing and exporting netflow data at that level. Don't even get us started on monitoring East-West traffic in virtual environments.
Typical things that are monitored for in East-West traffic flows would be recon/network mapping using a tool like Nmap, scanning for vulnerabilities or open ports and transferring exploits or moving files around with netcat, etc. Other cases for monitoring East-West traffic is insecure protocol usage (TLS anything below 1.2, SMB v1 or v2, etc.) and shadow IT.
How Rapid7 MDR can help
Rapid7’s MDR SOC leverages Network Traffic data such as IDS, DNS, DHCP, and DPI to detect malicious threats early and follow attacker movement across the network. Analyzing network traffic enables our team to monitor all activities ranging from those at the perimeter to connections between endpoints and servers.
The Rapid7 MDR team has carefully filtered IDS events to capture only the most critical and actionable detections. This means when malware, botnets, or other compromises are detected, teams won’t have to go through tedious cycles to determine their validity. Analysts can take action confidently on reliable, vetted alerts.
Rapid7’s proprietary DPI engine captures and analyzes traffic in readable, interpretable details, without the complexity and overhead of full packet capture. This passive analysis also means no performance impact to the network. With this rich flow data, teams have deep detail with which to track attacker entry and movement across the network. This can help accelerate investigations and inform response action.
This data can also be used to correlate network activity against processes and actions on the endpoint. Our Insight Sensor and Insight Agents send network-level activity on the host to the Insight Cloud—then, we analyze process-level and network connections, correlate these with firewall events to see whether it was accepted or blocked, and assign a severity to the event. This gives our analysts more data points and evidence to understand whether a connection is malicious (for instance, malware calling an external IP address). With this combination, attackers have nowhere to hide.