Why Cyber Threat Visibility Is Critical for the Dynamic Workforce

Introduction 

In my role, I am fortunate enough to work with some of the brightest people working in security. 

I recently penned a blog post about organizations embracing the idea of a dynamic workforce where employees can access resources and perform their job from anywhere. However, there are considerations that must be made to protect the organization from new cyber threat visibility challenges and vulnerabilities introduced by the model of remote work. 

This blog post is inspired by the conversations I’ve had with Halim Abouzeid, System Engineer. He shared with me some perspective based on conversations with customers. 

Cyber Threat Visibility: Key Insights for Security Operations Teams 

Brian Robertson: Halim, we know with the current state of the world, a dynamic workforce is critical for keeping businesses running and productive. What is the one thing you would say is most important to have to make this successful? 

Halim Abouzeid: In order to support a dynamic workforce, and keep malicious actors at bay, visibility becomes your best asset. Cyber threat visibility cannot only be within the physical confines of your organization, it needs to be extended to the end users everywhere. 

How to Improve Threat Visibility Across Network, Endpoint, and Cloud 

Robertson: Can you outline some things organizations should consider when trying to gain that visibility? 

Abouzeid: There are six ways organizations can gain and improve their threat visibility: 

• Organizations should consider monitoring packets that traverse the network from user device, across the network infrastructure and to the cloud, including VPN links and any other entry point into the corporate network. This strengthens network visibility. 
• Organizations should monitor activity across all endpoints, on and off the network, for deep visibility into their security state, and properly prioritize alerts when there is an issue. 
• Organizations can improve rule-based or signature-based threat detection systems with the addition of advanced machine learning techniques using user and entity behavior analytics and endpoint behavior analytics to detect anomalies that could suggest malicious intent and emerging threats, enabling advanced threat detection. 
• In responding to an incident when it is detected, time is of the essence. Streamlining activities and processes within the security team is critical to quickly and efficiently getting to the heart of the problem. 
• Context and threat intelligence are key, not only to increase detection capabilities based on known indicators, but also by providing confidence levels towards identified indicators and bringing in context around the identified attack and its threat actor. 
• Organizations can even go as far as having machines automatically act on the security analysts’ behalf to mitigate incidents before they impact your organization. 

How NetWitness Delivers Real-Time Visibility and Advanced Threat Detection 

Robertson: How would you describe NetWitness Platform’s ability to help organizations focus on those areas? 

Abouzeid: NetWitness Platform provides real-time visibility tools into network traffic across all internal (east-west), internet-bound (north-south), virtual infrastructure and cloud computing environments paired with deep process-level endpoint visibility. 

This enables the platform to deliver SIEM/NDR visibility, helping detect intrusions as they are happening inside and outside the organization. Multiple types of behavior analytics detect anomalies across the network (whether on encrypted channels or not), suspicious activities of machines and users, as well as abnormal activities across applications, no matter where they reside. 

Once detected, a prioritized and automated response to the full scope of the attack helps defend against current and future threats. 

Use Case 

Phishing Detection with Full Threat Visibility 

Robertson: Can you provide a couple examples? 

Abouzeid: A common one is phishing attacks. Phishing attacks take advantage of varying security awareness, lack of security controls or even bridging the home network to gain access to the corporate environment. 

NetWitness Platform provides immediate threat visibility into the entire enterprise, at every step of the attack, with a synergistic view of log, network and endpoint data presented in a single pane-of-glass for security analysts, aligning with modern SOC visibility solutions. 

Through respond functionality, it groups suspicious activities together into an incident for analysts to easily visualize. 

Detect Unusual Process Activity with Endpoint and Network Visibility 

NetWitness Endpoint allows an analyst to identify the email client application triggering a succession of processes and commands that it does not usually perform on a given workstation. 

Having full payload access enhances network visibility, allowing analysts to reconstruct sessions and confirm threats quickly, improving advanced threat detection outcomes. 

If the phishing attack was successful and the user machine was infected, an anomaly can be triggered due to abnormal encrypted communication between entities. 

Automating the investigation and remediation process can be an enormous security multiplier for analysts, especially with the dynamic workforce opening new attack vectors. 

Automating Response with SOC Visibility Solutions 

NetWitness Orchestrator acts as a critical layer in modern SOC visibility solutions, enabling automation across detection and response workflows. 

It can monitor a central mailbox, extract indicators, link them with threat intelligence, and automate response actions such as ticket creation, escalation, and notification.