Using AI to Simplify Network Detection and Response

Today’s extended and mobile workforce presents a significant challenge for security operations teams. In 2020 the mobile workforce was primarily working from home, but as the world slowly returns to pre-pandemic normalcy, business travel will increase. Employees, contractors, partners, and customers who are continuously on the move connect to corporate assets from multiple networks in a single day, ranging from coffee shop and hotel Wi-Fi networks to company guest networks in an office. Compounding the complexity, most employees connect with multiple devices, at least a cellphone and a laptop. This is a significant challenge for security operations teams as they shift from protecting a fixed remote workforce to protecting a fully mobile one.

Sales Engineers Are a Security Nightmare

I can’t imagine a more challenging group of employees for security operations teams to manage than sales engineers. The sales engineer role typically requires employees to be regularly on the road, which means they routinely connect remotely to corporate assets. When I was a sales engineer, I would oftentimes find myself connecting my laptop to my company’s network from two or three separate Wi-Fi networks in a single day, such as hotel networks, customer guest networks, or a cellular network as I tethered my laptop to my phone.

Furthermore, sales engineers often have access to key production environments and administrative tools that can reside in both on-premises and cloud environments. As a sales engineer, I had access to many production systems, from customer environments to backend administrative platforms such as billing and provisioning, which allowed me to do my daily tasks. If an attacker had been able to compromise my laptop, phone, or general identity on the corporate network, they would have had undetected free rein over many key systems and an excellent starting point for lateral movement.

This is but one example of an employee who can cause havoc for security operations teams. Identity on a network has increasingly become a complex mess, and security operations teams have been tasked with mapping these complex identities to security policy. One constant, however, is that packet data and logs will be the source of truth for any activity on the network. While there are myriad approaches and tools to facilitate remote user connectivity and mitigate its risk, a strong security program should include account and privilege monitoring and some form of packet data analysis. Gathering insights from interactions on dynamic and complex networks, however, can be a real challenge.

Artificial Intelligence Simplifies Complex Networks

One company tackling this problem is Vectra. The TAG Cyber team and Vectra recently met to discuss how combining packet metadata with cloud logs is the best source of truth for detecting malicious activity on networks. Vectra is a network detection and response platform that uses artificial intelligence to detect, analyze, and present malicious behaviors found in networks, cloud environments, SaaS platforms, and IoT devices to security analysts. The detections are enriched with the security context needed to make fast and accurate security decisions. By using artificial intelligence algorithms, Vectra reduces the number of alerts generated from the large datasets analyzed in complex networks. This context associates malicious behaviors with host devices, workloads, and user and service accounts, allowing security operations teams to understand the scope of attacks and prioritize response based on risk and privilege. Vectra does not require decryption, so analysis can remain secure and preserve privacy regardless of data source.

However, like any artificial intelligence solution, the algorithms are a black box, which means the reasoning behind decisions can be hard to deduce. Vectra addresses this problem by sending its stream of enriched metadata to data lakes or SIEMs and by offering manual hunting capabilities on historical data, allowing security analysts to investigate decision details or create custom detections where required.
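To make the "associate behaviors with identities and prioritize by privilege" idea concrete, here is an added illustration in Python that is not Vectra's code or algorithm: it joins constructed network-metadata detections to constructed account logs by host, aggregates behaviors per account, and weights the resulting score by the account's privilege tier. All field names, records, and weights are assumptions made for the example.

```python
from collections import defaultdict

# Constructed network-metadata detections (not product output): one record per observed behavior.
DETECTIONS = [
    {"host": "10.0.5.23", "behavior": "rdp_recon", "severity": 40},
    {"host": "10.0.5.23", "behavior": "smb_lateral", "severity": 70},
    {"host": "10.0.7.8", "behavior": "dns_tunnel", "severity": 85},
    {"host": "10.0.9.1", "behavior": "port_sweep", "severity": 30},
]

# Constructed identity/cloud log records mapping a host to the account last seen on it
# and that account's privilege tier (values are illustrative assumptions).
ACCOUNT_LOGS = [
    {"host": "10.0.5.23", "account": "se-jdoe", "privilege": "admin"},
    {"host": "10.0.7.8", "account": "svc-billing", "privilege": "service"},
    {"host": "10.0.9.1", "account": "guest-kiosk", "privilege": "user"},
]

# Assumed weighting: the more privileged the account, the more a given behavior matters.
PRIVILEGE_WEIGHT = {"admin": 2.0, "service": 1.5, "user": 1.0}


def enrich(detections, account_logs):
    """Attach the account and privilege tier seen on each detection's host."""
    host_to_account = {r["host"]: r for r in account_logs}
    unknown = {"account": "unknown", "privilege": "user"}  # hosts with no identity record
    return [
        {**d, "account": host_to_account.get(d["host"], unknown)["account"],
         "privilege": host_to_account.get(d["host"], unknown)["privilege"]}
        for d in detections
    ]


def prioritize(enriched):
    """Group behaviors per account and rank accounts by privilege-weighted severity."""
    scope = defaultdict(lambda: {"behaviors": [], "score": 0.0, "privilege": "user"})
    for e in enriched:
        entry = scope[e["account"]]
        entry["behaviors"].append(e["behavior"])
        entry["privilege"] = e["privilege"]
        entry["score"] += e["severity"]
    for entry in scope.values():
        entry["score"] *= PRIVILEGE_WEIGHT.get(entry["privilege"], 1.0)
    # Highest-scoring account first; ties keep insertion order (sort is stable).
    return sorted(scope.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for account, entry in prioritize(enrich(DETECTIONS, ACCOUNT_LOGS)):
        print(f"{account:12} {entry['privilege']:8} score={entry['score']:6.1f} {entry['behaviors']}")
```

Running it ranks the admin account with two chained behaviors above the single higher-severity detection on the service account, which is the effect of prioritizing by privilege rather than by raw alert severity.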

We at TAG Cyber have seen artificial intelligence and machine learning algorithms applied to many areas in cyber security—some applications being more warranted than others. The algorithms are most appropriate when processing complex data sets, and that is exactly how Vectra provides value to threat hunters and security operations teams. The network detection and response marketplace is competitive, but Vectra’s artificial intelligence approach positions it as a strong market contender.