The cybersecurity spending juggernaut continues at full speed — a projected $124 billion globally this year, according to Gartner, representing an 8.7 percent increase over 2018. That’s a lot of investment, yet each company’s ROI depends not just on how much gets spent, but also on what.
For many organizations, the what tends to be security software applied to endpoints, event logs and other network components. That’s understandable, given the need to safeguard what happens across increasingly complex networks amid the growth of mobile, BYOD, IoT and other trends. However, many organizations do not realize that blind spots still exist within their networks — and cyber defenses are incomplete without an additional, intensive focus on the network traffic itself.
Incomplete Security
Let’s take a closer look at how a network traffic security focus provides a more complete and proactive picture of cyber exploits and how to guard against them. Endpoints are a map to where and how you connect to the outside world. That’s why most organizations understand the need for endpoint visibility and security. But that’s not a foolproof strategy.
The problem is that when we talk about endpoint tools, we’re typically talking about software agents. And while this can bring new levels of transparency, software — whether it’s designed and sold as endpoint visibility, security or both — is still software that can be exploited. Logs, on the other hand, are event summaries of what occurs on the endpoint; unfortunately, they can be exploited in a similar way.
Think back to the Mad Magazine’s Spy vs. Spy comics and the endless cycle of one-upmanship between the black hat and white hat agents. The best way to understand endpoint vulnerability is to apply that one-upmanship model to who can defeat the other. It’s not easy, but if a black hat threat actor can introduce malware and load it ahead of the security software, then the malware can manipulate what your software sees and the logs it may produce.
Endpoint tools also must balance everyday business activities of the user with control. For most companies, this means a tradeoff between draconian controls on the endpoint, versus the ability of users to use new technology or methods to meet their business goals. In this environment, a black hat that can mimic its activity to look like everyday user traffic, often can slip by endpoint controls without it knowing.
Why Network Traffic Completes the Picture about Cyber Threats
Gaps in endpoint and log security software visibility and potential compromises to endpoint security software allow threat actors to hide their activity and slip you a Matrix blue pill to distort your sense of reality with your network. Even the best endpoint and log security software solutions can be circumvented in this way, introducing blind spots within a company’s defenses.
Furthermore, there’s an entire swath of the connected world made up of industrial IoT and operational technology. These are digital ecosystems involving hard-to-reach devices, obscure operating systems, limited resources and extremely limited down times that make frequent software updates or the addition of endpoint agents next to impossible. Thankfully, organizations can shift their focus to analyzing actual network traffic for a clear and unadulterated view of the true threat landscape.
Why is analyzing network traffic so much more accurate? Because networks are the common highway where all traffic rides. Black hats can’t log into a system without using the network. That means no amount of obfuscation amid software, services or other network components can erase a threat actor’s tracks — provided you have a clear and accurate view of the raw network traffic and the patterns within it.
This ability to analyze network traffic for malicious activity is a powerful and proactive way to guard against cyber threats, but it’s easier said than done. The process is hardware intensive, with challenges around collection and analysis of all that network data that get exponentially harder at scale. We’ll tackle these challenges — and chart a road map for ROI and success — in a future post.