Detecting Attacks That Other Solutions Miss

11 May


by Nikfar Khaleeli

Through regular conversations with our customers, we have learned about new ways they are using Niara to detect attacks. One such way is by using third party alerts to detect attacks that have been missed by other solutions.

To elaborate, one customer’s perimeter defense system (e.g., a firewall) had alerted the security team about malware affecting an employee. Out of curiosity, one of the analysts decided to look at the same alert using Niara and, with a single click, realized that the scope of the infection was significantly larger than the security team had originally thought, since many other employees’ devices had also been affected.

Despite companies investing significantly in cybersecurity, it’s become an accepted fact that it’s not about “if” defenses are compromised, but “when.” There are so many ways it can happen. For example, an employee using a work laptop on an unsecured WiFi network might click on a malicious attachment in an email that appears to have come from the HR department, resulting in her device being infected. When the user next logs in to the corporate network, hackers could use this compromised device to move laterally and infect other devices, while remaining undetected. Just because an infection is not caught at the perimeter doesn’t mean that it isn’t within the network.

In this instance, the perimeter defenses hadn’t generated a warning when the other employee devices were infected. Fortunately, with Niara constantly working behind the scenes, analyzing diverse data (i.e., packets, flows, logs, files, alerts, threat feeds) and correlating everything to users, hosts and IPs, the analyst was able to immediately see all the other employees and their associated devices that had been affected by the malware, simply by clicking into the third-party alert in the Niara management console. Additionally, Niara integrates layered forensics with analytics and retains this supporting evidence for long time periods, much longer than traditional security monitoring solutions. This enabled the analyst to identify employees who had been affected by the malware for more than six months. Knowing who else had been infected was tremendously helpful for the security team, as it allowed them to quickly address the vulnerability on those employees’ devices.
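As an added illustration (not Niara’s code or the post’s own), the pivot the analyst performed can be expressed over a constructed perimeter alert and constructed proxy-log lines: take the alert’s indicator and find every user and host that contacted it within a retention window. The alert fields, the log format and all names and addresses are assumptions; the two lookback values show why a short retention window under-scopes the incident.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post). A perimeter alert about one
# employee's device, plus proxy log lines retained over a long window.
PERIMETER_ALERT = {
    "ts": "2016-05-10T14:02:11", "src_ip": "10.1.4.22",
    "indicator": "update-check.example-malware.test", "user": "alice",
}

# Format (assumed): timestamp src_ip user destination_host http_status
PROXY_LOG = """\
2015-11-03T09:12:40 10.1.4.22 alice update-check.example-malware.test 200
2015-11-03T09:13:02 10.1.7.15 bob update-check.example-malware.test 200
2016-01-19T17:45:09 10.1.9.40 carol intranet.example.test 200
2016-02-02T08:03:55 10.1.9.40 carol update-check.example-malware.test 200
2016-05-10T14:02:11 10.1.4.22 alice update-check.example-malware.test 200
2016-05-10T15:30:00 10.1.2.8 dave cdn.example.test 304
"""

def parse_proxy_log(text):
    """Parse 'ts src_ip user host status' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, src_ip, user, host, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src_ip": src_ip,
                       "user": user, "host": host, "status": int(status)})
    return events

def scope_alert(alert, events, lookback_days=365):
    """Pivot from a single perimeter alert to every (host, user) pair that
    contacted the same indicator within the retention window.
    Returns {(src_ip, user): earliest contact time}."""
    alert_ts = datetime.fromisoformat(alert["ts"])
    window_start = alert_ts - timedelta(days=lookback_days)
    first_seen = {}
    for ev in events:
        if ev["host"] != alert["indicator"]:
            continue
        if not (window_start <= ev["ts"] <= alert_ts):
            continue
        key = (ev["src_ip"], ev["user"])
        if key not in first_seen or ev["ts"] < first_seen[key]:
            first_seen[key] = ev["ts"]
    return first_seen

if __name__ == "__main__":
    events = parse_proxy_log(PROXY_LOG)
    for days in (30, 365):
        scope = scope_alert(PERIMETER_ALERT, events, lookback_days=days)
        print(f"lookback {days} days: {len(scope)} affected device(s)")
        for (ip, user), ts in sorted(scope.items(), key=lambda kv: kv[1]):
            print(f"  first seen {ts.isoformat()}  {ip:<12} {user}")
```

With a 30-day window only the alerted device appears; with a 365-day window two more employees whose first contact predates the alert by six months are surfaced.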

There are many other stories detailing how customers are using Niara to detect advanced attacks. I’ll continue to highlight the ones that I think are really interesting, so stay tuned!

Tags: Blog, Lessons Learned