How to Use the Network: Cybersecurity’s Secret Weapon
Michael Clark
November 19, 2024
As recently as 2021, it took attackers an average of 44 days to progress from initial compromise to data exfiltration. The latest attacks, however, can run their course in a matter of hours. That accelerated timeline is a big problem for organizations, as the global median dwell time stands at 10 days, according to the M-Trends 2024 Special Report from Mandiant. Once a breach has been discovered, it must be investigated and remediated, and publicly traded companies must disclose the breach to the SEC within four business days of determining that it is material.
That’s a lot for an organization to accomplish in a short period of time, and for many, the math doesn’t add up. But there’s priceless data every organization has that can help, although few use it to its full potential: the network.
The Value of the Network in Cybersecurity
Typically, security professionals focus on where attackers will end up: endpoints, domain controllers, databases containing sensitive information, and so on. So it follows that endpoint detection and response (EDR) and SIEM tools are among the most popular security solutions. The trouble with these tools is that they show you what happened on the hosts they cover once the attacker has landed there; they say little about where the attacker started, how they moved, or which systems they touched along the way.
Unmanaged devices, like IoT devices or laptops belonging to guests or contractors, either can’t run endpoint agents, or you don’t have the authority to install them. What’s more, sophisticated threat actors are finding ways to evade EDR, going so far as to create a lucrative black market for so-called EDR killers.
And while logs are a necessity for compliance, the SIEMs that collect them are slow to process and analyze them, and they trigger a lot of false positives. Attackers also frequently disable log collection or delete logs to hide their activity.
Network telemetry, and specifically network data combined with full packet capture and analysis, fills in crucial gaps left by EDR and SIEM. Lateral movement, command and control, and exfiltration all have to cross the network, and a copy of that traffic taken from a tap or SPAN port sits outside the attacker's reach: unlike an endpoint agent or a host log, it can't be disabled or edited from a compromised machine. If you're monitoring the network, attackers have far fewer places to hide.
Breaking Down the Barriers to Using Network Data
Historically, network data told only part of the story. The full truth lay in the packets themselves, but full packet capture (PCAP) and analysis was out of reach for most organizations: there was simply too much data. Recording east-west traffic at scale was functionally impossible, appliances couldn't keep up with the volume, and organizations lacked the storage and compute to extract the insights hidden in the mountain of data.
That’s no longer the case. The RevealX™ network detection and response platform from ExtraHop® unlocks the power of network telemetry, including full network packets. Efficient packet storage alleviates the heavy resource tax, while powerful, cloud-scale AI and machine learning algorithms surface known threats and detect suspicious behavior in real time—something a traditional SIEM can’t do.
RevealX provides rich context that SIEM and EDR solutions can't, like where and when an attack began as well as how it progressed. This context gives investigators time back and enables a proactive security posture. RevealX also decodes more than 90 network, application, database, and internet protocols and, given the appropriate key material, decrypts encrypted traffic, including Microsoft Active Directory and remote access protocols, so encryption alone can't cover the traces of attacker activity.
In fact, the full PCAP and analysis provided by RevealX lets security analysts determine with far greater confidence whether a particular incident requires a breach disclosure. Fragmented packet data is transformed via full-stream reassembly into structured records that reveal a startling amount of detail. Analysts can see not only that a SQL query was run against a particular server, but also whether that query returned results and how many rows came back, saving days of forensic work to determine whether sensitive data, like personally identifiable information, was actually taken. The caveat is coverage: the exchange has to have crossed a monitored segment, within the packet retention window, in a protocol the sensor can decode or decrypt.
Full PCAP also helps organizations stay resilient during breach investigation and remediation, especially in a ransomware incident. The first step many organizations take on discovering ransomware is to shut down their entire infrastructure to keep it from spreading. That severely disrupts normal operations and, for commercial organizations, often leads to revenue loss and customer churn. The ability to capture and reassemble full packets into a meaningful attack narrative in real time lets an organization identify precisely which systems were compromised, so it can make informed decisions about which systems need to be shut down and which can safely remain online.
Not all network detection and response solutions are alike. Just like EDR can only show you what’s happening on endpoints, some network monitoring tools only collect network metadata or NetFlow. This data can certainly be useful to indicate an attack, but it’s still not the whole picture. The difference between only looking at metadata, like packet headers, and full packet capture is the difference between a traffic camera that tells you a speeding car is red and one that captures the license plate and a photo of the driver, too. Metadata gives security analysts and incident responders partial information from which they can draw inferences that may or may not be correct, whereas full packet capture and analysis provides them with a definitive source of truth.
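To make concrete what full-stream reassembly yields that flow metadata does not (the SQL query and result example two paragraphs up, and the metadata-versus-packets contrast just above), here is an added Python example; it is not ExtraHop or RevealX code. It builds both directions of a PostgreSQL simple-query exchange in the protocol's wire format (the constructed byte streams stand in for the already-reassembled TCP payloads of one session), then parses them into a record showing the query text, the column names, and how many rows actually came back, alongside the byte counts that are all a NetFlow-style record of the same session would hold. The query, table, and values are made up for the illustration.

```python
"""Reassembled PostgreSQL simple-query exchange -> structured record.
Added example, not ExtraHop/RevealX code. The two byte streams stand in for the
client->server and server->client halves of an already-reassembled TCP session."""
import struct
from dataclasses import dataclass, field
from typing import Iterator, Optional

def _frame(tag: bytes, body: bytes) -> bytes:
    # PostgreSQL frame: 1-byte type tag, int32 length (counts itself, not the tag), body.
    return tag + struct.pack("!I", len(body) + 4) + body

def build_query(sql: str) -> bytes:
    """Client -> server: Query ('Q') carrying a NUL-terminated SQL string."""
    return _frame(b"Q", sql.encode() + b"\x00")

def build_select_result(columns: list[str], rows: list[list[Optional[str]]]) -> bytes:
    """Server -> client: RowDescription, one DataRow per row, CommandComplete, ReadyForQuery."""
    desc = struct.pack("!H", len(columns))
    for name in columns:
        # per column: table OID, attnum, type OID (25 = text), typlen, typmod, format code
        desc += name.encode() + b"\x00" + struct.pack("!IHIhiH", 0, 0, 25, -1, -1, 0)
    out = _frame(b"T", desc)
    for row in rows:
        body = struct.pack("!H", len(row))
        for val in row:  # each value: int32 length (-1 = NULL) then the bytes
            body += struct.pack("!i", -1) if val is None else struct.pack("!i", len(val)) + val.encode()
        out += _frame(b"D", body)
    return out + _frame(b"C", f"SELECT {len(rows)}".encode() + b"\x00") + _frame(b"Z", b"I")

def build_error(message: str) -> bytes:
    """Server -> client: ErrorResponse ('E') with severity and message fields, then ReadyForQuery."""
    return _frame(b"E", b"SERROR\x00M" + message.encode() + b"\x00\x00") + _frame(b"Z", b"I")

def iter_frames(stream: bytes) -> Iterator[tuple[bytes, bytes]]:
    """Walk a reassembled stream frame by frame, refusing truncated or implausible lengths."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated frame header")
        (length,) = struct.unpack_from("!I", stream, off + 1)
        end = off + 1 + length
        if length < 4 or end > len(stream):
            raise ValueError("bad frame length")
        yield stream[off:off + 1], stream[off + 5:end]
        off = end

def _cstring(buf: bytes, off: int) -> tuple[str, int]:
    end = buf.index(b"\x00", off)
    return buf[off:end].decode(), end + 1

@dataclass
class QueryRecord:
    sql: str
    columns: list[str] = field(default_factory=list)
    rows_returned: int = 0
    command_tag: str = ""
    error: str = ""

    @property
    def returned_data(self) -> bool:
        return self.rows_returned > 0

def summarize_exchange(client_stream: bytes, server_stream: bytes) -> QueryRecord:
    """Pair the query text with what the server actually sent back."""
    sql = ""
    for tag, body in iter_frames(client_stream):
        if tag == b"Q":
            sql, _ = _cstring(body, 0)
    rec = QueryRecord(sql=sql)
    for tag, body in iter_frames(server_stream):
        if tag == b"T":  # RowDescription: the result's column names
            (count,) = struct.unpack_from("!H", body, 0)
            off = 2
            for _ in range(count):
                name, off = _cstring(body, off)
                rec.columns.append(name)
                off += 18  # skip the fixed-size column attributes
        elif tag == b"D":  # DataRow: a row of results actually crossed the wire
            rec.rows_returned += 1
        elif tag == b"C":  # CommandComplete, e.g. "SELECT 2"
            rec.command_tag, _ = _cstring(body, 0)
        elif tag == b"E":  # ErrorResponse: the query failed, so nothing came back
            off = 0
            while body[off:off + 1] not in (b"", b"\x00"):
                code, (text, off) = body[off:off + 1], _cstring(body, off + 1)
                if code == b"M":
                    rec.error = text
    return rec

def flow_record(client_stream: bytes, server_stream: bytes, dport: int = 5432) -> dict:
    """All a NetFlow-style summary of the same session holds: sizes, not content."""
    return {"dport": dport, "bytes_to_server": len(client_stream), "bytes_to_client": len(server_stream)}

# Constructed sample exchanges (made-up query, table and values).
SQL = "SELECT email, ssn FROM customers WHERE region = 'EMEA'"
CLIENT = build_query(SQL)
SERVER_HIT = build_select_result(["email", "ssn"], [["a@example.com", "123-45-6789"], ["b@example.com", None]])
SERVER_EMPTY = build_select_result(["email", "ssn"], [])
SERVER_ERROR = build_error("permission denied for table customers")

if __name__ == "__main__":
    print(summarize_exchange(CLIENT, SERVER_HIT), flow_record(CLIENT, SERVER_HIT), sep="\n")
```

The three server streams are the cases an investigator has to tell apart: the query returned two rows (one containing a NULL), the query matched nothing ("SELECT 0"), and the query was rejected with an error. The flow record is identical in shape for all three and says nothing about which one happened; only the reassembled payload does. Frame-length checks in iter_frames matter in practice because a stream cut off mid-frame by a capture gap should be flagged, not silently read as "no rows".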
The level of network visibility that RevealX provides confers tangible benefits to organizations. Forrester Consulting conducted a Total Economic Impact study of RevealX that modeled the costs, benefits, ROI (193%, if you were curious), and value of RevealX over a three-year period for the composite organization the study describes. The results show a massive boost to productivity: an 86% reduction in time to remediation, an 87% reduction in time to resolve threats, and a 92% reduction in time to resolve outages.
Every minute matters during a cyberattack. With RevealX on your side, you’ll get the most out of each one.