Gigamon Observability: Building Strong Defenses from the Network at Every Step of the Cyberattack Chain

In today's threat landscape, the importance of network traffic visibility cannot be overstated. According to Mandiant's 2024 M-Trends Special Report, the average dwell time for attackers in 2023 was ten days, and to make things worse, when ransomware goes undetected at early stages, it only takes an average of five days from the time of initial intrusion to when the ransom demand is made. With threats becoming more sophisticated and prevalent, it is crucial for organizations to strengthen their defenses by gaining a clear understanding of the traffic flowing through their network infrastructure.

By having comprehensive visibility into network traffic, organizations can identify and mitigate security risks, enhance performance, and ensure compliance with regulations. If you want to learn more about these security fundamentals, check out the webinar "Cybersecurity Fundamentals: Building Strong Defenses."

One of the key benefits of gaining comprehensive network traffic visibility is the ability to detect and respond to security threats in real time. By monitoring network traffic in all its forms - North-South, lateral (East-West), encrypted-decrypted, ingress-egress, IoT-OT - organizations can identify unusual patterns or anomalies that may expose a security incident at early stages. This proactive approach allows timely action to be taken to mitigate the threat and minimize the impact on the organization.

Figure 1 explores the attack progression of a data exfiltration scenario and how comprehensive network traffic visibility more quickly exposes the presence of threats at multiple stages:

1.Initial Access: The threat actor gains initial access. This could be started by a phishing campaign, as an example. At this point, it will be a race against the clock for a security team to reduce the impact of the incident. Prompt identification of initial access artifacts, such as initial compromised device, source of attack, and time of intrusion are critical for effective threat containment.

Gigamon helps security tools like SIEMs, providing immediate visibility into network traffic in all directions and application-level data, so SIEMs can accelerate the detection of abnormal traffic patterns and applications behind any suspicious network traffic with detailed metadata containing protocols and ports used, source and destination of traffic, and time stamps.

2. Lateral Movement: Once the perpetrator establishes initial access, additional reconnaissance actions usually start, forwarded by lateral movementtechniques, such as session hijacking, exploitation of remote services, and lateral tool propagation, to expand the attacker's footprint. In addition, advanced attackers can start disguising lateral movement techniques within traffic, and it is common to see them leveraging encrypted traffic to complete this phase.

After infiltration is achieved, attackers know which logs need to be tampered with to cover their steps and extend their presence undetected in the environment.

Gigamon helps reduce the detection time through visibility of network traffic (encrypted and unencrypted) in all directions (ingress-egress, North-South, lateral East-West). Gigamon takes the load for decryption so security tools like NDRs become more effective for understanding active connections, exposing techniques like RDP misuse and leaving intruders with no places to hide, even within encrypted traffic.

In addition, Gigamon solves another big challenge briefly addressed above: the single source of truth when your security relies purely in logs - keep in mind that logs could be spoofed. Detections from the network provide an independent source of truth in case security controls are disabled or evaded by threat actors.

3.Command and control: At this stage, the attacker is getting closer to their ultimate data exfiltration objective. The main objective for the perpetrator is to establish these channels and stay undetected as much as possible.

Gigamon helps to expose command-and-control channels with visibility into all network traffic. This helps NDR tools more quickly expose advanced disguising techniques like traffic into non-standard ports, protocol tunneling exploiting SMB or DNS, or programmatic traffic patterns from offensive remote access tools.

4. Exfiltration: This last stage of the attack progression is probably the one that can cause major damage to any organization, when data exfiltration into places like the dark web starts. Some attacks are so well-orchestrated that it may take months for a security team to uncover the data leakage.

Gigamon makes security tools more effective to uncover these threats with visibility from the network on outbound and lateral traffic, protocols, ports, and applications, exposing advanced exfiltration techniques like scheduled transfers, alternate protocols, or even exfiltration on cloud storage resources.

In addition to security and performance benefits, network traffic visibility also plays a crucial role in ensuring compliance with industry regulations and standards. By having a clear understanding of the traffic flowing through their networks, organizations can demonstrate that they are taking the necessary steps to protect sensitive data and maintain the integrity of their network infrastructure.

How Can Organizations Strengthen Their Defenses With Network Traffic Visibility?

Visibility is a fundamental component of any security program. The first recommended step would be to invest in infrastructure that provides comprehensive insights into all types of traffic traversing the network in real time. Security solutions are only as good as their visibility.

Moreover, organizations should prioritize the implementation of security best practices, such as encryption, to ensure that sensitive data is protected as it traverses the network; therefore, make sure your network infrastructure is flexible and not only decrypts but also encrypts and re-encrypts network traffic as needed.

Gigamon provides a unique advantage offering an option to get plaintext visibility into all encrypted communications before the payload is encrypted - leveraging eBPF and standard encryption libraries, so no decryption would be required if you are unable to decrypt the traffic for any reason. Regular security audits and assessments can also help identify any gaps in defenses and ensure network traffic visibility is being leveraged effectively.

In conclusion, network traffic visibility is a critical component of a strong defense strategy in today's world. By gaining comprehensive insights into network traffic, organizations can effectively leverage their security tools to proactively identify and mitigate security threats, optimize performance, and ensure compliance with regulations. With the right network traffic infrastructure, security tools, and best practices in place, organizations can build a robust defense posture capable of withstanding the ever-evolving threat landscape.

Don't wait - download our free 2024 Hybrid Cloud Security Survey, benchmark your preparedness level, and contact us to review your hybrid cloud security strategy with the help of our experts.