
What is Multi-layered Threat Detection and Mitigation?

Written by Sarah Chandley on Friday, 18 January 2019. Posted in Cyber

The view of the cyber threat landscape differs greatly depending on your perspective, and that perspective is defined by the type of network you are protecting. Targeted cyber-attacks use a growing catalogue of clever tactics and innovative attack vectors that are reshaping corporate and governmental security strategies while wreaking havoc in consumer markets. Remaining secure in 2019 depends on many factors, but ultimately the defenders who see the most success will be those able to identify and mitigate threats at a more granular level. The constant and ever-increasing number of cyber-attacks facing organisations requires cyber security analysts and forensic specialists to detect, analyse and block cyber threats in near real-time.

To adequately protect networks, defenders need access to tools and techniques that provide advanced multi-layered threat detection and agile, automated mitigation in real time to remediate cyber security incidents, and that speed up the collection and analysis of incident-related information for accurate forensic investigations. This is easy to map out at a corporate level but much harder to implement at a practical level.

So how should defenders approach real-time threat detection and mitigation? The fundamental starting point should always be network visibility. The ability to see and understand network traffic is crucial to a defender's ability to block an attack, and the most efficient and effective way to gain it is to use unsampled network flow data such as NetFlow, IPFIX or sFlow collected from probes, switches/routers and other network infrastructure. This good-practice rule applies whether your network runs at 1GbE or 400GbE: network visibility is about creating a stable platform for your security infrastructure, such as intrusion detection systems, analysis tools and SIEMs, to work from.

Another important weapon in a defender's toolkit is Cyber Threat Intelligence. This accumulated data gives valuable context and relevance to large amounts of data, enabling agile and improved detection of advanced threats. The UK's National Cyber Security Centre (NCSC) categorises four types of threat intelligence: tactical, technical, operational and strategic. Together these four segments provide a clear view of the threat landscape, from attacker methodologies, tools and tactics to indicators of specific malware, details of a specific incoming attack and high-level information on changing risks.

Threat intelligence platforms built on Cyber Threat Intelligence have become a critical security tool, using global security intelligence to detect malicious activity, e.g. identifying known and zero-day threats such as protocol and application misuse, data exfiltration, DDoS attacks, malware and crimeware, botnet activity and network misuse/contamination inside a network. Defenders should look for tools that consolidate threat intelligence from multiple sources, automate identification and containment of new attacks, provide security analytics, and integrate with other security tools.

A smart cyber security strategy combines network visibility with threat intelligence, but also with the ability to block potential security incidents and risks as they happen; ideally this function is automated to reduce resource requirements and maximise the investigation workflow for post-attack analysis. The question is: how do you go from alert to triage to fix? Triaging, or sorting alerts by relevance, is often made difficult by the vast number of alerts a network can generate. Add to this mix false positives and alerts that aren't grouped together, and it becomes difficult to get any real value from alerts, with the risk of missing important incidents.

One way around this is to use tools such as the TDAC from Telesoft, which can categorise and group network infrastructure by area according to IP address, service, application, or physical or logical attribute, creating silos, or entity sets, of network information and alerts. Defenders can use entity sets to prioritise and automate the response to incidents and gain contextual insight about an alert, accelerating the reaction time of a threat intelligence platform. This enables rapid correlation of key indicators of compromise (IOCs) such as vulnerability scoring, attack density and destination IP.

Executing smart alert triaging using entity sets allows defenders to identify a priority alert and keep key infrastructure functioning in the face of an attack. In most organisations a cyber emergency response team (CERT) will be responsible for this, and automating some of the activity allows them to focus resources in other areas. One way to do this is to deploy next-generation security tools that utilise Border Gateway Protocol (BGP) Flowspec (BGP-FS), which extends BGP, the protocol all internet routers use to talk to each other. BGP Flowspec uses BGP to distribute flow-specification filters to network routers, so when a threat is identified, the entity set or infrastructure inputs a rule to block or deny traffic related to the threat by its source, destination and a number of other characteristics. The malicious traffic is systematically and temporarily filtered off the network, blocking threats globally before they have time to form fully or scale and affect users.
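To make the entity-set triage and the Flowspec-style block rule from the two paragraphs above concrete, here is an added Python example; it is not Telesoft's TDAC code. The entity-set names, prefixes, service ports and alert records are constructed, and the returned rule only mirrors the match components of a flow specification rather than being advertised to any router.

```python
import ipaddress
from collections import defaultdict

# Entity sets: name -> (prefix, service ports). Constructed, not Telesoft's format.
ENTITY_SETS = {
    "dmz-web": (ipaddress.ip_network("203.0.113.0/24"), {80, 443}),
    "corp-dns": (ipaddress.ip_network("198.51.100.0/24"), {53}),
}

# Constructed sample alerts using RFC 5737 documentation addresses.
ALERTS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 443, "score": 7.5},
    {"src": "192.0.2.10", "dst": "203.0.113.6", "dport": 443, "score": 7.5},
    {"src": "192.0.2.99", "dst": "203.0.113.7", "dport": 80, "score": 4.0},
    {"src": "192.0.2.77", "dst": "198.51.100.2", "dport": 53, "score": 9.1},
    {"src": "192.0.2.55", "dst": "10.9.8.7", "dport": 8080, "score": 2.0},
]

def classify(alert):
    """Map an alert to the entity set owning its destination IP and service."""
    dst = ipaddress.ip_address(alert["dst"])
    for name, (prefix, ports) in ENTITY_SETS.items():
        if dst in prefix and alert["dport"] in ports:
            return name
    return "unassigned"

def triage(alerts):
    """Group alerts per entity set; rank by highest score, then attack density."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[classify(alert)].append(alert)
    summary = [(n, len(g), max(a["score"] for a in g)) for n, g in groups.items()]
    return sorted(summary, key=lambda s: (s[2], s[1]), reverse=True)

def flowspec_rule(alert):
    """Flowspec-style filter (RFC 5575 match components); a BGP speaker must still distribute it."""
    return {
        "destination": f"{alert['dst']}/32",
        "source": f"{alert['src']}/32",
        "destination-port": alert["dport"],
        "action": "discard",
    }

def top_rule(alerts):
    """Block rule for the highest-scoring alert in the top-priority entity set."""
    top_set = triage(alerts)[0][0]
    worst = max((a for a in alerts if classify(a) == top_set), key=lambda a: a["score"])
    return flowspec_rule(worst)
```

Running `triage(ALERTS)` ranks the DNS entity set first on score even though the web set has more alerts, which is the kind of contextual prioritisation the text describes.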

When total network visibility, global threat intelligence, smart alert triaging and the ability to block cyber-attacks are combined, they create a proactive, agile, multi-layered security strategy that keeps day-to-day operations running smoothly and important data safe. Telesoft offers a number of cyber security products for flow monitoring and cyber threat visibility; talk to us about detecting and blocking threats in your network.

About the Author

Sarah Chandley

Sarah is an experienced B2B technology marketing professional, creating content for the Cyber Security, Telco and Government Infrastructure sectors. 
