Security / June 21, 2023

Be Sure to Whack Your Cybersecurity Blind Spots

Editor’s note: This is part one of a four-part series. For part two, see “Avoid Dead Reckoning: Why Zero Trust Requires Network Visibility”; for part three, see “Precryption: The Zero Trust Prescription for Decryption”; and for part four, see “Harness East-West Visibility for Defensive Security.” This series is also available as an ebook.

Managing risk is a top priority for every business executive — and given the prevalence of successful cyberattacks, cybersecurity risk is at the top of the list of challenges facing every organization.

Managing cybersecurity risk is like playing a never-ending game of Whack-a-Mole — except the number of moles seems to be infinite, while your hammers are expensive and in limited supply.

Worst of all, many of the moles are smart.

Pounding away at where you expect the critters to pop up isn’t good enough. You must also recognize and target your blind spots.

After all, the blind spots are precisely where attackers — the moles — are looking to penetrate your network.

Identifying the Blind Spots

The starting point for any cybersecurity effort targets where you expect the attackers to strike — the holes in the Whack-a-Mole game board, so to speak.

The author, Jason Bloomberg, is founder and managing partner of enterprise IT industry analysis firm Intellyx.

These targets are endpoints — the computers, devices, and other equipment that can host endpoint detection and response (EDR) agents. By leveraging these agents, your EDR technology can whack the attackers whenever they attempt to breach an endpoint.

EDR, however, has plenty of obvious blind spots. The most obvious: any endpoint that can’t run an agent, either because the technology doesn’t support it or for some other reason, like a regulatory compliance restriction.

Other blind spots aren’t as obvious. The agents themselves, for example, can also present many blind spots, since bad actors can compromise or disable the agents.

Software drivers also have blind spots. When users inadvertently install their own vulnerable drivers on their devices, EDR solutions are woefully unprepared to deal with the resulting vulnerabilities.

Enter extended detection and response (XDR). XDR goes beyond agents, collecting logs and other security telemetry from endpoints, cloud workloads, email, and other sources. It’s basically an evolution of the EDR market. XDR then uses artificial intelligence (AI — machine learning in particular) to parse and correlate ingested data to automatically detect threats.

XDR works similarly to security information and event management (SIEM) platforms that also collect and correlate log data to generate alerts and identify potential security issues.

XDR can do everything EDR can do and more: It can extend EDR protection beyond endpoints to cloud workloads, servers, email, and containers.

And then there’s network threat detection and response (NDR). NDR offers a centralized and automated system for analyzing and responding to security incidents, providing protection against both known and unknown threats that may traverse the network.

Implementing NDR enhances your visibility into network blind spots and ability to effectively identify any suspicious entities or activities within your network.

Are XDR or NDR the solutions to your Whack-a-Mole problem? Not so fast.

Whacking the Remaining Moles

Since most enterprises run SIEM, NDR, and XDR in combination, you might think that they have all their blind spots covered.

That’s just what bad actors want you to think.

In reality, there are still several points of vulnerability in those obscure corners of your network where agents don’t fit and nothing generates a useful log file.

Examples of these remaining blind spots include corporate printers and copiers as well as various legacy technologies. Many of these devices have been in place for years and communicate via insecure protocols on the network.

East-West traffic (traffic moving laterally within a network) also qualifies as a blind spot, since many malware-based attacks require lateral movement within the corporate network.

Encrypted traffic, ironically, also presents a significant blind spot. Encryption, after all, hides the contents of messages. If those contents include malware or other malicious data, then the mole you need to whack is invisible.

Perhaps the greatest source of blind spots for many organizations is hybrid clouds that are some combination of cloud-based and on-premises technology. Few cybersecurity tools focus on hybrid cloud challenges.

As a result, there is a lack of comprehensive visibility across hybrid and multi-cloud environments — and the moles keep popping up.

Beating the Moles at their Own Game with Deep Observability

Agent-based and log-based cybersecurity tools are necessary, but they aren’t sufficient. They simply leave too many blind spots for bad actors to compromise.

The missing piece: Solutions like the Gigamon Deep Observability Pipeline that provide packet-level intelligence on the network. Combining network-derived intelligence with agent and log-based tools gives organizations deep observability.

Organizations can use this deep observability to uncover threats that would otherwise fall into existing cybersecurity blind spots, even across hybrid and multi-cloud infrastructure, from the network to the applications.

Deep observability, in fact, is a foundational requirement for any Zero Trust architecture, because it exposes all the blind spots. Zero Trust assumes any information on the network is potentially malicious — a core part of the NIST SP 800-207 definition of Zero Trust.

Without deep observability, there’s no way for cybersecurity infrastructure to rigorously separate benign traffic from malicious.

The Intellyx Take

Try as we might to whack all the moles, there will always be the possibility that one will slip through. Perfect cybersecurity is impossible.

As a result, organizations must also focus on defense in depth — combining EDR (agents), SIEM (logs and other telemetry), as well as packet-level visibility to achieve the deep observability necessary to ensure that the security team is able to detect and mitigate any threats that find their way past their cyber-hammers.

Defense in depth combines comprehensive security protections with the observability necessary to detect and mitigate any compromise. It derives implicit trust from an organization’s cybersecurity controls.

XDR, NDR, and SIEM, either separately or together, aren’t good enough. By combining them without high-fidelity, network-level visibility, you’ve actually reduced your ability to correlate relevant data. Not only will you leave some moles unwhacked, but you might not even see the ones that slip through.

Combining network insights with log-based tools to provide deep observability, and thereby detect previously unseen threats, solves this problem and is core to Gigamon’s value proposition — what it calls its “better together” story.

With deep observability, you’ll be able to spot those pesky critters as soon as they poke their head above the board.

Copyright © Intellyx LLC. Gigamon is an Intellyx customer. Intellyx retains final editorial control of this article. No AI was used to produce this article. Image credit: Laura.
