<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2975524&amp;fmt=gif">
Skip to content

Visibility Solutions

Garland Technology is committed to educating the benefits of having a strong foundation of network visibility and access. By providing this insight we protect the security of data across your network and beyond.

Resources

Garland Technology's resource library offers free use of white papers, eBooks, use cases, infographics, data sheets, video demos and more.

Blog

The TAP into Technology blog provides the latest news and insights on network access and visibility, including: network security, network monitoring and appliance connectivity and guest blogs from Industry experts and technology partners

Partners

Our extensive technology partnership ecosystem solves critical problems when it comes to network security, monitoring, application analysis, forensics and packet inspection.

Company

Garland Technology is dedicated to high standards in quality and reliability, while delivering the greatest economical solutions for enterprise, service providers, and government agencies worldwide.

Contact

Whether you are ready to make a network TAP your foundation of visibility or just have questions, please contact us. Ask us about the Garland Difference!

Threat Hunting and Incident Response in Azure Environments

When cyber-attacks cross the network, grabbing quality and relevant data from network traffic is essential for security operations. This is especially pertinent in cloud environments where security teams have limited or no traffic visibility, leaving them blind to malicious attacks. Without pervasive visibility into and deep insights from network traffic, threat hunting and incident response teams cannot be effective. Garland Technology recently spoke to Vijit Nair, Senior Director of Product at Corelight, to discuss the importance of threat hunting and how, with the right tools and direction, it’s more accessible than you might think. 

1. How would you define the incident response process?

 Incident response is the process by which organizations respond to an intrusion. Security teams must have clear plans and well defined playbooks that help them move rapidly to respond to an incident and limit the damage. For this, they must be armed with high fidelity data that allows them to triage alerts, dismiss false positives, escalate actual incidents and deep dive into an investigation.
 

2. Before we dive into specific cloud environments, let’s look at the bigger picture of security.  Can you explain the difference between threat hunting and incident response?  

Threat hunting is a hypothesis-driven activity, searching for threats that have gone undetected and are currently hiding in the network. Threat hunting typically starts with a hypothesis of potential issues in your network and then you dive into the data to look for something interesting. Incident response comes into play when an intrusion detection system detects an issue and generates an alert and is a reactive approach, whereas threat hunting is proactive. Threat hunting may trigger an incident response if something malicious is detected. Here is a Corelight's Threat Hunting Guide organized around the MITRE ATT&CK framework.


3. The shift in cloud platforms like AWS, Google, and Azure has come with many security difficulties. When dealing with these cloud environments, what makes threat hunting so difficult?

In a cloud environment, the shared responsibility model limits visibility, while distributed cloud services and hybrid environments expand the attack surface. Automation and scale amplifies misconfiguration turning it into the single biggest threat to cloud security. Privileged Identity and Access Management (IAM) account for 70-80% of all data breaches. Enterprises migrating workloads into the cloud are responsible for security of the applications, but don’t have the kind of visibility needed to secure them. 

Threat hunting in the cloud environment requires comprehensive visibility, which is challenging in an IaaS (Infrastructure as a Service) environment. Security Op teams need to ensure that logging is configured (and stays configured) on every service, ingest log types from every service into their SIEM, navigate poorly designed schemas, and correlate across logs from different cloud environments. 

>> Read Now: How to Overcome Packet Visibility Challenges
in the Cloud [Free Whitepaper]


4.How can security teams mitigate the difficulties of cloud risks?

Security teams must use network monitoring to complement application level visibility. With a bird’s-eye view of the cloud environment, organizations can shine the light on high value assets, privilege boundaries between multi-cloud environments, and other choke points. Network monitoring provides a judgement-free view of the environment and is cloud provider, application and services agnostic. Open source tools such as Zeek have long been established as the de facto standard for continuous network security monitoring with a schema that is purpose built for SOC teams. The extensibility of Zeek and its community-developed content allows you to easily enrich data with context and correlations.


5. Currently, each cloud platform has a different way of going about security. What about Azure environments makes security and threat hunting challenging?

A lack of application level visibility and comprehensive logging is why organizations look to network monitoring for a normalized view of their environment. Packets don’t lie and IT and security professionals need this level of visibility and access for their connected applications to detect security anomalies and analyze network performance. This visibility has been notably absent in Azure, leaving IT teams to examine small packet captures for individual hosts using outdated tools such as tcpdump and Microsoft Network Monitor, instead of a native solution.


6. How does packet-level visibility such as the Garland Prism vTAP expand the Corelight solution in cloud environments? 

One major challenge that exists with the cloud is delivering packet-level data to tools. With data crossing public internet circuits, there is likely to be some degree of packet loss. Corelight requires visibility into all the traffic data traveling throughout the environment. That’s why we work with Garland, in this instance with Garland Prisms, to help drive accurate advanced packet data that Corelight sensors need to detect and respond to malicious data. 


7. How can threat hunting teams use this visibility to secure their cloud environment? 

A great place to start is the recently released MITRE ATT&CK Cloud Matrix for enterprises. This matrix covers the cloud-based TTPs that adversaries employ. Additionally, Corelight has put together a tool that identifies TTPs in the ATT&CK matrix where Corelight data can be used to discover and thwart attackers. 

 

For example:

  • T1020 – Automated Exfil: Data exfil from Cloud Storage is one of the most common sources of data breach experienced in Cloud. The ‘producer-consumer ratio’ package helps defenders identify the typical direction and volume of data transfer between two hosts and to determine when it changes.
  • T1110 – Brute Force: IAM account compromise allows attackers to move through the cloud environment undetected, while wreaking havoc. Corelight’s data can help monitor password guessing or brute-forcing attacks over SSH. Even with encrypted traffic, Corelight relies on user behavior rather than content to glean irrecoverable insights from the traffic.


8. You mentioned new threat hunting capabilities in the Corelight platform. Can you tell more about Corelight’s recent expansion in your current offerings? 

Yes! We recently updated the capabilities of the Corelight Cloud Sensors based on changes in encryption data in the cloud. Encrypted traffic continues to rise. Defenders need to be equipped with threat hunting tools to separate legitimate behavior from malicious activity when decryption is not an option. The expansion is called Corelight Encrypted Traffic Collection (ETC), which expands defenders’ incident response and threat hunting capabilities in encrypted environments.. Corelight ETC is awesome because it contains numerous packages developed by Corelight’s Research Team, such as the ability to infer keystrokes over SSH connections, as well as curated packages from the open-source Zeek community. We were excited to roll this out earlier this year.

9. With the consistent evolution of cloud environments and threat hunting, we obviously haven’t seen the end - what do you see as an emerging trend for cloud security? 

Cloud adoption will continue unabated as enterprises accelerate their migration. Cloud services will become a lot more ubiquitous and distributed with adoption of microservices and serverless architectures. We expect cloud security challenges to grow at the same pace. Organizations will be forced to shift from a compliance / prevention centric mindset to establishing mature SOC teams capable of threat hunting & incident response to take on the emerging threats in cloud security.

Looking to add  this Corelight solution  to your cloud deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do!

Cloud visibility solutions packet capture garland technology

Written by Vijit Nair

Vijit Nair is a Sr Director of Products for the Cloud Portfolio at Corelight where he focuses on building products that extend Corelight’s NSM visibility into public and private cloud environments. Previously as Director of Product - Cloud Segment at Juniper Networks, he managed their portfolio spanning Data Center Switching, Cloud Networking & Security. Prior to that, as an engineer, he built and shipped some of the fastest routers in the world and holds several patents in networking. He has a Masters from Penn State and a MBA from UC Berkeley Haas.

Authors

Topics

Sign Up for Blog Updates