COI Report – Part VII Page 255 of 425

of data analytics tools. This should be addressed by acquiring the necessary technological solution to maximise the use of NetFlow information.

736. With the necessary analytical tools, NetFlow can provide anomaly detection and investigative capabilities that can be used in incident response, for example, to uncover behaviour that may have been occurring over a long period. When a security incident is being investigated, the flow database can be used to determine what IP addresses accessed a system, the times the system was accessed, as well as quantifying the impact on related systems that the host conversed with on the network, before and after the incident. Without automated analytics, trawling through huge volumes of flow data to determine the actions of a long-term threat actor residing within a network, who may have been dribbling out stolen data over a prolonged period, would be nigh impossible. Vivek emphasises that NetFlow alone is insufficient – in the context of traffic leaving the network perimeter, he stated that analytical intelligence needs to be applied to help determine if the outbound traffic is suspicious, and to determine if the data is indicative of beaconing by malware. Without this analytical ability, NetFlow alone would result in an information overload.

737. However, it must be noted that NetFlow itself does not contain any content of the observed traffic. The Committee was informed that IHiS has begun efforts to enable NetFlow at routers and switches to collect traffic information for traffic profiling and intrusion detection, in particular, those relating to traffic moving laterally from server to server.

37.3 Effectiveness of current endpoint security measures must be reviewed to fill gaps exploited by the attacker

738. Endpoint security protects desktops, laptops, servers etc. from malicious internal and external threats. As security technology becomes more sophisticated, so do attackers' tools, tactics, and methods. Attackers are now adept at discovering the weak points in enterprise security strategy – and increasingly, endpoints are being targeted. However, asset classification is often still used as the means by which to prioritise risk, resulting in endpoints (assets of low priority
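The analytics paragraph 736 calls for, shown as an added illustration (not part of the report and not IHiS's tooling): over NetFlow-style records it flags near-periodic outbound connections typical of malware beaconing, sums outbound bytes per internal host so low-and-slow exfiltration can be reviewed, and answers the incident-response question of which hosts conversed with a given address and when. The flow records are constructed for the example; the field layout, thresholds and the 10.x internal prefix are assumptions.

```python
# Flow-record analytics in the spirit of paragraph 736. Added example with
# constructed records; not the report's or IHiS's own code.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (start_time_s, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = []
# Host A contacts one external IP every ~300 s (5 s jitter) with small payloads.
for i in range(24):
    FLOWS.append((1000 + i * 300 + (i % 2) * 5, "10.0.0.5", "203.0.113.7", 443, 900 + (i % 3) * 10))
# Host B does ordinary browsing: irregular timing, varied sizes.
for t, b in [(1010, 52000), (1190, 1200), (1345, 230000), (1900, 8000), (3800, 1500), (5100, 64000)]:
    FLOWS.append((t, "10.0.0.9", "198.51.100.20", 443, b))

def find_beacons(flows, min_flows=8, max_cv=0.1):
    """Return {(src, dst, port): mean_interval} for pairs whose inter-flow gaps are
    near-constant. cv = stdev/mean of the gaps; clock-like timing gives a low cv."""
    by_pair = defaultdict(list)
    for t, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(t)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits[pair] = round(mean(gaps), 1)
    return hits

def outbound_bytes_by_host(flows, internal_prefix="10."):
    """Total bytes each internal host sent to external destinations over the window;
    a long-tail review of these totals is how slow exfiltration surfaces."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            totals[src] += nbytes
    return dict(totals)

def hosts_talking_to(flows, ip):
    """Incident-response pivot: every host that conversed with `ip`, with first/last seen."""
    seen = {}
    for t, src, dst, _, _ in flows:
        if ip in (src, dst):
            other = src if dst == ip else dst
            first, last = seen.get(other, (t, t))
            seen[other] = (min(first, t), max(last, t))
    return seen
```

The first/last-seen times from `hosts_talking_to` give the window to query the flow database for "before and after the incident", while the beacon and volume views are the automated sifting without which the flow data is only an information overload.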