Defend the “when” with Network Intelligence

Visit for more information.

Defend the “When” with Network Intelligence

Perhaps the oldest cliché in cybersecurity is “it’s not if, but when you get compromised.” Cliché, yes, but also true. So, why then, are we all focused on defending the “if”? In this presentation, Bryan Lares will explore why the cybersecurity industry has it wrong and make the case for why we should defend the “when.”

Bryan will examine what opportunities exist for defenders when they focus their attention inside the perimeter and tap into the rich world of network intelligence. Bryan will discuss practical applications for packet-based insights and behavioral analysis: from fundamentals like asset inventory and other hygiene, to decryption of encrypted network protocols, and applying behavioral analysis to detect and continuously monitor attacker lateral movement and prevent breaches.


Bryan Lares is one of the newest members of the ExtraHop leadership team, serving as Vice President of Product. His team drives the global product strategy, roadmap and execution for ExtraHop’s groundbreaking Network Detection & Response platform Reveal(x).

Bryan has over 20 years of experience in enterprise technology and has built and scaled multiple platforms in the endpoint, network and cloud security markets. He has held product and strategy leadership roles at hyper-scale technology companies like Microsoft and Dell Technologies and growth stage unicorns like IronNet and SparkCognition. In addition, Bryan was also a member of the Digital and Technology Strategy practice at global management consulting firm Strategy& (Booz & Company).

Bryan holds a Bachelor of Science from Purdue University, an MBA from the University of Texas and lives with his family in Austin.

Join US and Canada cyber community members at the inaugural Austin Cyber Show Conference at Concordia University Texas, During the two-day cyber defense conference, participants can engage in discussions with peer leaders and industry experts on the cyber risks and challenges that businesses, leaders, developers, educators, and students face each day.

Short Clip Script:

What we’re here talking about is what we like to call the intelligence gap. So that is the time in between intrusion and breach. But why is it difficult to monitor what’s going on between intrusion and breach during that dwell time? One is 70% of devices are unmanaged two, at least 72% of attacks involve evasion and 67% of traffic as we know is encrypted. And there was some great discussion about that over the last hour or so. So it makes it really difficult to monitor what we call the mid game, which is between intrusion and breach.

Full Session Script:

It’s good to be here in person. I don’t know about most of you, but this is my first in-person conference in quite a while. It is fantastic to be here. For those of you that don’t know me, my name’s Bryan Lares. I’ve been in the Austin tech community for the last 15 plus years.

My journey is I’ve always been. In to data and in different analytics and different sides of it. Like a lot of you I started out building large scale data platforms and data warehouses, and started out as a data engineer. I progressed, I went to business school right down the street here at UT and then progressed to helping companies grow and differentiate through data. About 10 years ago I used what I learned to determine that cybersecurity is a fantastic industry. If you’re trying to get the most out of data, it’s a very data-driven industry and always say, signal noise is really important.

So I’ve spent the last 10 years of my life building analytics driven products in the cybersecurity space. I’ve been, as many of you that live here in Austin, I’m sure a similar path. I spent some time with the wonderful people at Dell technologies, and I guess my claim to fame there, if anyone works at Dell was I helped build the endpoint security business combination of acquisitions and some internal IP. And that was a fantastic experience. I was also co-founder of the cyber security business at spark cognition founded by Amir Hussein here in Austin. Amir’s one of the preeminent entrepreneurs here in Austin and myself and a guy named Gerald Cappleman, who now is the head of engineering there, we built that product platform together. And now I am the head of product for ExtraHop networks. If you’re not familiar with ExtraHop it’s, first of all, a fantastic company and a fantastic set of people it was founded by two gentlemen Jessie and Raja, who are experts in deep packet inspection and network analysis, it was actually founded as a network performance management tool. And over the last five years, they have built out the market leading cloud enabled cloud scaled, a network detection and response platform.

So that is a little bit about me. I am the V P of product at ExtraHop, and I am really excited to be here to talk to you. I live right down the street. I love the Austin cyber community. So bill, thank you for putting this on and I hope this continues to grow. And thanks for giving back to the Austin cyber community.

All right. I’m going to talk to you about two things here today. One I am going to talk to you about some of the challenges with what happens in between intrusion and breach and why is that important? And then two, I’ll teach the, how of, how do we monitor and gain visibility into into that activity?

Many cyber attackers really have the advantage. I think the overused trope is that an attacker has to be right once, a defender has to be a right every single time, but what’s really the impact of that. These stats hit me the other day as we were putting together this presentation.

The average cybersecurity spend for large enterprise is between two and 5 million and then mid, 500 to 2 million and small is 500,000. In general, those are less spending than the average costs of a data breach at 4.2 million a year. And that price has gone up 10% in the last year.

So on average companies spend, or it costs you more to get breached than you spend on your entire cybersecurity budget in one year. But what’s the chances of you have actually been breached? The latest surveys is that 41% of enterprises were breached in 2021. And the average dwell time of those breaches was about 21 days.

So the average dwell time is 21 days. The takeaway is that one you’re spending less on cyber security than it’s actually going to cost you to get breached. Two, there’s at least a 41% chance that you’re going to get breached this year.

So probably in the next two years, you will be breached. And number three, once you are breached, it’s going to be about 21 days on average of dwell time, before that breach is identified. So why is it? It’s the classic defender’s dilemma. As I mentioned earlier, that the attackers have to be right once the defenders have to be right every single time across your entire attack surface.

That is a really difficult position to be in, and it’s a difficult position to be in from both a prevention standpoint and detection standpoint. What we’re here talking about is what we like to call the intelligence gap. So that is the time in between intrusion and breach. But why is it difficult to monitor what’s going on between intrusion and breach during that dwell time? One is 70% of devices are unmanaged two, at least 72% of attacks involve evasion and 67% of traffic as we know is encrypted. And there was some great discussion about that over the last hour or so. So it makes it really difficult to monitor what we call the mid game, which is between intrusion and breach.

But, what I found was really interesting was the spending and if you look at the MITRE attack matrix, which all of us spend a lot of time in It really is very focused on post-compromised only 12% of the tactics and techniques in MITRE are pre intrusion.

And then the rest of it, 88% of those techniques are post-compromised. So we spend a lot of time thinking about how do we prevent intrusions, where a vast majority of the tactics and techniques used by attackers are post intrusion. The other interesting stat was that 75% of our cyber security investments are actually for intrusion prevention, which by the way is very important.

End point defense IDS, firewalls. That’s all very important and it needs to be part of your security posture. I find it very interesting that only 25% of investments are for that post intrusion compromise. So we’re spending, if you connect that to the previous slide we’re spending 75% of our investment on only 12% of those MITRE tactics and techniques.

So the scale is just, it’s pretty far off. And this really goes to the law of diminishing returns from an investment standpoint of how many, if you’re, when you’re thinking every day about how you’re going to spend your next cybersecurity dollar, how are you going to allocate your resources?

You’ve got to think about. If I invested enough in that post-compromised detection capabilities versus all the dollars I’m putting in prevention, because it has to be a balanced between the two.

What are we talking about here? How do you defend the mid game as we’re talking about? We believe one of the most important parts of defending the mid game is to gain visibility into that network traffic, especially the network traffic that’s going east-west within your environment.

As we talked about earlier, the previous speaker talked about the importance of deep packet inspection. And I completely agree with that a hundred percent. One the network doesn’t lie two it’s really important to be able to do behavioral analytics on that network traffic, to be able to understand and gain visibility into that post compromise activity.

Once the intrusion has happened and once you’re in post compromise the script can be flipped, you’re actually talking about monitoring that network behavior and the attacker then has to be right multiple times versus the defender being right multiple times.

Cause as they go through that attack progression, there’s a number of behaviors that can be monitored to look for. Different tactics and techniques across the enterprise to be able to determine that. So everything from recon to privilege escalation, to lateral movement, to data exfiltration. I was looking at this earlier and I found it really interesting.

I was looking through the latest Mandiant and Manny does a fantastic report every year on incidents. And they actually calculate how often tactics and techniques are used based on the MITRE framework in incidents. So it’s a fantastic report that you guys should look through. When you get a chance.

But the data I found interesting is if you think about close post compromise, 16% of incidents. Attackers gain persistence through scheduled tasks and jobs, which that behavior can be monitored at the network level. 29% of incidents attackers use process injection to escalate privileges, and that can be monitored at the network level.

In 32% of incidents, attackers performed internal recon through systems files, directories, and that can be monitored post-compromise. I’ll pick one more. 37% of incidents, attackers use application layer protocols, web, DNS, to communicate with C2. And in 14% of those incidents, the attackers use encrypted channels for that communication.

So what did we learn from that? We learned that almost every single compromise, is post compromise. There’s a number of high value behaviors that can be monitored at the network level to detect breach and to detect intrusion. Two, we learned that a lot of that activity is encrypted, so decryption is important and it’s really important to have the right telemetry . automate that monitoring for you.

Let’s go with a example from an attack and go ahead and build a slide out. A lot of people are familiar with colonial pipeline. It was very important attack from the last several years. And it was attacked from dark side. So during the colonial pipeline attack after initial intrusion, the attacker, behavior was missed by their firewall, by their CASBY by their IDS, by their NOC, by their DLP, EDR, and SIM.

Once that initial intrusion happened, that wasn’t prevented, it ended up costing $153 million for colonial. And as there was five days of downtime. There was a significant ransomware payment and it was a huge business impact to colonial. But what if colonial had that visibility into the post-compromise intrusion?

One of our customers, a major, a large leading home improvement company. I’ll let you guess who that might be was also attacked by dark side, but once the intrusion happened, there was behaviors identified within the SMB protocol. To identify data staging activity, to identify a enumeration activity from bloodhound and to identify some of the ransomware activity.

And so that was identified after post intrusion, but before the breach started to occur. So remediation was able to take place. So in this particular example, there was no downtime. There was no ransomware and there was less than 20,000 files encrypted. So it’s really important.

This kind of puts a point on how important it is to really invest in that mid game. In addition to the investment you’re making on the prevention side.

What does it take to have differentiated prevention or differentiated visibility into the mid game? I’d say one thing I, and I love that we set this up and talked about it earlier is protocol. There’s a wide range. If you look at all the network detection capabilities you have in your stack and in your environment, there’s a wide range of different protocol fluency within those tools. And everything from minor fluency, which could be visibility into NetFlow activity to mid range, which is packet payload, matching and advanced fluency, which can be everything from decryption to TCP, real assembly, to full visibility and PCAP capture.

If you’re trying to build that full level of visibility, it’s not just one or two protocols. It’s everything that includes Microsoft protocols, file transfer protocols, database protocols, decryption protocols, and L seven visibility protocols, everything from SMB to LDAP, to these different databases, to FTP.

These are the protocols that when you’re thinking about lateral movement, when you’re thinking about east-west activity, these are the protocols that these hackers are using. These are the protocols you have to monitor post-compromise. And by the way, you should be looking into your defenses as you’re evaluating new vendors, as your going through and assessing your own set of defenses.

You’ve asked the tough questions, ask how many protocols are monitored as coming detectors. They have built for protocols. That’s really the key to detecting that mid game. So why else is, from a detection standpoint, why is protocol fluency important? I’ll give you three as a person that’s dedicated his life to data science and the analytics.

I’ll give you three reasons. One, it allows broader section coverage. If you look at if you look at the MITRE attack, it’s your, the level of tactics and techniques post compromise that you can actually gain visibility into significantly increases as you increase the number of protocols that you’re monitoring.

Two, it enables detections from a significantly higher fluency. So you’re able to reduce false positives and increase your signal to noise ratio. So if you think about when you’re building machine learning models for detection capabilities, Data is king and being able to build those features on a wide range of protocols and a wide variety of metadata and a wide variety of traffic data that increases the fidelity of your detectors.

So it’s important to really ask the question of how deep that protocol coverage is and how much you’re actually able to monitor both from a detection and the depth of investigation perspective.

Second thing that argue is really important from the visibility into the mid game is decryption. So we mentioned earlier 80 and 90% of network traffic is encrypted 70% of malware campaigns use encryption. If you’re using a tool to try to monitor the mid game that does not have decryption capabilities, it’s really when you’re trying to monitor encrypted traffic, there’s two approaches.

There’s one, one is to decrypt that traffic and look at the decrypted traffic. And the second is encrypted traffic analysis. By the way, we use both approaches. But the problem with encrypted traffic analysis, which is a valuable tool, but the problem with it is it’s it reminds me of what I do when I visit my in-laws or my are my wife’s family in India.

So my wife personal story. My wife’s family moves from India to the U S about 40 years ago. So I’m really blessed when I go to visit India, we Mumbai is where their family is. We don’t stay in hotels. We get to stay with the family. And they’re all from that area. So they speak Marathi was, which is the native dialect or native language from Marathi. And and obviously I don’t even know my wife does. So when we’re there, when we’re in their homes, sharing their homes, sharing, their food, having great family dinners and catching up they’re all speaking. Marathi that actually to me is similar to trying to analyze encrypted traffic without decryption, because I can, I’ve gotten good enough that I can catch things here and there , I know, enough words to be dangerous. I can tell based on body language, you know what they’re trying to say, but you know what. If my wife’s aunt, says something really mean about me, but smiles and nods, I’ll be like great. This is awesome. So it’s a very similar approach.

Just you can’t get the same level of fidelity, the same level of visibility without truly decrypting. And that’s why it’s really important to do both.

The last point about is what it takes to really defend the mid game is high fidelity, advance detection, analytics. A couple of key pieces here. One is I would ask questions. If I was looking at a solution to put in my environment, I would ask where is that analysis being done?

Actually I’d ask two things first. I’d ask what types of detection capabilities do you have? If it’s because there is a lot of different ways to do detection on network traffic. There’s obviously classic IDs looking for known indicators. There’s heuristics, there’s statistical analysis. There’s supervised machine learning.

There’s unsupervised machine learning. There’s deep learning. There’s IOC based detection. So there’s a lot. And by the way, there’s no. Just like at the end point, just like another it’s you, there is different solutions and different approaches for different types of attacks. So it’s really important. That there’s a wide variety of detection capabilities is the first thing I would ask.

And then when you’re thinking about your behavioral analytics, that machine learning and the supervised unsupervised, deep learning. I would look at a couple of things. One I would look at is it cloud-based is a cloud scale because a lot of, it’s fantastic to have it’s to have machine learning, learning, and behavioral analytics, in your data center, on the sensor, close to the network, it’s better than nothing.

But the problem with that is, is that the attack surface and attacks are constantly evolving. And if you have that machine learning in the cloud, Then you’re constantly able to evolve that machine and tune that machine learning to the constantly shifting attack surface two you’re also able to correlate attacks with other customers and other users.

At ExtraHop we have a data science platform that uses threat craft technology to basically correlate and look at attacks across our entire customer base. So thousands of customers we’re looking at we’re anonymously, looking at those attacks, quarterly correlating, those attacks, and constantly improving our machine learning models.

If you’re not doing, if you’re only using on-prem machine learning, then you’re not getting the advantage of that type of those type of analytics. This is a print nightmare attack. And this is shows the benefits of encrypted traffic visibility. So imagine a successful attack of print nightmare compromise. A compromise endpoint is able to connect through SMB to the vulnerable server and gain communication back by the way, almost any network. Any network tool that has visibility into east west lateral movement is able to detect that, both the client and the server are going to require a mediation.

So at that point, you’re just identifying work that needs to be done for the security team, because you’ve already been breached and the damage has already been done.

But here’s where it gets tricky. What about a failed attack? And what about a failed attack where you don’t have a wide set of visibility into into protocols? When that attack fails, You really get no visibility into the traffic flow and you’re not aware that the end point is compromise basically the attackers free to traverse the network to try to attack other servers, but if you have advanced protocol fluancy, With decryption, you’re able to actually identify that attack, whether it was successful or whether it failed. So you’re reducing and you’re able to stop that attack before actually becomes a breach. So your dwell time has reduced and you can initiate remediation before that server gets compromised and you can quarantine that end point to help accelerate your remediation or response. The two things I wanted to talk to you about at the beginning, one is this really important, not just to invest in prevention capabilities, but to post-compromised detection.

It’s the other half of the coin. And by the way, it is the underinvested in part of that coin. Two, I would say post-compromised, not all post-compromised detection at the network level is created equal. It’s really important to high of have high protocol fluency.

It’s really important to have decryption capability and it’s really important to have cloud scale detection and machine. Those are the keys to being able to thwart attacks, to reduce that time to dwell and to really take your defenses to the next level. Thank you very much.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top