Kentik - Network Observability

How Kentik Reduces the Likelihood of a Full-blown Cyberattack Before It Happens

Christoph Pfister, Chief Product Officer

Summary

Organizations are under constant attack, and it’s critical to reduce the time it takes to detect attacks to minimize their cost. This first article in our new security series dives deep into how Kentik helps customers before, during, and after a cyberattack.


This is part 1 of 3 in a blog series about how to fortify your security posture with Kentik. Also see part 2.

Kentik is crucial in strengthening the security posture for our customers before, during, and after a cyberattack. We do this by using deeply enriched network data from across your entire data center, cloud, and container footprint to prevent, detect, and respond to cyber threats.

  • Prevent: Kentik reduces the likelihood of a full-blown attack before it happens.
  • Detect: Kentik helps you reduce the blast radius by detecting attacks faster when they do occur.
  • Respond: Kentik uses real-time network data to kick off mitigation efforts and, when the dust settles, obtain a deep understanding of what happened so you can prevent future attacks.

In Part 1 of this series, we will look specifically at how Kentik reduces the likelihood of a full-blown attack before it happens.

Before we get into how, let’s look at why.

Here is some data that is scaring the pants off of CIOs right now.

With every organization under constant attack, it is critical to shrink the time it takes to detect attacks in order to minimize their cost. Within the context of this blog, an attack assumes not only that your network has been penetrated, but also that an attacker has been able to pivot and do something with their newfound foothold.

With that in mind, here is a summary of how Kentik helps prevent full-blown attacks in the first place.

Verify and enforce network policy

Many attacks can be prevented simply by verifying and enforcing the network policy that you already have in place. It’s one thing to say, “My Kubernetes clusters should not be communicating with external IP addresses,” or “unencrypted HTTP or FTP traffic should not appear in these specific network zones.” It is another thing to enforce these rules.

With Kentik, you can easily do just that. For example, you can use Kentik to detect and alert on unintended connections that might be a potential threat. Remember, it only takes 84 minutes on average for an attacker to pivot from a compromised host. That HTTP traffic in a sensitive area of your network might be a sloppy attacker you can shut down well before they can make an impact.

For example, one Kentik customer recently used our network observability platform to identify spoofed traffic coming from one of their customers before it became a problem. To do this, they simply set up filters to capture outbound internal network traffic with source addresses that did not match expected internal IP ranges. With this real-time monitoring and alerting in place, they were able to investigate potential threats long before the attacker could pivot.
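The three policies above (no Kubernetes egress to external addresses, no plaintext HTTP or FTP in a sensitive zone, no outbound traffic with a source address outside your own ranges) all reduce to a rule evaluated per flow record. The block below is an added example, not Kentik's code or the customer's filter: the address plan, the flow format and the sample flows are constructed for illustration, and the rule engine is deliberately generic so that any further "this should never appear here" statement can be added as one more function.

```python
"""Network-policy verification over flow records (added example, not Kentik's code).

Three rules of the kind described above, evaluated against constructed flow
records: no egress from Kubernetes pods to external addresses, no plaintext
HTTP/FTP touching a sensitive zone, and no outbound traffic whose source is
not one of our own address ranges (the spoofed-source check).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Assumed address plan; all of these prefixes are constructed for the example.
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
K8S_PODS = ip_network("10.42.0.0/16")        # pod CIDR of the cluster
SENSITIVE_ZONE = ip_network("10.10.0.0/16")  # e.g. the payments segment
PLAINTEXT_PORTS = {80: "HTTP", 21: "FTP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "out", "in" or "internal", as tagged by the exporter
    bytes: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


# Each rule returns a finding (string) or None when the flow is compliant.
def k8s_egress(f: Flow) -> Optional[str]:
    if ip_address(f.src) in K8S_PODS and not is_internal(f.dst):
        return f"pod {f.src} reached external {f.dst}:{f.dst_port}"
    return None


def plaintext_in_zone(f: Flow) -> Optional[str]:
    in_zone = ip_address(f.src) in SENSITIVE_ZONE or ip_address(f.dst) in SENSITIVE_ZONE
    if f.proto == "tcp" and f.dst_port in PLAINTEXT_PORTS and in_zone:
        return f"{PLAINTEXT_PORTS[f.dst_port]} inside sensitive zone: {f.src} -> {f.dst}"
    return None


def spoofed_source(f: Flow) -> Optional[str]:
    # Outbound traffic must carry one of our own source addresses.
    if f.direction == "out" and not is_internal(f.src):
        return f"outbound flow with non-internal source {f.src} -> {f.dst}"
    return None


RULES: List[Tuple[str, Callable[[Flow], Optional[str]]]] = [
    ("k8s_egress", k8s_egress),
    ("plaintext_in_zone", plaintext_in_zone),
    ("spoofed_source", spoofed_source),
]


def evaluate(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Return (rule name, finding) pairs for every flow that breaks a rule."""
    findings = []
    for f in flows:
        for name, rule in RULES:
            hit = rule(f)
            if hit:
                findings.append((name, hit))
    return findings


# Constructed sample flows: two compliant, three that each break one rule.
SAMPLE_FLOWS = [
    Flow("10.42.3.7", "10.0.5.20", 443, "tcp", "internal", 12000),
    Flow("10.42.3.7", "203.0.113.9", 443, "tcp", "out", 900),
    Flow("10.10.1.4", "10.10.1.9", 80, "tcp", "internal", 2000),
    Flow("198.51.100.77", "203.0.113.5", 53, "udp", "out", 120),
    Flow("10.0.1.1", "203.0.113.5", 443, "tcp", "out", 5000),
]

if __name__ == "__main__":
    for name, finding in evaluate(SAMPLE_FLOWS):
        print(f"[{name}] {finding}")
```

Run as-is, it reports the three non-compliant flows and stays silent on the two compliant ones. The direction tag matters for the spoofed-source rule: without it, a flow between two external addresses could just as well be transit, so the check relies on the exporter (or your collector) marking which interface the traffic left on.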


Traffic monitoring

What does normal network traffic look like? This is an incredibly important question to answer if you are to detect abnormalities. Kentik can continuously monitor your traffic, providing visibility into normal network behavior. This helps establish a baseline and detect any abnormal activities or patterns indicating a potential attack.

Integrated threat feeds

Once you know what normal looks like, Kentik can start to look for aberrations. One way we do this is by enriching flow records with data from threat intelligence feeds, identifying threats such as botnet command and control servers, malware distribution points, phishing websites, and spam sources.

One of Kentik’s airline customers was impressed that our threat feed picked up one of their internal tools scanning across their AWS VPCs, while none of their other monitoring tools alerted on the traffic pattern. In security, granularity really matters.

Network data enrichment

Speaking of granularity, Kentik goes beyond the basics of tracking IP, port, and protocol by providing deep multi-dimensional enrichment of network data like NetFlow and SNMP to detect threats faster. Kentik customers can even do enrichment based on their own data sources so that they have the most relevant context.

With Kentik, any type of metadata can be used to provide additional context to flows. Some examples include GeoIP, the service being communicated with, AS names, or cloud provider metadata. Enrichment sources can include any arbitrary log or event data, or endpoint and application-level telemetry.
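To make the two preceding sections concrete (threat-feed matching and multi-dimensional enrichment), here is an added example that is not Kentik's code or API. It enriches a bare 5-tuple-style flow with country, ASN, service name, customer-supplied cloud inventory and a threat-feed tag, then returns only the flows that touch a listed indicator. Every lookup table is a constructed stand-in: in production they would be loaded from a GeoIP database, a BGP/ASN dataset, your CMDB or cloud inventory, and one or more threat intelligence feeds.

```python
"""Flow enrichment with GeoIP, ASN, service, cloud metadata and a threat feed.

Added example, not Kentik's code or API. The lookup tables are constructed
stand-ins for the enrichment sources named in the post.
"""
from dataclasses import asdict, dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed prefix tables (documentation ranges, not real assignments).
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "NL",
    ip_network("198.51.100.0/24"): "US",
}
ASN_TABLE = {
    ip_network("203.0.113.0/24"): (64500, "EXAMPLE-ISP-A"),
    ip_network("198.51.100.0/25"): (64501, "EXAMPLE-HOSTER-B"),
    ip_network("198.51.100.0/24"): (64502, "EXAMPLE-TRANSIT-C"),
}
THREAT_FEED = {  # constructed indicator -> category, as a feed would tag it
    "203.0.113.66": "botnet-c2",
    "198.51.100.12": "malware-distribution",
}
SERVICE_BY_PORT = {443: "https", 80: "http", 53: "dns", 22: "ssh"}
CLOUD_INVENTORY = {  # constructed customer-supplied context for our own hosts
    "10.0.5.20": {"cloud": "aws", "vpc": "vpc-prod-app", "name": "api-gateway"},
}


def longest_prefix(table: Dict, ip: str):
    """Most specific matching prefix, the way GeoIP/ASN databases resolve it."""
    addr = ip_address(ip)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    return table[max(matches, key=lambda n: n.prefixlen)]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes: int


def enrich(f: Flow) -> Dict:
    """Attach country, ASN, service, cloud and threat context to both endpoints."""
    rec = asdict(f)
    rec["service"] = SERVICE_BY_PORT.get(f.dst_port, f"tcp/{f.dst_port}")
    for side in ("src", "dst"):
        ip = getattr(f, side)
        rec[f"{side}_country"] = longest_prefix(GEO_TABLE, ip)
        asn = longest_prefix(ASN_TABLE, ip)
        rec[f"{side}_asn"], rec[f"{side}_as_name"] = asn if asn else (None, None)
        rec[f"{side}_cloud"] = CLOUD_INVENTORY.get(ip)
        rec[f"{side}_threat"] = THREAT_FEED.get(ip)
    return rec


def threat_hits(flows: List[Flow]) -> List[Dict]:
    """Enriched flows where either endpoint matches the threat feed."""
    out = []
    for f in flows:
        rec = enrich(f)
        if rec["src_threat"] or rec["dst_threat"]:
            out.append(rec)
    return out


SAMPLE_FLOWS = [  # constructed
    Flow("10.0.5.20", "203.0.113.66", 443, 4096),   # our gateway talking to a listed C2
    Flow("10.0.5.21", "198.51.100.40", 443, 2048),  # ordinary egress
    Flow("198.51.100.12", "10.0.5.20", 80, 512),    # inbound from a listed malware host
]

if __name__ == "__main__":
    for rec in threat_hits(SAMPLE_FLOWS):
        tag = rec["src_threat"] or rec["dst_threat"]
        print(f'{rec["src"]} -> {rec["dst"]} {rec["service"]} '
              f'{rec["dst_country"]} {rec["dst_as_name"]} threat={tag}')
```

Two details worth noticing: the ASN lookup uses the longest matching prefix, so a hosting provider's /25 wins over the transit provider's covering /24, and the customer inventory is applied to both endpoints, which is what turns "10.0.5.20 spoke to a C2" into "the api-gateway in vpc-prod-app spoke to a C2".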

“In a DDoS attack you want to look at traffic volumes, but with Kentik we also can look at source IPs, AS numbers, and other metrics to see if it’s a distributed attack. This is so easy to do in Kentik.”

Jurriën Rasing, Group Product Manager for Platform Engineering
Booking.com

Anomaly detection

With a baseline established using multi-dimensional sources, Kentik can identify anomalous behavior or deviations from normal network patterns, such as traffic to/from banned or embargoed countries or domains. This enables faster detection of potential security threats before they can escalate into full-blown attacks.
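The "traffic monitoring" and "anomaly detection" sections above describe one mechanism: learn what normal volume looks like per dimension, then flag the current period when it deviates. The block below is an added example, not Kentik's detection logic: it keys traffic by (destination country, service), builds a mean/standard-deviation baseline from a constructed six-hour history, compares the current hour against mean + k·σ, and additionally flags keys with no history at all (a brand-new destination) and anything toward an embargoed country. The country code "ZZ" is a placeholder for a real embargo list.

```python
"""Baseline and deviation check over per-hour traffic volumes.

Added example, not Kentik's code. Traffic is keyed by (destination country,
service); history and current-hour values are constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (dst_country, service)

EMBARGOED_COUNTRIES = {"ZZ"}  # constructed placeholder for the real list

HISTORY: Dict[Key, List[int]] = {   # constructed: bytes per hour, last six hours
    ("NL", "https"): [1000, 1100, 950, 1050, 1000, 900],
    ("US", "dns"):   [100, 120, 90, 110, 100, 80],
}
CURRENT: Dict[Key, int] = {         # constructed: this hour
    ("NL", "https"): 1150,
    ("US", "dns"): 900,
    ("ZZ", "https"): 500,
}


def baseline(history: Dict[Key, List[int]]) -> Dict[Key, Tuple[float, float]]:
    """Per-key (mean, std). A perfectly flat history gets a small floor on std
    so that a single byte above the mean does not trigger an alert."""
    out = {}
    for key, samples in history.items():
        mu = mean(samples)
        sigma = pstdev(samples) or max(mu * 0.1, 1.0)
        out[key] = (mu, sigma)
    return out


def detect(history: Dict[Key, List[int]], current: Dict[Key, int],
           k: float = 3.0) -> Dict[Key, List[str]]:
    """Return, per key, the reasons it deserves a look this hour."""
    base = baseline(history)
    findings: Dict[Key, List[str]] = {}
    for key, volume in current.items():
        reasons = []
        if key[0] in EMBARGOED_COUNTRIES:
            reasons.append("embargoed")
        if key not in base:
            reasons.append("no_baseline")
        else:
            mu, sigma = base[key]
            if volume > mu + k * sigma:
                reasons.append("volume")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in detect(HISTORY, CURRENT).items():
        print(key, CURRENT[key], "bytes:", ", ".join(reasons))
```

With these numbers the NL/https key stays quiet (1150 bytes is within three standard deviations of its ~1000-byte mean), US/dns is flagged on volume (900 against a baseline near 100), and ZZ/https is flagged twice, once for the embargo and once because there is no history for it. In practice the same loop runs over many more dimensions (source ASN, VPC, service, site), which is exactly where the enrichment from the previous section pays off.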

Proactive threat hunting

Kentik’s advanced network analytics capabilities allow security teams to perform proactive threat hunting. They can search for indicators of compromise (IOCs), analyze historical data, and identify potential vulnerabilities or weak points in the network infrastructure. This helps in fortifying the security posture and addressing vulnerabilities proactively.

For example, let’s say your DevOps team has completed a CI/CD project that no longer requires engineers to SSH into individual machines to conduct deployments. If you still see SSH connections on port 22 to those machines, it is worth investigating.

With rich sources of context in the form of enriched network data at their fingertips, network and security teams can use Kentik to pinpoint vulnerabilities when they suspect they might be under attack.

Conclusion

This blog could have been titled “An ounce of prevention is worth a pound of cure.” If the average breach takes nine months to detect and costs nearly $5 million, it is worth asking, “Is my organization doing enough to prevent breaches in the first place?”

This blog post has explored six concrete ways that Kentik helps mitigate attacks in the first place. Our network observability platform is a powerful tool in the hands of security-minded network administrators and security teams to pinpoint vulnerabilities when they suspect they might be under attack. But what if an attack does occur? Kentik can still help, and that is what we will explore in our next blog, including how Kentik can help identify the attack source so teams can respond more effectively.
