
Early Threat Detection and Automated Incident Response

By Lukas posted 6 days ago


Networks are undergoing fundamental changes fuelled by the accelerated adoption of BYOD, the Internet of Things, and cloud-first strategies. This new dynamic reduces the efficiency of traditional network monitoring stacks and brings security challenges for IT infrastructure as it adapts to the expanding boundaries of the traditional perimeter. Hand in hand with the benefits of greater agility and scalability, organizations now battle an expanding attack surface, coupled with increasingly sophisticated threats and a shortage of skilled security practitioners. These challenges intensify the pressure on organizations that want to defend their critical assets confidently.

Actionable Intelligence is Imperative

In overcoming these challenges, it turns out that since it is not possible to protect all the assets and prevent every breach, the traditional “prevent and protect” mindset must shift towards “detect and respond”. Simply put, it is time to accept that breaches will happen and businesses should be empowered with detection and response capabilities to be able to remediate immediately and prevent serious damage.

A member of Fortinet’s Open Fabric Ecosystem, Flowmon automates network traffic monitoring and analysis to enable IT and security teams to quickly learn about incidents and anomalies, and understand their context, impact, magnitude, and root cause.

Key Fortinet and Flowmon Integrations

Fortinet and Flowmon have jointly developed integrations that empower teams with actionable visibility across complex environments to dramatically reduce attackers' chances to evade detection and accomplish their goals.
Figure: Flowmon-Fortinet integrated security solution

Multilayered Security

The Flowmon-FortiGate joint solution covers both north-south and east-west traffic, including cloud and encrypted traffic, giving administrators time to detect and respond at every stage of an attack, from initial access to data exfiltration.

While FortiGate watches the perimeter and protects against external threats, Flowmon analyzes traffic inside the network to detect unknown and insider threats that originate from within. Once Flowmon detects a sign of a threat (e.g., reconnaissance or lateral movement by an attacker), it sends a message to FortiGate, which in turn blocks the communication at the perimeter.

Below we demonstrate how the mechanics of the joint solution play out in a realistic scenario.

Malware Detection and Automated Blocking Use Case

Say there is a malware-infected laptop in the network, and the initial intrusion happened while the laptop was connected from home during the corona crisis. There was no perimeter security to prevent this, and once the laptop is back in the corporate network, it starts communicating with the botnet command & control center to get instructions for further activity. As a result, the laptop starts scanning the network to identify potential victims to which it can spread the malware.

Before any infiltration attempt could succeed, Flowmon connected to FortiGate and instructed it to quarantine the infected laptop with IP address 10.0.0.2. Once the new rule is successfully applied, it is visible in the FortiGate Quarantine Monitor (see Fig. 2).

Fig. 2: Communication with blacklisted host detected

This action blocks the network activity at the perimeter (north-south), where the FortiGate firewall is located. Blocking the north-south traffic cuts off the communication with the botnet command & control center or the attacker's remote access channel and prevents data exfiltration or further downloads of malicious content. It prevents the most severe damage and gives security teams time to contain the threat.
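The workflow above boils down to two detections on flow data (contact with a blacklisted command & control address, and a low-volume sweep of many internal hosts) followed by an automated quarantine of the offending source. The script below is an added example of that logic and is not Flowmon's or Fortinet's code: the flow records, the blacklist entry (a TEST-NET-3 address), the thresholds and the "internal" prefix are all constructed, and the quarantine request it emits is a hypothetical placeholder document rather than the real FortiGate quarantine interface.

```python
"""Flag an infected internal host from flow records and decide on a quarantine.

Added example, not Flowmon's or Fortinet's code. Flow records, blacklist,
thresholds and the request format are constructed for illustration.
"""
from collections import defaultdict

# Constructed flow records in a simplified NetFlow-like shape:
# (src_ip, dst_ip, dst_port, bytes_sent)
SAMPLE_FLOWS = [
    # Ordinary traffic from a clean workstation
    ("10.0.0.5", "10.0.0.20", 443, 52000),
    ("10.0.0.5", "10.0.0.21", 53, 180),
    # The infected laptop from the use case beacons to a blacklisted C2 address
    ("10.0.0.2", "203.0.113.77", 443, 1200),
    ("10.0.0.2", "203.0.113.77", 443, 980),
]
# ...and then sweeps the subnet on SMB with tiny, short-lived connections
SAMPLE_FLOWS += [("10.0.0.2", f"10.0.0.{host}", 445, 60) for host in range(10, 30)]

C2_BLACKLIST = {"203.0.113.77"}   # constructed blacklist (TEST-NET-3 range)
SCAN_MIN_DISTINCT_HOSTS = 8       # distinct internal hosts probed with small flows
SCAN_MAX_BYTES = 200              # a probe carries almost no payload
INTERNAL_PREFIX = "10.0.0."       # constructed definition of "internal"


def analyze_flows(flows, blacklist=C2_BLACKLIST):
    """Return {src_ip: [findings]} for every source that contacted a
    blacklisted host or probed many internal hosts with low-volume flows."""
    c2_hits = defaultdict(int)     # src -> number of flows to blacklisted hosts
    probed = defaultdict(set)      # src -> set of (dst_ip, dst_port) probed
    for src, dst, port, nbytes in flows:
        if dst in blacklist:
            c2_hits[src] += 1
        if dst.startswith(INTERNAL_PREFIX) and nbytes <= SCAN_MAX_BYTES:
            probed[src].add((dst, port))

    findings = defaultdict(list)
    for src, count in c2_hits.items():
        findings[src].append({"type": "c2_communication", "flows": count})
    for src, targets in probed.items():
        hosts = {dst for dst, _ in targets}
        if len(hosts) >= SCAN_MIN_DISTINCT_HOSTS:
            findings[src].append({"type": "network_scan", "hosts": len(hosts)})
    return dict(findings)


def quarantine_targets(flows):
    """Sources that should be quarantined: any host with at least one finding."""
    return sorted(analyze_flows(flows))


def build_quarantine_request(src_ip, findings):
    """Hypothetical placeholder payload handed to the firewall integration.
    The real FortiGate interface is not reproduced here."""
    return {
        "action": "quarantine",
        "ip": src_ip,
        "reason": ", ".join(f["type"] for f in findings),
        "source": "flow-analysis",
    }


if __name__ == "__main__":
    results = analyze_flows(SAMPLE_FLOWS)
    for ip in quarantine_targets(SAMPLE_FLOWS):
        print(build_quarantine_request(ip, results[ip]))
```

On the constructed input only 10.0.0.2 is flagged: it produced two flows to the blacklisted address and probed twenty distinct internal hosts, while the clean workstation's single small DNS flow stays well under the scan threshold. In a real deployment the thresholds would be tuned against the network's baseline, and a quarantine decision for an internal address is precisely the kind of action worth routing through the SIEM for a record, since a false positive here cuts a user off.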

Detect. Respond. Optimize.

The goal of the partnership is to create a highly automated security system that helps admins protect their assets from both external and internal threats.

Together, the joint solution creates space for proper post-compromise forensics and, by extension, optimizes the organization's entire security posture. By combining Flowmon's built-in analytical workflow with automated logging of events in FortiSIEM, security analysts are alerted to genuine cases so they can investigate the root causes, report the incidents, and adjust their existing security measures.

You can download the Flowmon - FortiGate and Flowmon - FortiSIEM integration packages on the Flowmon Portal.

Learn more in this whitepaper or watch a dedicated technical webinar on this integration: https://www2.flowmon.com/fortigate-integration-video-yt
