Netography Uses Labels and Tags to Provide Security Context

Netography today added support for context labels and tagging to a software-as-a-service (SaaS) platform that provides deep packet inspection capabilities to identify cybersecurity threats in near-real-time.

Netography CEO Martin Roesch said labels and tags will make it easier for cybersecurity teams to use flow logs to visualize and analyze network traffic by application, location, compliance groups or any other schema.

The Netography Fusion platform replaces deep packet inspection appliances with a cloud service that collects flow logs from any type of network to detect cybersecurity threats in near-real-time. The addition of labels and tags will make it easier to identify what types of applications or specific end users are being impacted by those threats using the Netograpy Query Language (NQL), said Roesch.

It then becomes simpler to determine whether a threat is, for example, targeted specifically to end users that all work in the accounting department and then apply the appropriate policies to thwart it, he added.

The Netography Fusion platform also provides visualization and graphing interfaces to enable security teams to identify the blast radius of an attack, said Roesch. That’s critical given the volume of data that cybersecurity teams are being required to analyze to identify threats, he noted.

Finally, that capability can also enable IT teams to streamline audit processes because proof of segmentation can easily be surfaced, added Roesch.

Netography has been making a case for an “atomized” network that enables IT teams to manage and secure networks that span multiple on-premises and cloud computing environments whether they are accessed from the office or home. Traditional appliances are no longer able to see every packet moving across multiple networks. Endpoint detection and response (EDR) platforms can also have blind spots given the number of networks involved. The Netography approach operates at a level low enough to apply metadata to identify anomalies in near-real-time, said Roesch.

Most cybersecurity teams today are inundated with cybersecurity alerts that generally lack context. As a result, attacks may be ignored simply because cybersecurity teams are unable to easily identify the root cause of the storm of alerts. Before too long, many of the alerts generated are simply ignored until it becomes apparent that a cyberattack is either underway or, more likely, has already occurred.

In general, the most reliable source of anomalous activity on a network are flow logs. The challenge has been finding a way to capture and analyze that data fast enough to enable cybersecurity teams to effectively respond to threats in real-time.

It’s not clear how focused cybersecurity teams are on flow logs, but as more responsibility for security operations shifts to the networking team, it won’t be long before a discussion about the most reliable source of intrusion data begins. Networking professionals have always viewed packets and logs as being the ultimate source of truth in terms of identifying application behavior. That approach is now being extended to also address security issues, and it might prove much simpler to apply and, ultimately, maintain.

Featured eBook
The State of Cloud Native Security 2020

The State of Cloud Native Security 2020

The first annual State of Cloud Native Security report examines the practices, tools and technologies innovative companies are using to manage cloud environments and drive cloud native development. Based on a survey of 3,000 cloud architecture, InfoSec and DevOps professionals across five countries, the report surfaces insights from a proprietary set of well-analyzed data. Sponsorships … Read More