Threat Detection and Response in Azure Environments
2021-09-22 | 4 min read
For years now, Network Detection and Response (NDR) has been in use in on-premises enterprise environments, and many consider NDR the gold standard for detecting anomalies and security threats. NDR uses network packets (sometimes called wire data) as its essential data source: a packet capture is a full-fidelity record of what actually crossed the wire, including headers and payloads, whereas flow records, logs, polling, and APIs each give only a summary of that traffic.
In recent years, many enterprises have begun to move some (or all) of their applications to the cloud. When doing so, they have encountered gaps in their ability to gather wire data for analysis by NDR (more on this in a minute). Many vendors of cloud security analytics have focused on metadata-based solutions (flow logs, control-plane and audit logs, API telemetry), partly because metadata is easier to collect than wire data in the cloud. Consequently, organizations that had come to depend on the detail offered by analyzing packets have found that the detections they relied on in the past, the ones that need payload and protocol-level visibility, are no longer available to them in the cloud.
The cloud providers have begun to respond to this concern, with some offering packet mirroring as part of their service (AWS VPC Traffic Mirroring and Google Cloud Packet Mirroring, for example). However, these offerings have caveats and vary significantly in completeness and features compared with the packet collection techniques used by on-premises enterprises: each is tied to the provider's own network constructs, supports only certain instance types or network configurations, and adds its own cost and bandwidth consumption on the mirrored workload. Microsoft Azure, at the time of writing (September 2021), offers no packet mirroring service. Several years ago, Azure did have a public preview of a virtual tapping service (Virtual Network TAP), but it was discontinued, and Microsoft has not yet announced plans for an alternative.
Fortunately, enterprises moving applications to Azure have an alternative way to collect wire data and deliver it to NDR for analysis. Keysight CloudLens offers a complete packet collection service, which can deliver copies of packets from Azure environments to cloud-based NDR analysis tools (e.g. Vectra Cognito). CloudLens includes the features on-premises enterprises have come to depend on, such as packet replication (one copy of the traffic to several tools), aggregation (many sources into one feed), and filtering (only the traffic a tool needs), ensuring NDR tools get all the data they need without consuming capture, egress, or sensor resources where they are not required. Furthermore, CloudLens works independently of the cloud provider's network configuration, because the packets are collected at the workload rather than by the provider's network fabric; as such, it is shielded from network service changes implemented by the cloud provider, and it works in Azure even though Azure has no virtual tapping service in the network. The practical trade-off of workload-side collection is that capture consumes some CPU and outbound bandwidth on the monitored instance and sees only the traffic that reaches that instance's interfaces, which is exactly why filtering and aggregation matter. As an added benefit, CloudLens also works consistently in a multi-cloud environment (e.g. Azure/AWS/GCP).
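To make the replication/aggregation/filtering functions concrete, the following is an added, self-contained toy of what a packet broker does between a capture point and its consumers. It is written for this page and is not CloudLens or Vectra code; the frames, addresses and tool names are constructed, and the checksums in the built frames are left at zero. The broker parses each Ethernet/IPv4 frame, hands matching copies to every tool whose filter accepts it (replication), and keeps per-tool counts (aggregation), while an exclusion rule keeps bulk SMB traffic off the NDR feed (filtering).

```python
"""Toy packet broker: parse, filter, replicate, aggregate.

Constructed example for illustration only; not the code of any product.
"""
import struct
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    raw: bytes


def _ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(frame: bytes) -> Optional[Packet]:
    """Parse an Ethernet II frame carrying IPv4; return None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # e.g. ARP or IPv6: this toy only brokers IPv4
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes (options included)
    proto = ip[9]
    src, dst = _ip_to_str(ip[12:16]), _ip_to_str(ip[16:20])
    l4 = ip[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    else:
        sport = dport = 0
    return Packet(src, dst, proto, sport, dport, frame)


@dataclass
class Tool:
    """A consumer of mirrored packets (an NDR sensor, say) with its own filter."""
    name: str
    accept: Callable[[Packet], bool]
    received: List[Packet] = field(default_factory=list)


def broker(frames: Iterable[bytes], tools: List[Tool]) -> Counter:
    """Replicate each parsable frame to every tool whose filter accepts it."""
    stats: Counter = Counter()
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            stats["dropped_unparsed"] += 1
            continue
        stats["seen"] += 1
        for tool in tools:
            if tool.accept(pkt):
                tool.received.append(pkt)  # one packet, several destinations
                stats[tool.name] += 1
    return stats


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int,
                payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (checksums zeroed)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload  # 20-byte TCP header
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + l4


def demo() -> Tuple[Counter, List[Tool]]:
    """Run the broker over constructed traffic and return the counts and tools."""
    frames = [
        build_frame("10.0.1.4", "10.0.2.7", PROTO_TCP, 51000, 443),          # TLS
        build_frame("10.0.1.4", "168.63.129.16", PROTO_UDP, 53344, 53),      # DNS
        build_frame("10.0.1.4", "10.0.3.9", PROTO_TCP, 51001, 445, b"x" * 64),  # bulk SMB
        b"\xff" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,            # ARP, not brokered
    ]
    tools = [
        # NDR sensor gets everything except high-volume SMB, to save sensor capacity.
        Tool("ndr", lambda p: not (p.proto == PROTO_TCP and 445 in (p.sport, p.dport))),
        # DNS analytics tool gets only DNS.
        Tool("dns", lambda p: p.proto == PROTO_UDP and 53 in (p.sport, p.dport)),
    ]
    return broker(frames, tools), tools


if __name__ == "__main__":
    stats, tools = demo()
    print(dict(stats))
```

The filters here are Python callables; a real broker compiles the equivalent BPF-style expression and applies it in the capture path so that excluded traffic is never copied off the host in the first place, which is where the CPU and egress savings come from.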
Customers of NDR tools value CloudLens because it gives them the data they need to continue the rich and detailed anomaly detection and threat detection that only packets make possible.
“The Vectra Cognito Platform is an AI-driven threat detection and response solution that can leverage the raw packet data that Keysight CloudLens provides to alert and stop ransomware and nation-state attacks,” says Sachin Saranathan, Head of Technology Alliances and Ecosystems at Vectra. “Together with Keysight, we accelerate security investigations with high fidelity and security-enriched data, helping SOC teams to resolve security incidents rapidly and comprehensively, with zero compromises.”