Combating Ransomware and APTs with MistNet NDR


“Greetings! Your company network has been hacked. All of your important files have been encrypted!”

Last year NPR revealed that over 65,000 companies received a ransomware note like this, averaging seven attacks per hour. Unfortunately, things appear to be getting worse in 2021.

The New York Times recently reported that between 800 and 1,500 businesses around the world were compromised or affected by a cyberattack in a single day. Security experts said it could be the largest ransomware attack in history, with hackers shutting down systems until a ransom is paid:

“This is the worst ransomware incident to date, but if we don’t take action, the worst is yet to come,” said Kyle Hanslovan, the Chief Executive of Huntress Labs.

The rise in ransomware is being fueled by its industrialization. Ransomware is being offered as a service by criminal organizations such as REvil, with know-how provided by YouTube tutorials and gang customer support. “Any doofus can be a cybercriminal now,” said Sergei A. Pavlovich, a former hacker who served 10 years in prison in his native Belarus for cybercrimes, in the New York Times. “The intellectual barrier to entry has gotten extremely low.”

NDR to the Rescue

Network detection and response (NDR) offers a proactive way for companies to detect ransomware attacks in real time, before they receive the ransom note. Network telemetry gives SecOps teams the best vantage point for following attackers, because it is difficult for actors to cover their tracks on the network with anti-forensics, and they often overlook the need to do so. Unfortunately, traditional NDR solutions have practical drawbacks: they require costly bandwidth to collect the high volumes of data needed for detections, and they create a flood of false positives because they lack context for the indicators of compromise they detect.

MistNet NDR Advantages

MistNet NDR by LogRhythm was designed to provide accurate and real-time detection of ransomware, lateral movement, exfiltration, malware compromise, and other threats. While other NDR solutions rely solely on machine learning applied to single streams of data to detect network security issues, LogRhythm uses hybrid analytics that combine machine learning, rules-based detection, and threat intelligence to analyze network, user, and host activity. This holistic approach provides a true representation of all actors and their activity within the enterprise domain and reduces false positives by over 90 percent.

In addition to automated threat detection capabilities, the built-in MITRE ATT&CK engine of MistNet NDR provides smart hunting of tactics, techniques, and threat groups across multiple attack vectors. Analysts are provided an easy-to-understand security “narrative,” detailing in real time known ATT&CK tactics, techniques, and threat group signatures. The platform includes detailed descriptions, recommended remediation tips, and reporting tools.

The powerful threat detection and hunting capabilities of MistNet NDR are powered by patent-pending TensorMist-AI™ technology, which uses distributed computing to scale data collection and analytics. This approach avoids traditional NDR scale issues by co-locating analytic processing alongside collection engines in the form of a distributed mesh for big data processing. This provides the ability to collect and enrich security data “on location,” generating exceptionally accurate behavioral models and threat models without having to move any of the data. LogRhythm’s SaaS delivery, combined with this mesh-network analytics processing, creates the ideal SaaS and data collection model that optimizes scale and lowers operating cost.

New EDR and Firewall Integrations for Broader Visibility

Recently LogRhythm added new integrations that strengthen its best-in-class NDR solution and lay the foundation for a broader extended detection and response (XDR) solution.

Our team expanded MistNet NDR capabilities to include integrations with existing endpoint detection and response (EDR) solutions, including CrowdStrike, Carbon Black, and SentinelOne. Beyond EDR, MistNet NDR also integrates with market-leading firewalls for log collection. Analysts can configure these third-party solutions from the MistNet console in a plug-and-play fashion. These new integrations extend NDR visibility and provide added contextual information to detect threats holistically across endpoints, data centers, and the cloud.

MistNet NDR also provides SmartResponse™ automation actions for market-leading firewalls. Analysts can run firewall actions from the console to respond to incidents. This mitigates advanced persistent threats and malware-infected hosts by preventing network access and shutting down unauthorized services or processes.

Security Versatility for any Use Case

In addition to combating ransomware and APTs, MistNet NDR helps customers address new security use cases for supply chains, public cloud, and IoT/OT. This SaaS-based NDR solution works with existing EDR and firewall solutions to add network visibility and provide threat detection holistically across endpoints, data centers, and the cloud. In combination with the LogRhythm NextGen SIEM Platform, it empowers enterprises to manage their security and compliance needs easily and with the highest return on investment.

To learn more about MistNet NDR, check out this demo video or download the data sheet.
