Malicious Traffic: Understanding What Does and Doesn’t Belong on Your Network

Too often, when looking for malicious network traffic, you either search for a known threat actor or investigate anomalous traffic that doesn’t look normal. This reactive approach is time consuming and potentially over-reliant on searching for larger concerns. Fortunately, new solutions use advanced analytics to proactively identify, enrich, and alert to malicious traffic.

Why is this important? Detecting known threat actors is great when it works, but it is similar to signature-based antivirus, which is rigid and unable to detect unknown threats. Simply searching for known threats is only effective for widespread, generalized attacks; it is not effective for detecting unique, targeted attacks. There is also an indefinite amount of time before the malicious traffic signature, domain name, or IP makes it into the pattern updates and threat intel feeds from your vendors, meaning an attacker might gain access to your network before you are alerted.

Detecting anomalous traffic can address these weaknesses, but in practice, it depends heavily on how you define anomalous traffic and how quickly you can spot it.

Network engineers, with the help of network monitoring tools such as LogRhythm NDR, can perform generalized anomaly detection based on what you expect to see on a typical corporate network, but this will inevitably result in a lot of false negatives and, likely, some false positives.

However, with more knowledge about the particular organization you’re monitoring, you can greatly reduce both false negatives and false positives.

This requires taking in whatever organizational knowledge is available beyond the raw network data, such as:

  • Your organization’s industry
  • How users interact with and behave on your network
  • The technologies deployed
  • Network topology, including its segmentation and its north/south and east/west traffic flows

In this on-demand webinar, we explore how to analyze your network so that you can learn and understand its traffic patterns and get a handle on what qualifies as normal. You’ll then be able to take this information and look for anomalous traffic, build known-threat detections, and streamline your network detection and response (NDR) technologies and efforts.

Watch as LogRhythm’s Luis Rico takes a deep dive into a technical network analysis. He will also cover how LogRhythm NDR takes network detection a step beyond limited network traffic analytics. LogRhythm’s NDR employs advanced security analytics, search and visualization techniques, and automation for a wide variety of incident investigation and response tasks.