Smart PCAP optimizes threat hunting and triage efforts
Full data privacy compliance with on-premises storage for packet capture, metadata, and alerts
Significant cost savings through hardware-agnostic go-to-market strategy
Seamless integration with existing SIEM and SOAR environments
Easy identification and tracking of major network incidents

Challenge

Create more contextual visibility to detect cyber threats without flooding the system with false positives that slow down performance.

Details

Requirement for deeper and more contextual cyber threat visibility

This organization employs more than 100,000 people, producing and selling a wide range of consumer goods. Although it has a mature security operations center (SOC), its security team felt it needed more contextual visibility to make sure no crucial cyber threat information was missed. The team’s security architect explains further: “We are committed to our Zero Trust journey with real-time network monitoring and controls to identify and stop malicious activity. We have a sophisticated security information and event management (SIEM) solution but were essentially still relying on traditional network security to detect cyber threats. To address a flat network design, lack of access controls, and possibly over-permissive firewall rules, we felt we needed an advanced network detection and response solution to gain the visibility we were lacking.”

Having evaluated two potential solutions in this space, the organization found that the requirements it initially thought were needed changed as the team learned more about different capabilities. For instance, packet capture (PCAP) is essential to analyze the network’s raw packet data. In a large environment such as this, with millions of network flows every day, the team is at risk of being flooded with many false positives. Network Detection & Response (NDR) combines detection, forensic analysis, and proactive threat hunting to provide enterprise security teams with full visibility. Unlike the other solutions, it includes smart PCAP to provide flow detail to expedite alert triage. When unusual network activity is detected, such as significant communications with an unknown server or conviction of a potentially malicious file, a smart PCAP creation is triggered. This simultaneously and intelligently begins to target the packets in the stream of known interest. This enables SOCs to search the right packets immediately after receiving an alert, optimizing their threat hunting and triage efforts.

We started to measure the number of major incidents that were identified and confirmed within our network. In the last 12 months since we installed the NDR solution, we identified over 200 of these issues that have been assigned priority levels and are currently in active assessment by our cyber threat response team.

Security Architect
Major Consumer Goods Corporation

Successful POC and advantageous pricing model

“After learning what PCAP could do for us, it became a key requirement that was easily met by NDR,” says the security architect. “We also particularly appreciated that the OpenText solution is designed with federal government clients in mind, where security is paramount and the solution often has to operate in an air-gapped environment, with no direct connection to external networks. Due to the sensitive nature of data traversing our network, we require on-premises storage for packet capture and metadata. In a global operation such as ours, this prevents compliance issues related to PII and our own proprietary data.”

A proof-of-concept (POC) enabled the organization to explore NDR further and discover how best to leverage the different components within a global environment. The OpenText Cybersecurity experts worked closely with the security team, configuring the NDR solution within their architecture and, through regular calls, explaining the key features around the available analytics and metadata. The POC experience gave the team a better understanding of the scalability of NDR, which was an important requirement for this organization, as the deployment spans multiple geographical locations. The cost of ownership for NDR is typically lower than for alternative solutions, as clients can purchase and use their own hardware rather than paying a premium for hardware included within the network detection and response solution. Most large organizations have volume discount deals with their existing hardware vendors that can easily be leveraged with an NDR deployment.

Following the successful POC, the decision to go with the NDR solution was straightforward, according to the security architect: “We received excellent support and engagement from OpenText during the POC. Their simple pricing model meant that we didn’t need to procure dedicated appliances to utilize NDR, and instead could easily deploy it on standard bare metal servers, hypervisor-hosted virtual machines, and in the cloud. We tailored the NDR solution to our specific requirements, leveraging custom signatures, use-cases, and advanced data tuning policies. From day one, this gave us the ability to scan, alert, and create rich metadata on tens of gigabytes of traffic without significant performance issues."

NDR gave us the increased network visibility that we needed, while never compromising our data security. Combined with a hardware-agnostic go-to-market strategy and a very advantageous pricing model, we are delighted with our choice. We estimate that our partnership with OpenText will ultimately save us many hundreds of thousands of dollars.

Security Architect
Major Consumer Goods Corporation

Effective integration capabilities and substantial cost savings

One of NDR’s strengths is its ability to seamlessly integrate with existing environments. Within this organization, it is integrated with the existing SIEM and security orchestration, automation, and response (SOAR) infrastructure. The SIEM integration relies on raw JSON log exports of all alerts generated by the system. The integration of the NDR solution with the company’s SOAR is based on specific alert aggregation queries and dedicated API calls to provide SOC analysts with a holistic view of any issue, including alert data for all signatures violated by a specific host. This delivers downstream visibility to easily optimize response workflows.

The increased visibility soon began to deliver results. “We started to measure the number of major incidents that were identified and confirmed within our network,” comments the security architect. “This could range from unencrypted traffic to unauthorized applications that were downloaded. In the last 12 months since we installed the NDR solution, we identified over 200 of these issues that have been assigned priority levels and are currently in active assessment by our cyber threat response team.”

He concludes: “NDR gave us the increased network visibility that we needed, while never compromising our data security. Combined with a hardware-agnostic go-to-market strategy and a very advantageous pricing model, we are delighted with our choice. We estimate that our partnership with OpenText will ultimately save us many hundreds of thousands of dollars.”