Anomalies and Events: To detect when anomalous and potentially suspicious activity is occurring, NIST recommends building a baseline of network operations and expected data flows for users and systems. Edgewise automatically discovers, maps, and analyzes all communicating applications and services, and the communication pathways between them, on your networks in real time, then applies machine learning to establish a baseline of statistically normal versus abnormal behavior. Doing so helps organizations understand:
- What connections are possible within the network versus what is required by the business (in other words, the level of overexposure presented by the network);
- When communications that fall outside of the established baselines occur.
This assessment also provides the necessary information to establish when a security event may be happening, such as port scanning, lateral movement, or data exfiltration. Unlike traditional IDS or network security tools, which may provide only basic IP address information that requires further investigation to decipher, Edgewise identifies the exact resources involved in any anomalous activity, including the host(s) and application(s) involved in the incident.
While anomalous behavior might not necessarily indicate a security event, when suspicious activity is detected Edgewise alerts administrators and provides the capability to immediately block access or quarantine a system in one click, thereby lowering the possibility of malware propagation or unauthorized access to applications or services.
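The baselining idea described above, reduced to its essentials, as an added example (this is not Edgewise code and does not model their machine learning): flows are learned during a quiet period as (source host, source application, destination host, destination port) tuples, later flows outside that set are reported as deviations, a simple threshold heuristic flags possible port scanning, and the difference between what is reachable and what the baseline shows the business actually uses quantifies overexposure. All flow records and the reachable set are constructed sample data.

```python
"""Baseline-and-deviation detection over application-level flow records.

Added example, not Edgewise's own code. Flow tuples are constructed samples;
the port-scan threshold is an assumed value, not a vendor setting.
"""
from collections import defaultdict

# Constructed learning-period flows: (src_host, src_app, dst_host, dst_port)
BASELINE_FLOWS = [
    ("web-01", "nginx", "app-01", 8080),
    ("web-01", "nginx", "app-02", 8080),
    ("app-01", "java", "db-01", 5432),
    ("app-02", "java", "db-01", 5432),
    ("app-01", "java", "cache-01", 6379),
]

# Constructed flows observed after the baseline was established
NEW_FLOWS = [
    ("web-01", "nginx", "app-01", 8080),   # within baseline
    ("app-01", "java", "db-01", 5432),     # within baseline
    ("app-01", "curl", "db-01", 5432),     # new application reaching the database
    ("web-01", "nginx", "db-01", 5432),    # web tier reaching the database directly
    ("app-02", "python", "db-01", 22),     # the next six look like a port sweep
    ("app-02", "python", "db-01", 23),
    ("app-02", "python", "db-01", 80),
    ("app-02", "python", "db-01", 443),
    ("app-02", "python", "db-01", 3306),
    ("app-02", "python", "db-01", 8080),
]

# Constructed: (dst_host, dst_port) pairs an allow-any network policy would permit
REACHABLE = {
    ("app-01", 8080), ("app-02", 8080), ("db-01", 5432),
    ("cache-01", 6379), ("db-01", 22), ("db-01", 3306),
}


def build_baseline(flows):
    """The baseline is simply the set of flow tuples seen during learning."""
    return set(flows)


def find_deviations(baseline, flows):
    """Flows absent from the baseline, deduplicated, in first-seen order.

    Each deviation names the host and application involved, which is what an
    analyst needs to triage it; a bare IP address would not be enough.
    """
    seen = set()
    deviations = []
    for flow in flows:
        if flow not in baseline and flow not in seen:
            seen.add(flow)
            deviations.append(flow)
    return deviations


def detect_port_scans(flows, threshold=5):
    """Heuristic: one (src_host, src_app) touching >= threshold distinct ports on
    the same destination host is reported as (src_host, src_app, dst_host, n)."""
    ports = defaultdict(set)
    for src_host, src_app, dst_host, dst_port in flows:
        ports[(src_host, src_app, dst_host)].add(dst_port)
    return sorted(
        (src_host, src_app, dst_host, len(p))
        for (src_host, src_app, dst_host), p in ports.items()
        if len(p) >= threshold
    )


def overexposure(baseline, reachable):
    """Reachable services the baseline never shows in use: candidate exposure."""
    used = {(dst_host, dst_port) for _, _, dst_host, dst_port in baseline}
    return sorted(reachable - used)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for flow in find_deviations(baseline, NEW_FLOWS):
        print("outside baseline:", flow)
    for hit in detect_port_scans(NEW_FLOWS):
        print("possible port scan:", hit)
    for svc in overexposure(baseline, REACHABLE):
        print("reachable but unused:", svc)
```

A real deployment would age the baseline and weight by frequency rather than treat it as a fixed set, but even this form shows why application identity matters: the same destination port reached by `curl` instead of the usual `java` process is visible only if the source application is part of the flow key.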
As a kernel-level agent, Edgewise collects and processes data from the entire network in which it is installed. This system-wide view provides unprecedented visibility into what’s happening on the network at any point in time, which means that when unauthorized access is requested, when malware attempts to communicate, or if other unusual activity is detected, it is instantly highlighted. To detect when malware is communicating on the network, Edgewise uses identity fingerprinting and symmetric identity verification.
Additionally, Edgewise checks all customers’ communicating applications and services against more than 40 industry-leading virus scanners to detect the presence of known malware. If known malware is found in any applications or services, Edgewise alerts the user and ensures that communication policies are not built, preventing unapproved software from communicating.
Security Continuous Monitoring: Edgewise monitors every network communication attempt to detect potentially harmful cybersecurity activity, whether that means looking for malware or an application that is trying to connect to a host to which it has never connected before. As a zero trust platform, all applications and services are verified by their identity fingerprint before they are allowed to send or receive communication, which means that Edgewise is able to automatically identify malicious code, attempted unauthorized access, and even new software deployed into the environment in real time — because unapproved applications and services trigger an alert. Using machine learning to understand normal communications patterns, Edgewise constantly evolves its algorithms that help detect (and ultimately prevent) cybersecurity events which occur as a result of an intrusion.
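The identity-fingerprint and known-malware checks described in the last three paragraphs, as an added example that is not Edgewise code: each program is identified by a SHA-256 fingerprint of its executable bytes rather than by IP address, a policy names which client fingerprint may reach which server fingerprint on which port, each endpoint independently verifies the peer's fingerprint (an assumed reading of "symmetric identity verification"), a fingerprint matching a scanner hit is blocked and can never be written into a policy, and a fingerprint seen for the first time raises an alert as newly deployed software. The executables, the malware set and the policy are all constructed.

```python
"""Fingerprint-based zero-trust connection check.

Added example, not Edgewise's own code. The "executables" are constructed
byte strings; KNOWN_MALWARE stands in for the result of a scanner lookup.
"""
import hashlib


def fingerprint(executable_bytes: bytes) -> str:
    """Identity of a program is a hash of what actually runs, not its name."""
    return hashlib.sha256(executable_bytes).hexdigest()


# Constructed stand-ins for binaries on disk
NGINX_BIN = b"ELF\x02\x01nginx-1.18-constructed"
JAVA_BIN = b"ELF\x02\x01openjdk-11-constructed"
DROPPER_BIN = b"ELF\x02\x01constructed-dropper"
NEWTOOL_BIN = b"ELF\x02\x01constructed-never-seen-before"

FP_NGINX = fingerprint(NGINX_BIN)
FP_JAVA = fingerprint(JAVA_BIN)
FP_DROPPER = fingerprint(DROPPER_BIN)

# Constructed: fingerprints a scanner flagged as known malware
KNOWN_MALWARE = {FP_DROPPER}


def add_policy(policy, client_fp, server_fp, port):
    """Build an allow rule; refuse if either party is known malware."""
    if client_fp in KNOWN_MALWARE or server_fp in KNOWN_MALWARE:
        raise ValueError("refusing to build a policy for known malware")
    policy.add((client_fp, server_fp, port))


def endpoint_permits(policy, local_fp, peer_fp, port, outbound):
    """One endpoint's own decision about the connection.

    The client-side agent checks (local, peer); the server-side agent checks
    (peer, local). Both must agree, so neither side trusts the other's claim.
    """
    rule = (local_fp, peer_fp, port) if outbound else (peer_fp, local_fp, port)
    return rule in policy


def connection_verdict(policy, client_bytes, server_bytes, port):
    """Return (verdict, reason): 'allow', 'block' or 'alert'."""
    client_fp = fingerprint(client_bytes)
    server_fp = fingerprint(server_bytes)
    known = {fp for rule in policy for fp in rule[:2]}
    for fp, role in ((client_fp, "client"), (server_fp, "server")):
        if fp in KNOWN_MALWARE:
            return ("block", f"{role} matches known malware")
        if fp not in known:
            # New software nobody wrote a policy for: surface it, do not allow it
            return ("alert", f"{role} is an unknown application")
    client_ok = endpoint_permits(policy, client_fp, server_fp, port, outbound=True)
    server_ok = endpoint_permits(policy, server_fp, client_fp, port, outbound=False)
    if client_ok and server_ok:
        return ("allow", "both endpoints verified the peer identity")
    return ("block", "no policy for this client/server/port")


def build_sample_policy():
    policy = set()
    add_policy(policy, FP_NGINX, FP_JAVA, 8080)
    return policy


if __name__ == "__main__":
    policy = build_sample_policy()
    print(connection_verdict(policy, NGINX_BIN, JAVA_BIN, 8080))
    print(connection_verdict(policy, NGINX_BIN, JAVA_BIN, 22))
    print(connection_verdict(policy, DROPPER_BIN, JAVA_BIN, 8080))
    print(connection_verdict(policy, NEWTOOL_BIN, JAVA_BIN, 8080))
```

Note what the fingerprint buys over an IP allowlist: a replaced or trojaned binary on the same host produces a different hash, so it falls into the "unknown" or "malware" path rather than inheriting the host's permissions.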
Detection Processes: Under the CSF, this category focuses on how organizations define, enforce, test, and communicate processes around event detection. While this category does not map directly to the Edgewise platform, Edgewise’s mapping technology, visualization tool, and risk assessment functionality provide reliable insight into what’s happening uniformly across any network environment, which is a key element of detecting anomalous events. As a routine practice, Edgewise also tests its own technology before any new release to ensure it is working as intended.
The wrap-up
Using Edgewise, network, security, and operations teams always have a current view into application and service communications happening on and across their organization’s networks. This unprecedented level of visibility coupled with baseline monitoring allows companies to quickly and easily detect potential attacks and attacks in progress.
In the next post we’ll cover how Edgewise capabilities align with the NIST CSF “Respond” Core Function to help companies respond to network compromise before significant damage is done.