Lateral movement is hard, if not impossible, for prevention controls to block automatically. Early detection by your Security Team is therefore an essential strategy for shutting it down. The longer it takes to detect, the more damage is done, resulting in far greater investigation and recovery costs.
Even where organisations collect the data needed to uncover lateral movement, the traditional problem is using it properly. Tools like Security Incident and Event Management (SIEM) can normalise and correlate data, but they are better suited to detecting clear-cut cyber attacks. They are not as well suited to profiling activity over time or to accurately detecting the anomalies associated with lateral movement. As a result, their correlation rules raise too many alerts, and most of these alerts are ultimately ignored by Security Operations teams.
XDR agents, such as those used by the Security Operations Center, are designed specifically to identify attackers quickly and accurately as they move through the compromised network.
The XDR agent monitors internal network traffic and endpoint events, and profiles the normal patterns of internal host-to-host communication, application usage, file-share usage, credential usage, administrative behaviour, executable and process prevalence, and more. It can also detect common credential-theft tools like Mimikatz and techniques like “pass-the-hash”, and looks for telltale signs of compromise on systems, such as lateral movement.
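As an added illustration of the profile-then-detect approach described above (example code written for this page, not the XDR product's own logic), the following script builds a baseline of which accounts normally log on from which host to which host, then flags logons in a later window that fall outside that baseline and raises an alert when a single account fans out to several hosts it has never reached before. The log format, hostnames and account names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample logon events (illustrative data, not from the original page),
# one per line: "<day> <src_host> -> <dst_host> user=<account>"
BASELINE_LOG = """\
day01 WS-ALICE -> FS01 user=alice
day01 WS-BOB -> FS01 user=bob
day02 WS-ALICE -> MAIL01 user=alice
day02 ADMIN-JMP -> DC01 user=svc_backup
day03 ADMIN-JMP -> FS01 user=svc_backup
"""

# Later window: alice's workstation suddenly reaches three hosts she never used before.
SUSPECT_LOG = """\
day04 WS-ALICE -> FS01 user=alice
day04 WS-ALICE -> WS-BOB user=alice
day04 WS-ALICE -> ADMIN-JMP user=alice
day04 WS-ALICE -> DC01 user=alice
day04 WS-BOB -> FS01 user=bob
"""

LINE_RE = re.compile(r"^(?P<day>\S+) (?P<src>\S+) -> (?P<dst>\S+) user=(?P<acct>\S+)$")

def parse_events(text):
    """Turn raw log lines into (src, dst, account) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["src"], m["dst"], m["acct"]))
    return events

def build_profile(events):
    """Baseline: the (src, dst, account) triples seen, and the hosts each account normally reaches."""
    hosts_per_account = defaultdict(set)
    for _, dst, acct in events:
        hosts_per_account[acct].add(dst)
    return set(events), hosts_per_account

def detect_lateral_movement(baseline_text, window_text, fanout_threshold=3):
    """Return logons absent from the baseline, and accounts reaching >= threshold brand-new hosts."""
    known_triples, known_hosts = build_profile(parse_events(baseline_text))
    novel = [e for e in parse_events(window_text) if e not in known_triples]
    new_hosts = defaultdict(set)
    for src, dst, acct in novel:
        if dst not in known_hosts[acct]:   # unknown accounts get an empty set, so every host is new
            new_hosts[acct].add(dst)
    fanout = {a: sorted(h) for a, h in new_hosts.items() if len(h) >= fanout_threshold}
    return novel, fanout
```

Running `detect_lateral_movement(BASELINE_LOG, SUSPECT_LOG)` lists alice's three novel logons and raises one fan-out alert for her account, while bob's routine file-server logon stays silent.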