The "Mythos Era": Are We Drowning in Logs but Starving for Context?
Saw Richard Bejtlich’s latest article on Hacker News regarding the "Mythos Era," and it really hits home. The premise is that despite having massive amounts of telemetry, we still struggle to answer the fundamental "What happened?" during an incident. We’ve become overly reliant on alert-based triage.
In my experience, an EDR alert might tell you a script ran, but it often misses the network context—did it beacon out? Did it perform lateral movement? This is where NDR (Network Detection and Response) becomes non-negotiable. It provides the ground truth when endpoint agents fail or get bypassed.
I've been trying to advocate for better visibility into East-West traffic. For example, spotting a workstation talking to a non-Domain Controller on port 445 is usually a red flag for SMB exploitation attempts or unauthorized lateral movement.
Here is a simple KQL query I’ve been using to hunt for anomalies that EDR might miss if the process injection is memory-only or the agent is suppressed:
// Outbound SMB: the post describes a workstation *talking to* a host on 445, so match successful
// outbound connections (InboundConnectionAccepted events carry 445 in LocalPort, not RemotePort)
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort == 445
// Normal SMB client traffic originates from the kernel (System); a user-mode process opening 445 directly is the anomaly of interest
| where InitiatingProcessFileName !in ("System", "svchost.exe", "lsass.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| summarize Count=count() by DeviceName, RemoteIP
How are you all handling the visibility gap? Are you investing in commercial NDR solutions, or building out homegrown Zeek/Suricata stacks to supplement your SIEM?
Totally agree with Bejtlich here. We've been rolling out a commercial NDR tool alongside our EDR for the past six months, and the correlation has been eye-opening. We caught a few instances of PowerShell reverse shells that never triggered an endpoint alert because the attacker lived entirely in memory. The network metadata doesn't lie.
Commercial NDR is great if you have the budget, but for smaller teams, nothing beats a well-tuned Zeek (Bro) instance. We pipe our conn.log and dns.log directly into our ELK stack. You can get 80% of the value for 0% of the license cost if you're willing to write a few JSON parsers.
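As an added example (not code from anyone in this thread), here is a small Python parser over Zeek conn.log JSON lines that implements the East-West check from the first post on top of the ELK-style pipeline just described: port-445 connections from the workstation subnet to anything that is not a known SMB server, plus a per-source fan-out count. The sample log, the server list and the workstation prefix are all constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample of Zeek conn.log in JSON-lines format; not real capture data.
SAMPLE_CONN_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.5.21","id.orig_p":49811,"id.resp_h":"10.0.1.10","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.5.21","id.orig_p":49812,"id.resp_h":"10.0.5.37","id.resp_p":445,"proto":"tcp","conn_state":"SF"}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.5.21","id.orig_p":49813,"id.resp_h":"10.0.5.38","id.resp_p":445,"proto":"tcp","conn_state":"REJ"}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.5.44","id.orig_p":50110,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","conn_state":"SF"}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.0.5.21","id.orig_p":49814,"id.resp_h":"10.0.5.39","id.resp_p":445,"proto":"tcp","conn_state":"S0"}
"""

# Assumed environment facts (placeholders): hosts that legitimately serve SMB, and the workstation subnet.
KNOWN_SMB_SERVERS = {"10.0.1.10", "10.0.1.11"}
WORKSTATION_PREFIX = "10.0.5."

def parse_conn_log(text):
    """Parse Zeek conn.log JSON lines, skipping blank or malformed records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated line at a rotation boundary should not abort the hunt
    return records

def smb_to_non_servers(records, known_servers=KNOWN_SMB_SERVERS, ws_prefix=WORKSTATION_PREFIX):
    """Count (orig_h, resp_h) pairs for TCP/445 from a workstation to a host that is not a known SMB server.
    Rejected (REJ) and unanswered (S0) attempts are kept on purpose: failed lateral movement is still a signal."""
    hits = Counter()
    for r in records:
        if r.get("proto") != "tcp" or r.get("id.resp_p") != 445:
            continue
        src, dst = r.get("id.orig_h", ""), r.get("id.resp_h", "")
        if src.startswith(ws_prefix) and dst not in known_servers:
            hits[(src, dst)] += 1
    return hits

def fan_out_by_source(hits):
    """Distinct non-server SMB targets per source; a high value suggests scanning or lateral movement."""
    per_src = Counter()
    for (src, _dst) in hits:
        per_src[src] += 1
    return per_src

if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for src, n in fan_out_by_source(smb_to_non_servers(recs)).most_common():
        print(f"{src} -> {n} distinct non-server SMB targets")
```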
The issue I often face is encryption. With 90% of traffic being HTTPS, NDR visibility into the payload is gone unless you're doing SSL/TLS inspection, which brings its own headache. How are you folks handling the decryption overhead without killing your network performance?
Eve raises a valid point about encryption. When NDR hits that wall, I pivot to Sysmon for host-level network correlation. By logging network connections, we can map a beaconing IP back to a specific Process ID. This confirms if the traffic is truly malicious or just a browser update.
I often run a query like this to spot outliers:
DeviceNetworkEvents
| where RemotePort == 443
// A process reaching many distinct HTTPS endpoints is either a browser/updater or a C2 client rotating infrastructure
| summarize DistinctRemoteIPs=dcount(RemoteIP) by InitiatingProcessFileName, InitiatingProcessCommandLine
| order by DistinctRemoteIPs desc
This helps separate standard application traffic from hidden C2 channels.