Bridging the gap between COTS tool alerting and raw data analysis



An article on how the use of metadata in cybersecurity solutions raises the situational awareness of network activity, leading to faster detection and mitigation of data breaches.

Kurt Neumann, Director, Cybersecurity Applications, Qosmos
April 2012

Executive Summary

Effective cyberdefense requires security teams to identify and validate traffic events quickly. Until now, they had to choose between searching through system logs, NetFlow, or full packet captures. New network probes that exploit traffic metadata now enable NBAD, SIEM, DDoS and Network Analytics solutions to search through data faster, with fewer demands on users.

According to the Verizon 2011 Data Breach Investigations Report (a study conducted by the Verizon RISK Team in cooperation with the U.S. Secret Service and the Dutch National High Tech Crime Unit), nearly 75% of breaches take weeks to months to discover and 70% take days to weeks to contain. Alarmingly, 86% of data breaches are discovered by third parties (customers and partners), not by the organization's own Security Operations Center. This highlights the need for situational awareness of network activity and the ability to distinguish bad traffic from good in minimal time, which is now a necessary pillar of effective cyberdefense.

In today's world, organizations must assume that their networks will be compromised. To accelerate breach detection and mitigation, they need to improve their understanding and monitoring of normal network behavior. Vendors of cybersecurity solutions are the most likely sources of help: the effectiveness of next-generation firewall, NBAD, SIEM, DDoS and Network Analytics products can be dramatically improved by incorporating traffic metadata. Metadata strengthens these solutions by providing behavioral context to traffic monitoring. As Qosmos demonstrates with its new line of DeepFlow cybersecurity probes, vendors can use metadata to bridge the gap between COTS tool alerting and the raw data analysis that security teams still must perform.

The need for situational awareness

Organizations today have more network data to analyze and less certainty about which data they need to analyze. Data sets are more complex, making it harder to extract meaningful information. Security teams can no longer afford to police all their data manually and must outsource all or part of their security analysis to third parties, where the analysis can easily lose the context of a specific business environment or security objective. The volume of data and the proliferation of threats change how organizations should approach cyberdefense.

Recommendations from cybersecurity experts prioritize situational awareness and breach detection over the impossible goal of 100% prevention. Strategy should emphasize network intelligence gathering and analysis, and smart network monitoring, as the best defense against threats.

The gap between COTS tools and raw data analysis

Figure 1 shows a representative example of conventional security analysis. Billions of raw data elements collected over a period of time are screened in stages down to a few thousand investigated events. Within the Security Operations Center, traffic records are analyzed using the conventional tools of choice. Validating data, examining events, identifying breaches and mitigating them can take weeks to months, at substantial cost in tools and talent. This is largely due to a gap between conventional COTS tools and the manual analysis performed by security teams (Figure 2). The inability to search for data patterns in the context of user behavior and application usage makes useful pattern detection (and quick breach mitigation) difficult.

Figure 1. Conventional Security Analysis

Figure 2. Gap between COTS Tools and Raw Data Analysis

Shifting mindsets to situational awareness

Improving the situational awareness of cybersecurity requires a shift in mindset among vendors and their customers. Instead of assuming attacks can be prevented, the premise should be that breaches will occur. Objectives should shift to detecting breaches faster, by understanding the behavior and use of applications in traffic flows well enough to recognize anomalies. Instead of treating cybersecurity as a discrete solution, the approach should integrate security with application and web logs. Instead of relying only on protocol signatures to monitor traffic, vendors must give their products real-time visibility into traffic patterns based on user behavior and application usage.

The value of traffic metadata

What security teams need, and what vendors should seek to provide, is the ability to examine traffic with the fidelity of full packet inspection, coupled with indexed searching of protocol attributes to find meaningful user and application behavior patterns. This would improve the situational awareness of customers' cyberdefense, and it is within reach for vendors through the use of traffic metadata. Metadata can bridge the gap between conventional tools and raw analysis by enabling detection and differentiation of good and bad behavior patterns in network traffic flows.

The advantages of metadata for vendors of cybersecurity solutions and their customers include:

- Full classification and decoding of network protocols at Layers 4-7, describing as many protocol and application attributes as needed
- Extraction from traffic in real time, without the need for data aggregation, formatting and database searches (making metadata more precise, faster and easier to use than data logs)
- Analysis of traffic without the need to store full, raw packets, reducing storage requirements by a ratio of 1000:1 compared to processing packet captures and/or Syslog
- Application and session awareness, including the ability to track multiple flows belonging to a single protocol session (e.g. an FTP control connection and its data channels)

Figure 3 compares a record from NetFlow, an industry standard for IP traffic monitoring, before and after enhancement with metadata as produced by Qosmos DeepFlow probe appliances. NetFlow alone is fast and repeatable but, because it is neither application- nor protocol-aware, a standard NetFlow record does not disclose potential threats. Security specialists must still screen and analyze full packets and logs manually to find behavioral context, using increasingly outdated tools. Correlating events and separating abnormal from normal behavior is difficult. The Qosmos probes parse traffic in real time for user behavior and application usage, providing insight into what actually occurred between source and destination. In Figure 3, the metadata added to the NetFlow record reveals:

1. A referring party (chicaroo.cc). Why would chicaroo.cc be referring users to this website?
2. A suspicious URL (http://www.golf.com/failed login.php) and no cookies. Why would anyone go directly to a failed-login page without a session cookie?
3. A suspicious browser (curl2.x): not Internet Explorer, Firefox, Chrome or another interactive browser, but a command-line HTTP client of the kind commonly driven from scripts, including malicious ones.
4. The server returns a success status (HTTP 200) despite the record's irregularities. Is someone exploiting a vulnerability?
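The four observations above are exactly the kind of rule a vendor or SOC can encode once a flow record carries Layer-7 attributes. The Python below is an added example written for this article, not Qosmos or DeepFlow code: it joins constructed NetFlow-style records to constructed HTTP metadata by 5-tuple and scores each flow with the four Figure 3 indicators. The field names, rule weights, referrer allow-list and sample records (built to mirror the Figure 3 discussion) are assumptions; only the values chicaroo.cc, the golf.com failed-login URL, curl2.x and the 200 status come from the article.

```python
"""Added example: NetFlow records enriched with HTTP metadata and scored with the
four Figure 3 indicators. Not Qosmos/DeepFlow code; every record is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Flow:
    """What a plain NetFlow record carries: endpoints, ports, volume and time."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    bytes_out: int
    bytes_in: int
    start: str


@dataclass
class HttpMeta:
    """Layer-7 attributes a DPI probe attaches to the same flow (assumed field names)."""
    host: str
    url: str
    status: int
    user_agent: str
    referer: Optional[str] = None
    cookie: Optional[str] = None


FlowKey = Tuple[str, str, int, int, str]


def flow_key(f: Flow) -> FlowKey:
    return (f.src_ip, f.dst_ip, f.src_port, f.dst_port, f.proto)


# Assumed site policy: who may refer traffic to the site, which pages only make
# sense after an earlier request, and which user agents are not browsers.
REFERRER_ALLOWLIST = {"www.golf.com", "golf.com", "www.google.com"}
POST_AUTH_PATHS = {"/failed login.php", "/failed_login.php", "/logout.php"}
CLI_AGENTS = ("curl", "wget", "python-requests", "libwww-perl", "go-http-client")


def analyze(meta: HttpMeta) -> List[Tuple[str, int]]:
    """Apply the four observations from Figure 3 as rules; returns (finding, weight)."""
    findings: List[Tuple[str, int]] = []
    if meta.referer:
        ref_host = urlparse(meta.referer).hostname or ""
        if ref_host not in REFERRER_ALLOWLIST:
            findings.append((f"referred by third party {ref_host}", 2))
    path = urlparse(meta.url).path
    if path in POST_AUTH_PATHS and not meta.cookie:
        findings.append((f"direct request to {path} with no session cookie", 3))
    if meta.user_agent.lower().startswith(CLI_AGENTS):
        findings.append((f"command-line client: {meta.user_agent}", 1))
    # A 200 on its own is normal; it only matters together with stronger indicators.
    if meta.status == 200 and sum(w for _, w in findings) >= 2:
        findings.append(("server answered 200 despite the irregularities", 2))
    return findings


def score(meta: HttpMeta) -> int:
    return sum(w for _, w in analyze(meta))


def verdict(meta: HttpMeta) -> str:
    s = score(meta)
    return "investigate" if s >= 5 else ("note" if s > 0 else "normal")


def netflow_view(f: Flow) -> str:
    """All a NetFlow-only analyst gets: volume, ports and time."""
    return (f"{f.start} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}/{f.proto} "
            f"out={f.bytes_out} in={f.bytes_in}")


def triage(flows: List[Flow], metas: Dict[FlowKey, HttpMeta]) -> List[Tuple[Flow, str, List[str]]]:
    """Join probe metadata onto flow records by 5-tuple; flows the probe could not
    classify (e.g. TLS on 443) stay 'unknown' rather than silently 'normal'."""
    out: List[Tuple[Flow, str, List[str]]] = []
    for f in flows:
        m = metas.get(flow_key(f))
        if m is None:
            out.append((f, "unknown", []))
        else:
            out.append((f, verdict(m), [text for text, _ in analyze(m)]))
    return out


# Constructed sample records mirroring the Figure 3 discussion (addresses are made up).
SUSPECT = Flow("10.0.0.23", "198.51.100.10", 51234, 80, "tcp", 612, 5310, "2012-03-14T09:12:07Z")
NORMAL = Flow("10.0.0.41", "198.51.100.10", 49876, 80, "tcp", 980, 41220, "2012-03-14T09:12:19Z")
MONITOR = Flow("10.0.0.5", "198.51.100.10", 40011, 80, "tcp", 210, 320, "2012-03-14T09:13:00Z")
UNSEEN = Flow("10.0.0.77", "198.51.100.10", 40222, 443, "tcp", 3100, 9000, "2012-03-14T09:13:30Z")

METADATA: Dict[FlowKey, HttpMeta] = {
    flow_key(SUSPECT): HttpMeta("www.golf.com", "http://www.golf.com/failed login.php", 200,
                                "curl2.x", referer="http://chicaroo.cc/"),
    flow_key(NORMAL): HttpMeta("www.golf.com", "http://www.golf.com/leaderboard.php", 200,
                               "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
                               referer="http://www.golf.com/login.php", cookie="PHPSESSID=7f3a9c"),
    flow_key(MONITOR): HttpMeta("www.golf.com", "http://www.golf.com/health", 200,
                                "curl/7.21.0 (x86_64-pc-linux-gnu)"),
}

if __name__ == "__main__":
    for flow, v, findings in triage([SUSPECT, NORMAL, MONITOR, UNSEEN], METADATA):
        print(netflow_view(flow))
        print(f"  verdict={v}" + "".join(f"\n  - {t}" for t in findings))
```

Run as a script it prints the NetFlow-only view beside the verdict for each flow. Two caveats a practitioner would add: the port 443 flow comes back as unknown because a probe can only extract URL, referrer, cookie and user-agent where HTTP is in the clear, and a curl user agent on its own is a weak signal (monitoring scripts use curl too), which is why the scoring only escalates the 200 status when a stronger indicator is also present.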

Without the metadata, the NetFlow record shows how much data was transferred, between which ports and when, but security specialists must still make assumptions when screening traffic data for suspicious activity. The same record enhanced with Qosmos metadata tells security specialists what actually transpired in the communication. It enables accurate real-time monitoring of both normal and abnormal behavior, i.e. situational awareness. Security specialists can work with useful pattern detection and know specifically which records to investigate. In this way, the use of metadata can shorten breach detection from weeks and months to hours and minutes.

Figure 3. Extended Traffic Visibility into Layers 4-7 with Metadata

The impact on network security

Raising situational awareness for effective network protection requires security teams to identify and validate events quickly. Until now, they had the choice between searching through system logs, NetFlow, or full packet captures. Traffic metadata, as designed by Qosmos into its DeepFlow cybersecurity probes, combines the essence of all three into a single message flow, normalized to be easily consumed by SIEM, NBAD, DDoS, and Network Analytics tools. As shown in Figure 4, vendors can enable their customers to search through data faster and with fewer IT demands, increasing their value to customers as partners in cyberdefense.
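The list of metadata advantages under "The value of traffic metadata" mentioned tracking an FTP control connection and its data channels as one session. That is what separates session-aware metadata from a per-flow NetFlow record: the data channel uses an ephemeral port negotiated on the control channel, so without the control context it is just an unexplained transfer between two high ports. The Python below is an added example, not Qosmos or DeepFlow code: a minimal tracker that parses PASV replies (227) and PORT commands, remembers the announced endpoint, and attributes the later data-channel flow record to the session together with the user name and the RETR/STOR file name. The event stream, addresses and file names are constructed.

```python
"""Added example: tying FTP data channels back to the control session that
announced them. Not Qosmos/DeepFlow code; the event stream is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and "PORT h1,h2,h3,h4,p1,p2",
# where the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)
TRANSFER_VERBS = {"RETR", "STOR", "APPE", "LIST", "NLST"}

SessionKey = Tuple[str, str, int]   # (client ip, server ip, client-side control port)
Endpoint = Tuple[str, int]


@dataclass
class FtpSession:
    client: str
    server: str
    control_port: int
    user: Optional[str] = None
    pending_cmd: Optional[Tuple[str, str]] = None   # transfer command awaiting its data flow
    transfers: List[dict] = field(default_factory=list)


class FtpTracker:
    """Session-aware view: one FTP session = control connection + its data channels."""

    def __init__(self) -> None:
        self.sessions: Dict[SessionKey, FtpSession] = {}
        self.expected: Dict[Endpoint, SessionKey] = {}   # announced data endpoint -> session

    def control(self, client: str, server: str, cport: int, direction: str, line: str) -> None:
        key = (client, server, cport)
        s = self.sessions.setdefault(key, FtpSession(client, server, cport))
        if direction == "c2s":
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PORT":                  # active mode: client announces its listener
                m = PORT_RE.match(line)
                if m:
                    self._expect(key, m.groups())
            elif verb in TRANSFER_VERBS:
                s.pending_cmd = (verb, arg)
        else:
            m = PASV_RE.match(line)              # passive mode: server announces its listener
            if m:
                self._expect(key, m.groups())

    def _expect(self, key: SessionKey, g: Tuple[str, ...]) -> None:
        self.expected[(".".join(g[:4]), int(g[4]) * 256 + int(g[5]))] = key

    def data_flow(self, src: str, sport: int, dst: str, dport: int, nbytes: int) -> Optional[dict]:
        """Attribute a finished data-channel flow record to its session. In both modes the
        connection is opened *to* the announced endpoint, and because flow records are
        emitted when the flow ends, the RETR/STOR on the control channel has been seen."""
        key = self.expected.pop((dst, dport), None)
        if key is None:
            return None                          # not a data channel we were told about
        s = self.sessions[key]
        verb, arg = s.pending_cmd or ("?", "")
        rec = {"user": s.user, "command": verb, "file": arg, "bytes": nbytes,
               "control": f"{s.client}:{s.control_port}->{s.server}:21",
               "data": f"{src}:{sport}->{dst}:{dport}"}
        s.transfers.append(rec)
        s.pending_cmd = None
        return rec


# Constructed event stream: control-channel lines interleaved with the flow records
# an exporter would emit as each data connection closes.
CLIENT, SERVER, CPORT = "10.0.0.23", "203.0.113.5", 45100
EVENTS = [
    ("ctl", "c2s", "USER alice"),
    ("ctl", "s2c", "230 Login successful."),
    ("ctl", "c2s", "PASV"),
    ("ctl", "s2c", "227 Entering Passive Mode (203,0,113,5,195,80)."),  # 195*256+80 = 50000
    ("ctl", "c2s", "RETR payroll-2012-q1.csv"),
    ("ctl", "s2c", "226 Transfer complete."),
    ("data", CLIENT, 50123, SERVER, 50000, 48213),
    ("ctl", "c2s", "PORT 10,0,0,23,200,10"),                             # 200*256+10 = 51210
    ("ctl", "c2s", "STOR upload.bin"),
    ("ctl", "s2c", "226 Transfer complete."),
    ("data", SERVER, 20, CLIENT, 51210, 1024),
    ("data", CLIENT, 50200, SERVER, 50001, 10),                          # unrelated connection
]


def run_sample() -> Tuple[List[dict], int]:
    """Replay EVENTS; returns the session's attributed transfers and the unmatched count."""
    t = FtpTracker()
    unmatched = 0
    for ev in EVENTS:
        if ev[0] == "ctl":
            t.control(CLIENT, SERVER, CPORT, ev[1], ev[2])
        elif t.data_flow(*ev[1:]) is None:
            unmatched += 1
    return t.sessions[(CLIENT, SERVER, CPORT)].transfers, unmatched


if __name__ == "__main__":
    transfers, unmatched = run_sample()
    for r in transfers:
        print(f"{r['user']} {r['command']} {r['file']} ({r['bytes']} bytes) via {r['data']}")
    print(f"unmatched data flows: {unmatched}")
```

The two data-channel flows, which NetFlow would report as anonymous transfers on ports 50000 and 51210, come out attributed to user alice with the command and file name; the third flow stays unmatched because no control channel announced it. The same caveat as for HTTP applies: user names and file names are visible only because FTP is a cleartext protocol, and a probe sees none of this for FTPS.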

Figure 4. Deep, fast traffic visibility with fewer IT demands

For more information: marketing@qosmos.com, www.qosmos.com