WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

Transcription

1 WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION A Novetta Cyber Analytics Brief

2 Why SIEMs with advanced network-traffic analytics is a powerful combination. INTRODUCTION Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility and awareness, filling a critical gap in today s enterprise cyber security toolset. With queries that take only seconds even at Petabyte scale the solution enables analysts to receive comprehensive answers to complex questions at the speed of thought, then instantly access the ground truth network traffic needed for alert triage, incident response and hunting. The solution dramatically increases the efficiency and effectiveness of IT security staff and threat responders by providing them with the right information when they need it. Security Information and Event Management solutions - SIEMs - have become quite commonplace within cyber security operations today, and because of this, there is a lot of confusion as to exactly what a SIEM is versus Novetta Cyber Analytics. The short answer is that SIEMs aggregate, correlate and analyze events, logs and alerts produced by machines, while Novetta Cyber Analytics enables the rapid analysis of raw network-traffic by security analysts. The longer answer is, of course, much more complex than this, while cyber security shops that use both have a powerful combination on their hands. This paper will take the reader through: A brief history of how cyber security has grown up in most enterprise shops which will help to contextualize the differences A discussion of SIEM limitations How Novetta Cyber Analytics fills a critical missing gap in the toolset of most cyber security shops today How a SIEM plus Novetta Cyber Analytics creates an improved security posture, while concurrently lessening the need for hardto-find analysts 1

3 A BRIEF HISTORY OF ENTERPRISE CYBER SECURITY In 1988 the Morris Worm, widely regarded as the first computer worm (a self-propagating virus) succeeded in debilitating much of the Internet. Throughout the 1990 s new viruses, such as ILOVEYOU, were created and spread to millions of computers, seemingly without any true objective or motivation. Since then, the attacks have become far more targeted - and far more sophisticated - with many intrusions lasting months or more with clear objectives in mind, such as stealing intellectual property, credit cards, money, and health records. Beginning with signature-based antivirus solutions, over time more and more sophisticated defense mechanisms have been designed to counter more and more sophisticated types of attacks. Firewalls, Network Access Control solutions, Intrusion Detection/Prevention Systems, Data Loss Prevention systems, NextGen Firewalls, etc. have all been developed and deployed to prevent and detect unauthorized access and/or detect and mitigate malware. All of these solutions create separate events and logs and throw off alerts of perceived threats to security analysts for further analysis. But with up to a dozen systems and perhaps hundreds of security boxes sending alerts, analysts were overwhelmed. So in 1996 the first SIEM tool was introduced to attempt to automate the process of parsing through all of this data to determine which alerts and logs truly represent a threat. To do this, they correlate multiple events and alerts from disparate systems, then use rules and triggers to highlight suspicious activity. This is still the basic capability of SIEMs today, although many have increased their capacity for log, event and alert correlation to non-security applications as well as clients, and also offer other capabilities such as dashboarding, compliance reporting, and incident workflow tracking. SIEM LIMITATIONS SIEMs can be quite useful when attempting to manage the alerts and logs from many disparate systems, as there are many common attack patterns that can be detected by the aggregation and correlation of alerts and logs. SIEMs free analysts from doing a lot of mundane work, but they cannot be relied upon as an end-all be-all security solution because more advanced attacks, the ones that cause the most damage, take advantage of the below limitations. Tuning a Siem Perfectly is Nye Impossible After first deployment, it usually takes months for a SIEM to become truly useful within an enterprise environment. This is because you have to train it to understand your environment: for example, what IP addresses are what types of hosts and therefore what types of activities are acceptable or not acceptable from said host. Once you ve spent the time do this accurately and completely you then have a choice, How loose or tight do I set my alerting threshold? Too tight, and you might miss something important. 2

4 Too loose, and your analysts will be overwhelmed. There is no right answer here as this is more of an art than a science. Logs and Alerts are Expensive to Manage Every system writes its logs in a unique way. Combining hundreds of logs into a single, searchable format demands time, money, and a commitment to data integration. Did we exclude any important logs? Did we map the data fields correctly? How do we ignore duplicate events from multiple logs? Was there no traffic on Sunday? Or was the mail server down? Should we monitor uptime logs, too? These are the routine questions a network security team answers on a regular basis for their SIEM. Time spent on data integration is time borrowed from detecting more advanced attacks. Logs Give an Incomplete View of Reality Applications write just enough information in their logs to support diagnostics. They discard the rest to conserve disk space and to keep the logs legible to humans. Likewise, they tend to write interpretations of events rather than the contents of the events themselves. Altogether this produces a source of information that is incomplete and sometimes vague or irrelevant to an incident response investigation, which usually forces analysts to wrangle data from multiple systems attempting to find out what is truly happening - a tedious, time consuming process. Logs and Alerts are Prone to Sabotage Logs and alerts are generated by applications, which are vulnerable to exploitation. Consequently, logs and alerts are vulnerable to exploitation. So, the first thing a smart attacker does upon a successful breach is to modify the logs to hide the evidence of the breach and any future malicious activity. This makes logs a dubious source of information when the issue at hand is a truly advanced threat. HOW NOVETTA CYBER ANALYTICS FILLS A CRITICAL GAP Due to the above SIEM limitations, analysts frequently encounter situations where queries are needed that a SIEM simply cannot run and/or a review of raw network packet capture (PCAP) is required to determine if, for example, an alert is accurate and if so, its true scope and severity. Network-traffic cannot be corrupted it is the ground truth and includes all information exchanged between hosts. Comprehensive Network View With strategically placed sensors providing a comprehensive network view, and with its core being a single columnar table of observed network traffic, Novetta Cyber Analytics answers complex, relevant queries extremely rapidly and completely, allowing an analyst to, for example, quickly find all sessions and hosts related to a particular threat or alert, immediately drill into the directly related PCAP, pivot 3

5 and search through more remotely related PCAP, and then repeat. The rapidity of this iterative process provides an analyst with the ability to quickly come to a comprehensive and confident answer as to the criticality and scope of a particular alert. A view of how Novetta Cyber Analytics fits into a typical security shop s workflows. *For explanations of these powerful queries, please see the doc: The Top 10 Built-in Investigative Analytics: Examples of how this solution is used and why it s so powerful. Rapid, Streamlined Alert Investigations The alert investigation process is very streamlined for any SIEM console that can access the Novetta Cyber Analytics APIs: Once the analyst receives a correlated SIEM alert, or perhaps even a signature based DPI alert from their Security Analytics solution coming through to their SIEM console, they simply right click on their menu to launch a Novetta Cyber Analytics query for associated information and traffic, and the query will be returned in seconds. The information and traffic provided to the analyst includes detailed information such as IP addresses, domain names and owners, blacklist membership, geography, and more. The analyst can then use the Novetta Cyber Analytics View Contents feature to instantly preview the first 10KB of the associated payload data in the packet capture. Should the analyst find malware or other interesting data they can instantly retrieve the full packet capture as seen on the wire. This enables them to perform traffic replay, session reconstruction, malware extraction, and other forensic activities or pivot to other searches. 4

6 By combining the data associated with any alert with a comprehensive, rapidly searchable view of network traffic, analysts now have access to all the information they need to rapidly triage correlated, behavioral, and signature based alerts. Fast and Complete Incident Response and Forensics Once an analyst has determined the full extent of a threat using Novetta Cyber Analytics, they can quickly export key packet capture to a traffic analysis (such as Wireshark) or forensics tool for deeper analysis and traffic replay. In this fashion, the deep dive forensics tool is leveraged for its key capability after a subset of network traffic has been identified. This enhanced workflow serves to dramatically accelerate the operational tempo of analysts. They can now quickly start at a SIEM s console alert, attain situational awareness, identify threats, get visibility of raw packet capture, and perform deep dive analysis all dramatically faster than without Novetta Cyber Analytics. IMPROVED POSTURE PLUS A LESSENED NEED FOR ANALYSTS Novetta Cyber Analytics allows security shops to rapidly triage their SIEM s alerts while concurrently tightening their SIEM alerting thresholds and lessening reliance on ever more complex automated correlations, which, of course, require more and more time consuming data integration efforts. By enabling SIEMs to move closer to their original purpose the simple aggregation and correlation of alerts from multiple perimeter defense tools the combination frees security teams, even Tier 1 analysts, to spend far more time understanding their network and proactively hunting intruders versus reacting to mostly false positive alerts and/or spending the copious time needed to wrangle data from multiple systems. Cyber security shops that have deployed this combination have found that their overall cybersecurity posture has immeasurably improved, while concurrently lessening their need for hard-to-find cyber security workers. CONCLUSION Organizations that make use of both a SIEM and Novetta Cyber Analytics create a powerful combination that empowers analysts and their entire teams to achieve far greater visibility and awareness and substantially accelerate their operational tempo as they explore their networks, investigate specific alerts and incidents, and perform forensic activities. A SIEM plus Novetta Cyber Analytics makes security teams far more efficient and effective, and because of this, the combination makes a security team s management chain far more confident in their overall cybersecurity efforts. 5