WHY SIEMS WITH ADVANCED NETWORK-TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

INTRODUCTION

Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real-time cyber security visibility and awareness, filling a critical gap in today's enterprise cyber security toolset. With queries that take only seconds even at petabyte scale, the solution enables analysts to receive comprehensive answers to complex questions at the speed of thought, then instantly access the ground-truth network traffic needed for alert triage, incident response and hunting. The solution dramatically increases the efficiency and effectiveness of IT security staff and threat responders by providing them with the right information when they need it.

Security Information and Event Management solutions (SIEMs) have become quite commonplace within cyber security operations today, and because of this there is a lot of confusion as to exactly what a SIEM is versus Novetta Cyber Analytics. The short answer is that SIEMs aggregate, correlate and analyze events, logs and alerts produced by machines, while Novetta Cyber Analytics enables the rapid analysis of raw network traffic by security analysts. The longer answer is, of course, much more complex than this, but cyber security shops that use both have a powerful combination on their hands.

This paper will take the reader through:

- A brief history of how cyber security has grown up in most enterprise shops, which will help to contextualize the differences
- A discussion of SIEM limitations
- How Novetta Cyber Analytics fills a critical missing gap in the toolset of most cyber security shops today
- How a SIEM plus Novetta Cyber Analytics creates an improved security posture, while concurrently lessening the need for hard-to-find analysts

A BRIEF HISTORY OF ENTERPRISE CYBER SECURITY

In 1988 the Morris Worm, widely regarded as the first computer worm (a self-propagating virus), succeeded in debilitating much of the Internet. Throughout the 1990s new viruses, such as ILOVEYOU, were created and spread to millions of computers, seemingly without any true objective or motivation. Since then, the attacks have become far more targeted, and far more sophisticated, with many intrusions lasting months or more with clear objectives in mind, such as stealing intellectual property, credit cards, money, and health records.

Beginning with signature-based antivirus solutions, over time more and more sophisticated defense mechanisms have been designed to counter more and more sophisticated types of attacks. Firewalls, Network Access Control solutions, Intrusion Detection/Prevention Systems, Data Loss Prevention systems, NextGen Firewalls, etc. have all been developed and deployed to prevent and detect unauthorized access and/or detect and mitigate malware. All of these solutions create separate events and logs and throw off alerts of perceived threats to security analysts for further analysis. But with up to a dozen systems and perhaps hundreds of security boxes sending alerts, analysts were overwhelmed.

So in 1996 the first SIEM tool was introduced to attempt to automate the process of parsing through all of this data to determine which alerts and logs truly represent a threat. To do this, SIEMs correlate multiple events and alerts from disparate systems, then use rules and triggers to highlight suspicious activity. This is still the basic capability of SIEMs today, although many have extended their log, event and alert correlation to non-security applications as well as clients, and also offer other capabilities such as dashboarding, compliance reporting, and incident workflow tracking.
SIEM LIMITATIONS

SIEMs can be quite useful when attempting to manage the alerts and logs from many disparate systems, as there are many common attack patterns that can be detected by the aggregation and correlation of alerts and logs. SIEMs free analysts from a lot of mundane work, but they cannot be relied upon as an end-all, be-all security solution, because the more advanced attacks, the ones that cause the most damage, take advantage of the limitations below.

Tuning a SIEM Perfectly is Nigh Impossible

After first deployment, it usually takes months for a SIEM to become truly useful within an enterprise environment. This is because you have to train it to understand your environment: for example, which IP addresses are which types of hosts, and therefore which types of activity are acceptable or not acceptable from each host. Once you've spent the time to do this accurately and completely, you then have a choice: how loose or tight do I set my alerting threshold? Too tight, and you might miss something important. Too loose, and your analysts will be overwhelmed. There is no right answer here, as this is more of an art than a science.

Logs and Alerts are Expensive to Manage

Every system writes its logs in a unique way. Combining hundreds of logs into a single, searchable format demands time, money, and a commitment to data integration. Did we exclude any important logs? Did we map the data fields correctly? How do we ignore duplicate events from multiple logs? Was there no email traffic on Sunday, or was the mail server down? Should we monitor uptime logs, too? These are the routine questions a network security team answers on a regular basis for their SIEM. Time spent on data integration is time borrowed from detecting more advanced attacks.

Logs Give an Incomplete View of Reality

Applications write just enough information in their logs to support diagnostics. They discard the rest to conserve disk space and to keep the logs legible to humans. Likewise, they tend to write interpretations of events rather than the contents of the events themselves. Altogether this produces a source of information that is incomplete and sometimes vague or irrelevant to an incident response investigation, which usually forces analysts to wrangle data from multiple systems in an attempt to find out what is truly happening: a tedious, time-consuming process.

Logs and Alerts are Prone to Sabotage

Logs and alerts are generated by applications, which are vulnerable to exploitation. Consequently, logs and alerts are themselves vulnerable to tampering. So the first thing a smart attacker does upon a successful breach is to modify the logs to hide the evidence of the breach and any future malicious activity. This makes logs a dubious source of information when the issue at hand is a truly advanced threat.
HOW NOVETTA CYBER ANALYTICS FILLS A CRITICAL GAP

Due to the above SIEM limitations, analysts frequently encounter situations where queries are needed that a SIEM simply cannot run, and/or a review of raw network packet capture (PCAP) is required to determine whether, for example, an alert is accurate and, if so, its true scope and severity. Network traffic cannot be corrupted: it is the ground truth and includes all information exchanged between hosts.

Comprehensive Network View

With strategically placed sensors providing a comprehensive network view, and with its core being a single columnar table of observed network traffic, Novetta Cyber Analytics answers complex, relevant queries extremely rapidly and completely. This allows an analyst to, for example, quickly find all sessions and hosts related to a particular threat or alert, immediately drill into the directly related PCAP, pivot and search through more remotely related PCAP, and then repeat. The rapidity of this iterative process gives an analyst the ability to quickly come to a comprehensive and confident answer as to the criticality and scope of a particular alert.

[Figure: A view of how Novetta Cyber Analytics fits into a typical security shop's workflows.]

*For explanations of these powerful queries, please see the document "The Top 10 Built-in Investigative Analytics: Examples of how this solution is used and why it's so powerful".

Rapid, Streamlined Alert Investigations

The alert investigation process is very streamlined for any SIEM console that can access the Novetta Cyber Analytics APIs. Once the analyst receives a correlated SIEM alert, or perhaps even a signature-based DPI alert from their Security Analytics solution coming through to their SIEM console, they simply right-click on their menu to launch a Novetta Cyber Analytics query for associated information and traffic, and the results are returned in seconds. The information and traffic provided to the analyst includes detailed information such as IP addresses, domain names and owners, blacklist membership, geography, and more. The analyst can then use the Novetta Cyber Analytics View Contents feature to instantly preview the first 10KB of the associated payload data in the packet capture. Should the analyst find malware or other interesting data, they can instantly retrieve the full packet capture as seen on the wire. This enables them to perform traffic replay, session reconstruction, malware extraction, and other forensic activities, or pivot to other searches.
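Added illustration (my own sketch, not Novetta's code, API or schema): the alert-to-sessions pivot-and-repeat loop and the payload preview described above, run over a constructed flow table, plus the cross-check that the "Incomplete View" and "Prone to Sabotage" limitations motivate, namely sessions seen on the wire that have no matching log record. The field names, sample sessions and log records are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the "single columnar table of observed network
# traffic" the brief describes; field names are assumptions, not a real schema.
@dataclass(frozen=True)
class Session:
    ts: str        # time first seen
    src: str       # initiating host
    dst: str       # responding host
    dport: int     # destination port
    payload: bytes # first bytes seen on the wire (constructed)

SESSIONS = [
    Session("2016-05-01T02:00:01", "10.0.0.5", "203.0.113.7", 443, b"\x16\x03\x01 tls hello"),
    Session("2016-05-01T02:00:09", "203.0.113.7", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_7.2"),
    Session("2016-05-01T02:01:30", "10.0.0.5", "10.0.0.20", 445, b"\xffSMB"),
    Session("2016-05-01T02:05:00", "10.0.0.20", "198.51.100.9", 80, b"POST /up HTTP/1.1\r\n"),
    Session("2016-05-01T03:00:00", "10.0.0.30", "10.0.0.40", 80, b"GET / HTTP/1.1\r\n"),
]

# Constructed SIEM-side log records: only what the applications chose to log.
LOGS = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443},
    {"src": "10.0.0.30", "dst": "10.0.0.40", "dport": 80},
]

def pivot(sessions, seed_hosts, hops=1):
    """Start from the hosts named in an alert, pull every session touching
    them, add the peer hosts, and repeat `hops` more times: the
    pivot-and-repeat loop the brief describes. Returns (sessions, hosts)."""
    hosts = set(seed_hosts)
    hits = set()
    for _ in range(hops + 1):
        touched = [s for s in sessions if s.src in hosts or s.dst in hosts]
        hits.update(touched)
        hosts |= {s.src for s in touched} | {s.dst for s in touched}
    return sorted(hits, key=lambda s: s.ts), hosts

def preview(session, limit=10 * 1024):
    """Printable view of the first `limit` payload bytes (the brief's 10KB
    preview); non-printable bytes are shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in session.payload[:limit])

def unlogged(sessions, log_records):
    """Sessions present on the wire but absent from the logs: each gap is
    either a log-integration hole or a tampered log, and deserves a look."""
    logged = {(r["src"], r["dst"], r["dport"]) for r in log_records}
    return [s for s in sessions if (s.src, s.dst, s.dport) not in logged]

if __name__ == "__main__":
    hits, hosts = pivot(SESSIONS, ["10.0.0.5"])
    print([(s.ts, s.dst, preview(s)) for s in hits], sorted(hosts))
    print("unlogged:", [(s.src, s.dst, s.dport) for s in unlogged(hits, LOGS)])
```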

By combining the data associated with any alert with a comprehensive, rapidly searchable view of network traffic, analysts now have access to all the information they need to rapidly triage correlated, behavioral, and signature-based alerts.

Fast and Complete Incident Response and Forensics

Once an analyst has determined the full extent of a threat using Novetta Cyber Analytics, they can quickly export the key packet capture to a traffic analysis tool (such as Wireshark) or forensics tool for deeper analysis and traffic replay. In this fashion, the deep-dive forensics tool is leveraged for its key capability only after a subset of network traffic has been identified. This enhanced workflow serves to dramatically accelerate the operational tempo of analysts. They can now quickly start at a SIEM console alert, attain situational awareness, identify threats, get visibility of raw packet capture, and perform deep-dive analysis, all dramatically faster than without Novetta Cyber Analytics.

IMPROVED POSTURE PLUS A LESSENED NEED FOR ANALYSTS

Novetta Cyber Analytics allows security shops to rapidly triage their SIEM's alerts while concurrently tightening their SIEM alerting thresholds and lessening reliance on ever more complex automated correlations, which, of course, require more and more time-consuming data integration efforts. By enabling SIEMs to move closer to their original purpose (the simple aggregation and correlation of alerts from multiple perimeter defense tools), the combination frees security teams, even Tier 1 analysts, to spend far more time understanding their network and proactively hunting intruders, versus reacting to mostly false-positive alerts and/or spending the copious time needed to wrangle data from multiple systems. Cyber security shops that have deployed this combination have found that their overall cybersecurity posture has immeasurably improved, while concurrently lessening their need for hard-to-find cyber security workers.

CONCLUSION

Organizations that make use of both a SIEM and Novetta Cyber Analytics create a powerful combination that empowers analysts and their entire teams to achieve far greater visibility and awareness and substantially accelerate their operational tempo as they explore their networks, investigate specific alerts and incidents, and perform forensic activities. A SIEM plus Novetta Cyber Analytics makes security teams far more efficient and effective, and because of this the combination makes a security team's management chain far more confident in their overall cybersecurity efforts.