IT & DATA MANAGEMENT RESEARCH,
INDUSTRY ANALYSIS & CONSULTING
Where There Is Smoke, There Is Fire: Extracting Actionable Intelligence From Network Traffic with Real-time Analysis
David Monahan
Research Director
Security & Risk Management
Enterprise Management Associates (EMA)
@SecurityMonahan
© 2017 Enterprise Management Associates, Inc.
Today’s Speaker
David Monahan
Research Director, Risk & Security Management,
EMA
David has over 20 years of IT security experience and has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs), for organizations ranging from Fortune 100 companies to local government and small public and private companies.
Visibility Challenges
• Security personnel are overwhelmed
• Security personnel are inexperienced
• Attacks are varied and multifaceted
• Attacks are stealthy
• Attacks exploit user identity
• New zero-day attacks appearing regularly
• Getting the right data in a timely manner!
Top 3 Security Challenges…
• Lack of analysis capabilities in the solutions: 58%
• Lack of dashboards: 38%
• Lack of reporting capabilities: 37%
• Lack of vendor-supplied integration: 34%
• Lack of open APIs: 31%
• Other: 4%
Need to combine network capabilities or data with endpoint security capabilities or data.
More Context
• 92% of organizations receive as many as 500 overall alerts per day
• 88% of organizations receive as many as 500 severe/critical alerts per day
– Meaning: most incidents are being classified as severe/critical
– Cause: a lack of context (data) to properly prioritize the events
– Result: attacks cannot be properly prioritized
• 67% of organizations can only investigate 10 or fewer severe/critical events per day
• 88% of organizations can only investigate 25 or fewer severe/critical events per day
– Meaning: most incidents are not being investigated
– Cause: a lack of context (data) to properly prioritize the events
– Result: attacks are going unidentified and uninvestigated
Inexperience and a Lack of Skills
What type of data is best for early breach detection?
• I don't know: 72%
• Endpoint logs: 15%
• Packet capture: 7%
• Performance logs: 5%
Security teams affected by staffing shortage (two charts, labelled 2016 and 2015):
• Affected by staffing shortage: 76%; not affected: 24%
• Affected by staffing shortage: 68%; not affected: 32%
Security Team Bravado – Detecting Breaches
• Very strong: 25%
• Strong: 47%
• Competent: 24%
• Underdeveloped: 4%
• Network security detection is not a significant focus of our security program: 1%
Security Team Bravado – Incident Response
• Very strong: 25%
• Strong: 41%
• Competent: 25%
• Underdeveloped: 8%
• Network security incident response is not a significant focus of our security program: 2%
Security Team Bravado – Maintaining an Environmental Baseline
• Yes: 58%
• No, but I believe it is important: 35%
• No, and I don't feel that it is necessary: 7%
Data Used for Investigation
• Full packet data: 54%
• Log data: 50%
• Flow data: 46%
• Packet headers only: 38%
Packet Data Use in Investigations
• Yes, for all investigations: 14%
• Yes, but only for critical investigations: 38%
• No, but we would like to/plan to: 30%
• No, and we have no particular need/interest: 3%
• I don't know: 16%
Security Teams Need Automation to Be Effective
Automation for detection:
• Very important: 51%
• Important: 35%
• Somewhat important: 13%
• Somewhat unimportant: 0%
• Not important at all: 1%
Automation for incident response:
• Very important: 49%
• Important: 35%
• Somewhat important: 15%
• Somewhat unimportant: 1%
• Not important at all: 1%
Centralized Operations Interface Is Key
• Very important: 38%
• Important: 43%
• Somewhat important: 15%
• Somewhat unimportant: 3%
• Not important at all: 2%
Metadata Is Key to Success
• Invaluable: 15%
• Very valuable: 69%
• Moderately valuable: 15%
Why Packets
It’s How the Attacks Arrive
• More than 99% of cyber attacks traverse the network in some way:
– Email/web delivery
– Reconnaissance
– Command and control
– Data collection…
• Only insider attacks that collect local system data and copy it to removable media do not
Accelerating Detection and Response
• Address increasingly advanced and stealthy threats
– Threats hiding in normal application traffic: web, email, file transfers
– Payloads constantly morphing to avoid signatures; low and slow exfiltration methods
– Abuse of DNS and HTTP traffic to coordinate and avoid detection
• Reduce attacker dwell time, which is still too long
– Need more telemetry, faster
– Increase analyst context
– Lateral movement is not detected soon enough
– Endpoints don't have all the information
– Better data to "connect the dots" between events
– Quickly relate correlated data
– Accelerate investigations with comprehensive forensic data
– Connect the who, when, and how of a breach
– Look deep inside files and content to distinguish normal from suspect activity
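Two of the behaviours above, DNS abused as a coordination channel and low and slow activity, can be spotted from query metadata alone, without payload inspection. The following is an added example written for this page, not code from EMA or from any product named in the deck. It groups constructed DNS query records per source host and parent domain, then flags groups with many long, unique subdomains (tunnel-like) or a near-constant query cadence (beacon-like). The records, the thresholds, and the naive last-two-labels parent-domain rule are all assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS query metadata: (timestamp in seconds, source host, queried name).
# Made up for this example; not survey data or vendor output.
SAMPLE_DNS_QUERIES = [
    (0.0, "10.1.1.5", "www.example.com"),
    (3.2, "10.1.1.5", "cdn.example.com"),
    (41.7, "10.1.1.5", "mail.example.org"),
] + [
    # Host 10.1.1.9: twelve distinct ~40-character labels under one parent domain,
    # one query every 30 seconds, the shape of a DNS tunnel or beacon.
    (60.0 + 30.0 * i, "10.1.1.9", f"{i:02d}" + "deadbeef" * 5 + ".exfil.example.net")
    for i in range(12)
]


def registered_domain(qname: str) -> str:
    """Naive parent-domain extraction: the last two labels.

    A production tool would consult the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between queries.

    Near 0.0 means clockwork cadence (typical of automated beacons);
    None when there are too few samples to judge."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def group_by_source_and_domain(queries):
    """Bucket queries per (source host, parent domain), keeping timestamps,
    distinct names and the longest single label seen."""
    groups = defaultdict(lambda: {"ts": [], "names": set(), "longest_label": 0})
    for ts, src, qname in queries:
        g = groups[(src, registered_domain(qname))]
        g["ts"].append(ts)
        g["names"].add(qname)
        g["longest_label"] = max(g["longest_label"],
                                 max(len(lab) for lab in qname.split(".")))
    return groups


def flag_dns_abuse(queries, min_unique=10, min_label_len=30, max_cv=0.2):
    """Return [(source, parent_domain, [reasons])] for suspicious groups.

    Thresholds are illustrative; tune them against a baseline of your own traffic."""
    findings = []
    for (src, parent), g in group_by_source_and_domain(queries).items():
        reasons = []
        if len(g["names"]) >= min_unique and g["longest_label"] >= min_label_len:
            reasons.append("tunnel-like: many long, unique subdomains")
        cv = beacon_score(g["ts"])
        if cv is not None and cv <= max_cv:
            reasons.append(f"beacon-like cadence (gap cv={cv:.2f})")
        if reasons:
            findings.append((src, parent, reasons))
    return findings


if __name__ == "__main__":
    for src, parent, reasons in flag_dns_abuse(SAMPLE_DNS_QUERIES):
        print(src, parent, "; ".join(reasons))
```

Both heuristics work on the metadata a sensor can emit at line rate (name, source, time), which is why they can run in stream rather than after a capture is pulled. The two checks are kept separate on purpose: a tunnel with randomized timing still trips the fan-out rule, and a beacon that reuses one hostname still trips the cadence rule.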
QNI: Proactive Breach Detection versus Reactive Forensics
• QNI value:
– On-the-fly data stream analysis
– Real-time correlation with other logged data
– Vast metadata creation for case data enrichment
– Better breach prevention
– Earlier detection, especially of low and slow or complex attacks
– Reduced false positives (alert/no alert)
– Better alert classification (Critical, High, Medium, Low, Info)
– Accelerated incident response
– Reduced loss/damage from a breach
Where to Use QNI
• Leverage at any SOC function!
• Tier 1 (incident receipt and processing)
– Reduced incident volume = reduced alert fatigue
– Faster access to critical data = faster response
– Better incident prioritization = better incident handling
– Force multiplier = fewer handoffs to Tier 2 and Tier 3
• Tier 2 and Tier 3 (SecOps troubleshooting/investigations)
– Better context = faster resolution
• Tier 4 (hunters)
– Better visibility = reduced attacker dwell time
– Better analysis = faster detection of related incidents
– Reduced dwell time = reduced incident impact/cost
Not All SIEM Packet Analysis Is Created Equal
• Some SIEMs offer packet analysis only through third-party partnerships
• Processing overhead delays access to the data
– Several minutes to hours, depending on volume and collection method
• Most integrated packet capture is only started on demand, so there is no packet record of what happened before capture was triggered
• Accessing the data is often not intuitive
• Little or no advanced analysis is done up front
– Returned data is limited to what queries or correlation rules ask for
– Analysis of the returned data is left to the operator
QNI Benefits
• Enriching data with:
– DNS and other host detail
– URLs and redirects
– File data, file hashes, and file entropy (image and audio files especially)
– Application awareness: detected PII and confidential data
– Usernames and email addresses
– Detection of embedded scripts
• Customizable suspect-content feeds
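The enrichment fields listed above (hashes, entropy, PII, embedded scripts) can all be computed from a file body carved out of a stream. The following is an added example written for this page, not QNI's code or output. It builds a metadata record for four constructed file payloads and applies one illustrative triage rule. The magic-byte table, the script markers, the PII patterns and the 7.5 bits/byte entropy threshold are assumptions chosen for this example.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed file payloads, as a sensor might carve them out of HTTP/SMTP streams.
# All four are made up for this example.
SAMPLE_FILES = {
    "report.txt": b"Quarterly numbers. Contact alice@example.com; SSN on file 123-45-6789.\n",
    "invoice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction "
                    b"<< /S /JavaScript /JS (app.alert(1)) >> >> endobj\n"),
    # Claims to be a JPEG but carries byte-uniform content: a stand-in for an
    # encrypted or packed payload hidden behind an image name.
    "photo.jpg": bytes(range(256)) * 4,
    "blank.bmp": b"\x00" * 1024,
}

# Magic bytes per extension, used to spot declared-type/content mismatches (assumed table).
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG", "gif": b"GIF8", "pdf": b"%PDF"}
# Markers of embedded script; deliberately short list for illustration.
SCRIPT_MARKERS = (b"<script", b"/JavaScript", b"/Launch")
# Simplistic PII patterns; real detectors need validation and tuning.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for byte-uniform data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def enrich_file(name: str, data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Produce the metadata record an analyst would pivot on for this file."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= entropy_threshold,
        "type_mismatch": ext in MAGIC and not data.startswith(MAGIC[ext]),
        "embedded_script": [m.decode() for m in SCRIPT_MARKERS if m in data],
        "emails": sorted({m.decode() for m in EMAIL_RE.findall(data)}),
        "ssn_like": len(SSN_RE.findall(data)),
    }


def enrich_all(files=SAMPLE_FILES) -> dict:
    """Map file name -> enrichment record."""
    return {name: enrich_file(name, data) for name, data in files.items()}


def suspicious(record: dict) -> bool:
    """Illustrative triage rule: script in a document, or high-entropy content that
    does not match its declared type. High entropy alone is not a verdict:
    genuine JPEGs and archives are near 8.0 bits/byte too."""
    return bool(record["embedded_script"]) or (
        record["high_entropy"] and record["type_mismatch"])


if __name__ == "__main__":
    for rec in enrich_all().values():
        print(rec["name"], rec["sha256"][:12], rec["entropy"],
              "SUSPECT" if suspicious(rec) else "")
```

The type-mismatch check is what makes the entropy field usable: compressed images and audio are already near 8 bits/byte, so entropy only becomes a signal when paired with what the file claims to be, a hash that no reputation source knows, or a script marker where none belongs.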
Get Free Research from EMA Analysts
• http://www.enterprisemanagement.com/freeResearch
