Where There Is Smoke, There is Fire: Extracting Actionable Intelligence from Network Traffic with Real-Time Analysis

Page 1: Where There Is Smoke, There is Fire

David Monahan, Research Director, Security & Risk Management
Enterprise Management Associates (EMA)
@SecurityMonahan

IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Page 2: Today's Speaker

David Monahan, Research Director, Risk & Security Management, EMA

David has over 20 years of IT security experience and has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies.

© 2017 Enterprise Management Associates, Inc.

Page 3: Visibility Challenges

• Security personnel are overwhelmed

• Security personnel are inexperienced

• Attacks are varied and multifaceted

• Attacks are stealthy

• Attacks exploit user identity

• New zero-day attacks appearing regularly

• Getting the right data in a timely manner!


Page 4: Top 3 Security Challenges…

• Lack of analysis capabilities in the solutions: 58%
• Lack of dashboards: 38%
• Lack of reporting capabilities: 37%
• Lack of vendor supplied integration: 34%
• Lack of open APIs: 31%
• Other: 4%

(Shares sum to more than 100% because respondents could name more than one challenge.)

Need to combine network capabilities or data with endpoint security capabilities or data

Page 5: More Context

• 92% of organizations receive as many as 500 overall alerts per day
• 88% of organizations receive as many as 500 severe/critical alerts per day

MEANING: Most incidents are being classified as severe/critical
CAUSE: A lack of context [data] to properly prioritize the events
RESULT: Attacks cannot be properly prioritized

• 67% of organizations can only investigate <=10 severe/critical events per day
• 88% of organizations can only investigate <=25 severe/critical events per day

MEANING: Most incidents are not being investigated
CAUSE: A lack of context [data] to properly prioritize the events
RESULT: Attacks are going unidentified/uninvestigated

Page 6: Inexperience and a Lack of Skills

What type of data is best for early breach detection?
• I don't know: 72%
• Endpoint logs: 15%
• Packet capture: 7%
• Performance logs: 5%

Security teams affected by staffing shortage
• 2015: affected 68%, not affected 32%
• 2016: affected 76%, not affected 24%

Page 7: Security Team Bravado – Detecting breaches

• Very strong: 25%
• Strong: 47%
• Competent: 24%
• Underdeveloped: 4%
• Network security detection is not a significant focus of our security program: 1%

Page 8: Security Team Bravado – Incident response

• Very strong: 25%
• Strong: 41%
• Competent: 25%
• Underdeveloped: 8%
• Network security incident response is not a significant focus of our security program: 2%

Page 9: Security Team Bravado – Maintaining Environmental Baseline

• Yes: 58%
• No, but I believe it is important: 35%
• No, and I don't feel that it is necessary: 7%

Page 10: Data Used for Investigation

• Full packet data: 54%
• Log data: 50%
• Flow data: 46%
• Packet headers only: 38%

(Shares sum to more than 100% because respondents could select more than one data source.)

Page 11: Packet Data Use in Investigations

• Yes, for all investigations: 14%
• Yes, but only for critical investigations: 38%
• No, but we would like to/plan to: 30%
• No, and we have no particular need/interest: 3%
• I don't know: 16%

Page 12: Security Teams Need Automation to be Effective

Automation for Detection
• Very important: 51%
• Important: 35%
• Somewhat important: 13%
• Somewhat unimportant: 0%
• Not important at all: 1%

Automation for Incident Response
• Very important: 49%
• Important: 35%
• Somewhat important: 15%
• Somewhat unimportant: 1%
• Not important at all: 1%

Page 13: Centralized Operations Interface is Key

• Very important: 38%
• Important: 43%
• Somewhat important: 15%
• Somewhat unimportant: 3%
• Not important at all: 2%

Page 14: Metadata is Key to Success

• Invaluable: 15%
• Very valuable: 69%
• Moderately valuable: 15%

Page 15: Why Packets

Page 16: It's How the Attacks Arrive

• >99% of cyber attacks traverse the network in some way
  • Email/Web
  • Reconnaissance
  • Command and control
  • Data collection…
• Only insider attacks collecting local system data and posting it to removable media do not

Page 17: Accelerating Detection and Response

• Address Increased Advanced and Stealthy Threats
  – Threats hiding in normal application traffic, web, email, file transfers
  – Constantly morphing to avoid signatures, low and slow exfiltration methods
  – Abuse of DNS and HTTP traffic to coordinate and avoid detection
• Reduce Attacker Dwell Time: Still too Long
  – Need more telemetry faster
  – Increase analyst context
  – Lateral movement not detected soon enough
  – Endpoints don't have all the info
  – Better data to "connect the dots" from events
  – Quickly relate data correlations
  – Accelerate investigations with comprehensive forensics data
  – Connect the who, when, and how of a breach
  – Look deep inside files and content to distinguish between normal and suspect activity
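The "lateral movement not detected soon enough" and "connect the who, when, and how" points above reduce, in practice, to keeping a baseline of which internal hosts talk to which over administrative services and alerting on departures from it. The following is an added example written for this page, not code from the EMA deck or from any product it names. It works on flow-level metadata only (source, destination, port, time), so it needs nothing beyond the flow data most respondents already collect; every host, port, timestamp and threshold in it is constructed for the demo.

```python
"""Lateral-movement detection from flow metadata against a learned baseline.

Added example, not from the EMA deck or any product it names. Every host,
port, timestamp and threshold below is constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Services whose first-time use between two internal hosts is worth a look (assumed list).
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """(src, dst, dport) triples seen in the learning window, internal-to-internal only.

    Caveat: anything an attacker already did during that window becomes "normal",
    so learn from a window you have reason to believe was clean.
    """
    return {(f.src, f.dst, f.dport) for f in flows if is_internal(f.src) and is_internal(f.dst)}


def detect_lateral(flows, baseline, fanout_threshold=3):
    """Alert on first-seen internal admin connections and on sources fanning out to several new hosts.

    Each alert carries who (src), when (ts) and how (service): the fields an analyst
    needs to pivot into packet data or endpoint logs for that host and time.
    """
    alerts = []
    new_targets = defaultdict(set)
    for f in sorted(flows, key=lambda x: x.ts):
        if not (is_internal(f.src) and is_internal(f.dst)) or f.dport not in ADMIN_PORTS:
            continue
        if (f.src, f.dst, f.dport) in baseline:
            continue
        new_targets[f.src].add(f.dst)
        alerts.append({"ts": f.ts, "src": f.src, "dst": f.dst,
                       "service": ADMIN_PORTS[f.dport], "reason": "first-seen admin connection"})
    for src, dsts in new_targets.items():
        if len(dsts) >= fanout_threshold:
            alerts.append({"src": src, "targets": sorted(dsts),
                           "reason": f"admin fan-out to {len(dsts)} new hosts"})
    return alerts


def sample_baseline_flows():
    """Constructed learning window: a jump host managing servers, a workstation using one file share."""
    t0 = 1_700_000_000.0
    jump = [Flow(t0 + 3600 * i, "10.0.1.10", f"10.0.2.{5 + i}", 3389) for i in range(4)]
    share = [Flow(t0 + 900 * i, "10.0.5.23", "10.0.2.5", 445) for i in range(10)]
    return jump + share


def sample_window_flows():
    """Constructed detection window: the workstation starts touching new servers over SMB/RDP."""
    t0 = 1_700_100_000.0
    return [
        Flow(t0 + 10, "10.0.5.23", "10.0.2.5", 445),     # baseline pair: no alert
        Flow(t0 + 20, "10.0.1.10", "10.0.2.6", 3389),    # baseline pair: no alert
        Flow(t0 + 30, "10.0.5.23", "203.0.113.9", 443),  # external: out of scope for this rule
        Flow(t0 + 40, "10.0.5.23", "10.0.2.6", 445),     # new
        Flow(t0 + 55, "10.0.5.23", "10.0.2.7", 445),     # new
        Flow(t0 + 70, "10.0.5.23", "10.0.2.8", 3389),    # new, third distinct host -> fan-out
    ]


def run_sample():
    """Three first-seen alerts plus one fan-out alert for 10.0.5.23."""
    return detect_lateral(sample_window_flows(), build_baseline(sample_baseline_flows()))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The baseline is the weak point: it must be learned from a period you believe was clean, and it has to be re-learned as the environment changes, which is why the earlier slide asks whether teams maintain one at all. The fan-out rule is what separates a single new file-share mapping from a host working its way through a subnet.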

Page 18: QNI: Proactive Breach Detection versus Reactive Forensics

• QNI Value:
  – On-the-fly data stream analysis
  – Real-time correlation with other logged data
  – Vast metadata creation for case data enrichment
  – Better breach prevention
  – Earlier detection, especially against low and slow or complex attacks
  – Reduced false positives (Alert/no-Alert)
  – Better alert classification (Critical, High, Med, Low, Info)
  – Accelerated incident response
  – Reduced loss/damage of breach

Page 19: Where to Use QNI

• Leverage at any SOC function!
• Tier 1 (Incident receipt and processing)
  – Reduce incident volume = Reduced alert fatigue
  – Faster access to critical data = Faster response
  – Better incident prioritization = Better incident handling
  – Force multiplier = Reduced hand-offs to Tier 2 and Tier 3
• Tier 2 and Tier 3 (SecOps troubleshooting/investigations)
  – Better context = Faster resolution
• Tier 4 (Hunters)
  – Better visibility = Reduced attacker dwell time
  – Better analysis = Faster detection of related incidents
  – Reduced dwell time = Reduced incident impact/cost

Page 20: Not All SIEM Packet Analysis Created Equal

• Some only through 3rd-party partnerships
• Processing overhead causes delays for data access
  – Several minutes to hours based on volume and collection method
• Most integrated packet capture is only started on demand
• Accessing data is often not intuitive
• Little/no advanced data analysis up front
  – Most returned data is limited by queries or correlation rules
  – Analysis of data returns is left to the operator

Page 21: QNI Benefits

• Enriching data with:
  – DNS and other host detail
  – URLs, redirects
  – File data, file hashes, file entropy (image and audio files especially)
  – Application awareness: detected PII and confidential data
  – Usernames and email addresses
  – Embedded scripts detection
• Customizable suspect content feeds
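The enrichment list above (DNS and host detail, file entropy) and the earlier slide's "abuse of DNS ... low and slow exfiltration" describe the same idea from two sides: derive compact metadata from traffic as it passes, then judge its shape rather than wait for a signature. The following added example, written for this page and not taken from the EMA deck or from any product it names, computes that metadata over constructed DNS records and a constructed file body. All hosts, domains, timestamps and thresholds in it are assumptions made for the demo.

```python
"""Metadata extraction from traffic records: DNS-tunnel shape and payload entropy.

Added example, not code from the EMA deck or from any product it names.
Every domain, host, timestamp and threshold below is constructed for the demo.
"""
import base64
import hashlib
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    ts: float   # seconds since epoch (constructed)
    src: str    # querying host
    qname: str  # name queried


def shannon_entropy(data: bytes) -> float:
    """Bits per symbol: 0 for one repeated byte, approaching 8 for uniform random bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_payload(data: bytes, threshold: float = 7.0) -> str:
    """Entropy hint for a transferred file body; compressed or encrypted data sits near 8 bits/byte."""
    return "high-entropy" if shannon_entropy(data) >= threshold else "plaintext/structured"


def registered_domain(qname: str) -> str:
    # Last two labels only; production tooling should use the public suffix list.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def subdomain_part(qname: str) -> str:
    return ".".join(qname.rstrip(".").split(".")[:-2])


def enrich_dns(queries, min_unique=20, entropy_threshold=3.5, max_rate_per_min=10.0):
    """Per (src, registered domain) metadata with a 'low and slow' DNS-tunnel verdict.

    The verdict needs many distinct subdomains, high label entropy (encoded data) and a
    modest query rate: trickled exfiltration, not a burst that volume rules already catch.
    """
    by_pair = defaultdict(list)
    for q in queries:
        by_pair[(q.src, registered_domain(q.qname))].append(q)
    result = {}
    for pair, qs in by_pair.items():
        subs = {subdomain_part(q.qname) for q in qs} - {""}
        entropies = [shannon_entropy(s.encode()) for s in subs]
        span_min = (max(q.ts for q in qs) - min(q.ts for q in qs)) / 60.0
        rate = len(qs) / max(span_min, 1 / 60)  # queries per minute, floor of one second
        meta = {
            "queries": len(qs),
            "unique_subdomains": len(subs),
            "mean_label_entropy": sum(entropies) / len(entropies) if entropies else 0.0,
            "bytes_in_names": sum(len(q.qname) for q in qs),
            "rate_per_min": rate,
        }
        meta["suspect_tunnel"] = (
            meta["unique_subdomains"] >= min_unique
            and meta["mean_label_entropy"] >= entropy_threshold
            and rate <= max_rate_per_min
        )
        result[pair] = meta
    return result


def pseudo_random_bytes(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic stand-in for an encrypted blob (SHA-256 chain) so the demo runs offline."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _encoded_label(i: int) -> str:
    # Looks like a chunk of base32-encoded data, the form DNS tunnels emit.
    return base64.b32encode(hashlib.sha256(f"chunk-{i}".encode()).digest()).decode().lower()[:40]


def sample_queries():
    """Constructed records: one trickling tunnel, one burst of encoded names, one ordinary host."""
    t0 = 1_700_000_000.0
    tunnel = [DnsQuery(t0 + 20 * i, "10.0.0.5", f"{_encoded_label(i)}.tunnel.example") for i in range(30)]
    burst = [DnsQuery(t0 + 0.04 * i, "10.0.0.9", f"{_encoded_label(100 + i)}.assets.example") for i in range(25)]
    normal = [DnsQuery(t0 + 60 * i, "10.0.0.7", ["www", "mail"][i % 2] + ".example.com") for i in range(6)]
    return tunnel + burst + normal


if __name__ == "__main__":
    for pair, meta in enrich_dns(sample_queries()).items():
        print(pair, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in meta.items()})
    print(classify_payload(b"hello world\n" * 300), classify_payload(pseudo_random_bytes(4096)))
```

Label entropy alone is a weak signal: CDN and telemetry hostnames look just as random, which is why the verdict also requires many distinct names and a sustained low rate from one source. The same entropy function applied to file bodies gives the "file entropy" metadata the slide lists; a high value on an image or audio transfer says nothing by itself, but paired with a first-seen destination or an unusual hour it is the context that the earlier slides say analysts lack.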

Page 22: Get Free Research from EMA analysts

• http://www.enterprisemanagement.com/freeResearch