NovettaCyberAnalytics_WhySIEMsWith_PB-W_06292015.pdf
WHY SIEMS WITH ADVANCED NETWORK-TRAFFIC ANALYTICS IS A POWERFUL COMBINATION
A Novetta Cyber Analytics Brief
INTRODUCTION
Novetta Cyber Analytics is an advanced network-traffic analytics solution that gives analysts
comprehensive, near-real-time cyber security visibility and awareness, filling a critical gap in today's
enterprise cyber security toolset. With queries that return in seconds even at petabyte scale, the solution
lets analysts get complete answers to complex questions "at the speed of thought," then immediately
access the ground-truth network traffic needed for alert triage, incident response and hunting. The
solution substantially increases the efficiency and effectiveness of IT security staff and threat
responders by putting the right information in front of them when they need it.
Security Information and Event Management solutions (SIEMs) have become commonplace in cyber
security operations, and because of this there is a lot of confusion about exactly what a SIEM is versus
Novetta Cyber Analytics. The short answer is that a SIEM aggregates, correlates and analyzes the events,
logs and alerts produced by machines, while Novetta Cyber Analytics enables security analysts to rapidly
analyze raw network traffic. The longer answer is, of course, more complex than this, and cyber security
shops that use both have a powerful combination on their hands. This paper takes the reader through:
• A brief history of how cyber security has 'grown up' in most enterprise shops, which helps to contextualize the differences
• A discussion of SIEM limitations
• How Novetta Cyber Analytics fills a critical gap in the toolset of most cyber security shops today
• How a SIEM plus Novetta Cyber Analytics creates an improved security posture while concurrently lessening the need for hard-to-find analysts
SIEM • 7921 Jones Branch Drive • McLean VA 22102 • [email protected]
A BRIEF HISTORY OF ENTERPRISE CYBER SECURITY
In 1988 the Morris Worm, widely regarded as the first worm to spread widely across the Internet (a worm
being a self-propagating program), disabled a significant share of the hosts connected at the time.
Through the 1990s and into 2000, new viruses and worms such as ILOVEYOU (2000) were written and spread to
millions of computers, seemingly without any true objective or motivation beyond spreading. Since then,
attacks have become far more targeted and far more sophisticated, with many intrusions lasting months or
more and pursuing clear objectives such as stealing intellectual property, credit card data, money, and
health records.
Beginning with signature-based antivirus, ever more sophisticated defenses have been designed to counter
ever more sophisticated attacks. Firewalls, Network Access Control solutions, Intrusion Detection/Prevention
Systems, Data Loss Prevention systems, next-generation firewalls and so on have all been developed and
deployed to prevent and detect unauthorized access and to detect and mitigate malware. Each of these
creates its own events and logs and throws alerts about perceived threats to security analysts for further
analysis. With up to a dozen kinds of system and perhaps hundreds of security appliances sending alerts,
analysts were overwhelmed. So in 1996 the first SIEM tool was introduced to automate the process of
parsing all of this data to determine which alerts and logs truly represent a threat. To do this, SIEMs
correlate multiple events and alerts from disparate systems, then use rules and triggers to highlight
suspicious activity. This is still the basic capability of SIEMs today, although many now also correlate
logs, events and alerts from non-security applications and from endpoints, and offer other capabilities
such as dashboarding, compliance reporting, and incident workflow tracking.
SIEM LIMITATIONS
SIEMs are quite useful for managing the alerts and logs from many disparate systems, as many common
attack patterns can be detected by aggregating and correlating alerts and logs. SIEMs free analysts from a
lot of mundane work, but they cannot be relied upon as an end-all, be-all security solution, because the
more advanced attacks, the ones that cause the most damage, take advantage of the limitations below.
Tuning a SIEM Perfectly is Nigh Impossible
After first deployment, it usually takes months for a SIEM to become truly useful within an enterprise
environment. This is because you have to 'train' it to understand your environment: for example, which IP
addresses belong to which types of hosts, and therefore which types of activity are acceptable or
unacceptable from each host. Once you have spent the time to do this accurately and completely, you then
face a choice: "How loose or tight do I set my alerting threshold?" Too tight, and you might miss
something important.
Too loose, and your analysts will be overwhelmed. There is no right answer here; this is more art than
science.
Logs and Alerts are Expensive to Manage
Every system writes its logs in its own way. Combining hundreds of log sources into a single, searchable
format demands time, money, and a commitment to data integration. "Did we exclude any important logs?"
"Did we map the data fields correctly?" "How do we ignore duplicate events reported by multiple logs?"
"Was there no email traffic on Sunday, or was the mail server down? Should we monitor uptime logs, too?"
These are the routine questions a network security team answers on a regular basis for its SIEM. Time
spent on data integration is time borrowed from detecting more advanced attacks.
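The two limitations above, in working code. This is an added example, not Novetta's or any SIEM vendor's code: it parses two constructed log formats (a key=value firewall log with epoch timestamps and a syslog-style sshd log with no year and a host name instead of an IP) into one schema, drops the duplicate event the firewall reported twice, attaches a constructed asset inventory, and runs a "failed logins followed by a success" rule whose threshold is the knob the text describes. Every host, IP, log line and field name is constructed.

```python
"""Normalize heterogeneous logs, de-duplicate, and correlate with a tunable threshold."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed firewall log. The two 'allow' lines at ts=1435536002 are one packet logged twice.
FIREWALL_LOG = """\
ts=1435536000 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
ts=1435536001 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
ts=1435536002 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
ts=1435536002 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
ts=1435536009 action=allow src=10.0.0.9 dst=10.0.0.5 dport=22 proto=tcp
"""
# Constructed sshd log in syslog style: no year, and the host is named, not addressed.
SSH_LOG = """\
Jun 29 00:00:02 bastion sshd[4711]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jun 29 00:00:03 bastion sshd[4711]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jun 29 00:00:04 bastion sshd[4711]: Failed password for root from 203.0.113.7 port 50112 ssh2
Jun 29 00:00:05 bastion sshd[4712]: Accepted password for root from 203.0.113.7 port 50113 ssh2
Jun 29 00:00:09 bastion sshd[4713]: Failed password for ops from 10.0.0.9 port 40000 ssh2
Jun 29 00:00:10 bastion sshd[4713]: Accepted publickey for ops from 10.0.0.9 port 40000 ssh2
"""
FW_RE = re.compile(r"ts=(\d+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")
SSH_RE = re.compile(r"^(\w{3}) (\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) sshd\[\d+\]: "
                    r"(Failed|Accepted) \w+ for (\S+) from (\S+) port \d+")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# Constructed asset inventory: the context a SIEM has to be 'trained' with.
ASSETS = {"10.0.0.5": "bastion", "10.0.0.9": "admin-workstation"}
HOST_IPS = {"bastion": "10.0.0.5"}


def parse_firewall(text):
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            yield {"ts": int(ts), "source": "firewall", "src": src, "dst": dst,
                   "event": f"tcp/{dport}", "outcome": action, "user": None}


def parse_ssh(text, year=2015):
    """Syslog lines carry no year; the caller supplies it (assumed 2015 here)."""
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            mon, day, hh, mm, ss, host, result, user, src = m.groups()
            when = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=timezone.utc)
            yield {"ts": int(when.timestamp()), "source": "sshd", "src": src,
                   "dst": HOST_IPS.get(host, host), "event": "ssh-login",
                   "outcome": "success" if result == "Accepted" else "failure", "user": user}


def normalize(*streams):
    """Merge parsed streams into one time-ordered list, dropping exact duplicate events."""
    seen, events = set(), []
    for stream in streams:
        for ev in stream:
            key = (ev["ts"], ev["source"], ev["src"], ev["dst"], ev["event"], ev["outcome"])
            if key not in seen:
                seen.add(key)
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold, window=300):
    """Alert when >= threshold failed logins from one source to one host are followed by a
    success within `window` seconds. Too high a threshold misses the attack; too low floods
    analysts with an admin's typo. Alerts carry the asset roles so an analyst can see context."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["event"] != "ssh-login":
            continue
        pair = (ev["src"], ev["dst"])
        if ev["outcome"] == "failure":
            failures[pair].append(ev["ts"])
            continue
        recent = [t for t in failures[pair] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"src": ev["src"], "src_role": ASSETS.get(ev["src"], "external"),
                           "dst": ev["dst"], "dst_role": ASSETS.get(ev["dst"], "unknown"),
                           "user": ev["user"], "failures": len(recent)})
        failures[pair].clear()
    return alerts


if __name__ == "__main__":
    events = normalize(parse_firewall(FIREWALL_LOG), parse_ssh(SSH_LOG))
    for threshold in (1, 3, 5):
        print(f"threshold={threshold}:", brute_force_then_success(events, threshold))
```

Running it shows the tuning problem directly: a threshold of 3 fires once, on the external source that guessed root's password; a threshold of 1 also fires on the administrator who mistyped a password from the admin workstation; a threshold of 5 fires on nothing at all.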
Logs Give an Incomplete View of Reality
Applications write just enough information in their logs to support diagnostics. They discard the rest to
conserve disk space and to keep the logs legible to humans. Likewise, they tend to write interpretations
of events rather than the contents of the events themselves. Altogether this produces a source of
information that is incomplete, and sometimes vague or irrelevant to an incident response investigation,
which usually forces analysts to wrangle data from multiple systems in an attempt to find out what is truly
happening, a tedious and time-consuming process.
Logs and Alerts are Prone to Sabotage
Logs and alerts are generated by applications and hosts, and an attacker who has exploited a host can
alter whatever that host writes. So one of the first things a capable attacker does after a successful
breach is to modify or delete logs to hide the evidence of the breach and of any further malicious activity.
Forwarding logs off the host as they are written limits this (copies already received cannot be rewritten
from the compromised host) but does not eliminate it, since the attacker controls what is written afterwards.
This makes logs a dubious source of information when the issue at hand is a truly advanced threat.
HOW NOVETTA CYBER ANALYTICS FILLS A CRITICAL GAP
Because of these SIEM limitations, analysts frequently need queries that a SIEM simply cannot run, or a
review of raw network packet capture (PCAP), to determine whether, for example, an alert is accurate and,
if so, its true scope and severity. Traffic captured by network sensors is recorded out of band and cannot
be rewritten after the fact from a compromised host; it is the ground truth and includes everything
exchanged between hosts.
Comprehensive Network View
With strategically placed sensors providing a comprehensive network view, and with a single columnar
'table' of observed network traffic at its core, Novetta Cyber Analytics answers complex queries rapidly
and completely. An analyst can, for example, quickly find all sessions and hosts related to a particular
threat or alert, immediately drill into the directly related PCAP, pivot
and search through more remotely related PCAP, and then repeat. The speed of this iterative loop lets an
analyst quickly reach a comprehensive and confident answer as to the criticality and scope of a particular
alert.
Rapid, Streamlined Alert Investigations
The alert investigation process is very streamlined for any SIEM console that can call the Novetta Cyber
Analytics APIs. Once the analyst receives a correlated SIEM alert, or a signature-based DPI alert from a
Security Analytics solution that has been forwarded to the SIEM console, they simply right-click in the
console to launch a Novetta Cyber Analytics query for the associated information and traffic, and the
query returns in seconds. The information and traffic provided to the analyst includes details such as IP
addresses, domain names and their owners, blacklist membership, geography, and more. The analyst can then
use the Novetta Cyber Analytics "View Contents" feature to instantly preview the first 10KB of the
associated payload data in the packet capture. Should the analyst find malware or other interesting data,
they can instantly retrieve the full packet capture as seen on the wire. This enables them to perform
traffic replay, session reconstruction, malware extraction, and other forensic activities, or to pivot to
other searches.
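The query-then-pivot loop of the previous two sections, as an added example that is not Novetta's schema, store or API. It keeps a small session table in SQLite (row-oriented, standing in for the columnar store the text describes) and shows the four steps an analyst takes from an alert: find every session touching an indicator, pivot one hop to the sessions those peers had with other hosts, enrich an address against a constructed blocklist and asset list, and preview the leading bytes of a session's payload before pulling the full capture. All sessions, addresses, names and the blocklist are constructed.

```python
"""Indicator search, one-hop pivot, enrichment and payload preview over a session table."""
import ipaddress
import sqlite3

# Constructed sessions: (start_ts, src, sport, dst, dport, proto, bytes, payload prefix)
SESSIONS = [
    (1435536100, "10.0.0.12", 51000, "198.51.100.20", 443, "tcp", 1800,
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),
    (1435536105, "10.0.0.12", 51001, "198.51.100.20", 80, "tcp", 900,
     b"GET /update.php?id=7 HTTP/1.1\r\nHost: cdn-update.example\r\n\r\n"),
    (1435536300, "10.0.0.12", 51002, "10.0.0.40", 445, "tcp", 250000,
     b"\x00\x00\x00\x45\xfeSMB" + b"\x00" * 32),
    (1435536400, "10.0.0.40", 52000, "198.51.100.20", 443, "tcp", 12000,
     b"\x16\x03\x01" + b"\x00" * 32),
    (1435536500, "10.0.0.77", 53000, "192.0.2.9", 53, "udp", 120,
     b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed asset context
BLOCKLIST = {"198.51.100.20"}                           # constructed threat-intel feed
DNS_NAMES = {"198.51.100.20": "cdn-update.example", "192.0.2.9": "ns1.example"}  # constructed


def load(sessions):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (ts INTEGER, src TEXT, sport INTEGER, dst TEXT, "
                 "dport INTEGER, proto TEXT, bytes INTEGER, payload BLOB)")
    conn.execute("CREATE INDEX idx_src ON sessions(src)")
    conn.execute("CREATE INDEX idx_dst ON sessions(dst)")
    conn.executemany("INSERT INTO sessions VALUES (?,?,?,?,?,?,?,?)", sessions)
    return conn


def sessions_for(conn, ip):
    """Every session in which `ip` was either endpoint (the 'directly related' traffic)."""
    return conn.execute("SELECT ts, src, sport, dst, dport, proto, bytes FROM sessions "
                        "WHERE src = ? OR dst = ? ORDER BY ts", (ip, ip)).fetchall()


def pivot(conn, ip):
    """One hop out: sessions between the hosts that talked to `ip` and anyone other than `ip`,
    i.e. the 'more remotely related' traffic, such as lateral movement after a download."""
    peers = {r[1] if r[1] != ip else r[3] for r in sessions_for(conn, ip)}
    if not peers:
        return []
    marks = ",".join("?" * len(peers))          # placeholders only; no values are interpolated
    return conn.execute(f"SELECT ts, src, sport, dst, dport, proto, bytes FROM sessions "
                        f"WHERE (src IN ({marks}) OR dst IN ({marks})) AND src != ? AND dst != ? "
                        f"ORDER BY ts", (*peers, *peers, ip, ip)).fetchall()


def enrich(ip):
    """Context an analyst wants next to an address: internal or not, on a blocklist, known name."""
    addr = ipaddress.ip_address(ip)
    return {"ip": ip, "internal": any(addr in net for net in INTERNAL_NETS),
            "blocklisted": ip in BLOCKLIST, "name": DNS_NAMES.get(ip)}


def preview(conn, ts, src, sport, limit=10240):
    """First `limit` bytes of one session's payload with a crude protocol guess from the
    leading bytes; the step before retrieving the full capture. None if no such session."""
    row = conn.execute("SELECT payload FROM sessions WHERE ts = ? AND src = ? AND sport = ?",
                       (ts, src, sport)).fetchone()
    if row is None:
        return None
    data = bytes(row[0][:limit])
    if data[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):
        guess = "tls"
    elif data[:4] in (b"GET ", b"POST", b"HTTP"):
        guess = "http"
    elif b"\xfeSMB" in data[:8] or b"\xffSMB" in data[:8]:
        guess = "smb"
    else:
        guess = "unknown"
    return {"bytes": data, "guess": guess}


if __name__ == "__main__":
    db = load(SESSIONS)
    hit = "198.51.100.20"                       # the indicator from a constructed alert
    print("direct:", sessions_for(db, hit))
    print("pivot:", pivot(db, hit))
    print("enrich:", enrich(hit))
    print("preview:", preview(db, 1435536105, "10.0.0.12", 51001, limit=32))
```

Given the alert indicator 198.51.100.20, the direct query returns the three sessions with that host, the pivot surfaces the SMB session from the first infected workstation to a second internal host, and the preview of the port-80 session shows a plain HTTP download request, which is what prompts pulling the full capture.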
Figure: A view of how Novetta Cyber Analytics fits into a typical security shop's workflows.
* For explanations of these queries, see the document "The Top 10 Built-in Investigative Analytics: Examples of how this solution is used and why it's so powerful."
By combining the data associated with any alert with a comprehensive, rapidly searchable view of
network traffic, analysts have all the information they need to rapidly triage correlated, behavioral,
and signature-based alerts.
Fast and Complete Incident Response and Forensics
Once an analyst has determined the full extent of a threat using Novetta Cyber Analytics, they can quickly
export the key packet capture to a traffic-analysis tool (such as Wireshark) or a forensics tool for deeper
analysis and traffic replay. In this fashion, the deep-dive forensics tool is used for its key capability
only after a subset of network traffic has been identified. This workflow dramatically accelerates the
operational tempo of analysts: they can start at a SIEM console alert, attain situational awareness,
identify threats, get visibility of raw packet capture, and perform deep-dive analysis, all far faster
than without Novetta Cyber Analytics.
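The export step above, as an added example that is not Novetta's code: carve the packets of one TCP session out of a capture and write them as a classic pcap file that Wireshark opens. The capture is constructed in the block itself (a plain-HTTP download and an unrelated TLS handshake, built as raw IPv4+TCP packets with valid header checksums so Wireshark's dissectors do not complain); it uses only the standard library. Addresses, ports and payloads are constructed.

```python
"""Carve one session out of a capture and write it as a classic pcap for Wireshark."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101          # records start at the IPv4 header; no Ethernet frame
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def checksum(data):
    """RFC 1071 ones'-complement sum, as used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Minimal IPv4+TCP packet (no options) with correct IP and TCP checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def five_tuple(packet):
    """(src, sport, dst, dport) read back from a raw IPv4+TCP packet without options."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack("!HH", packet[20:24])
    return src, sport, dst, dport


# Constructed capture: (timestamp in microseconds, raw IPv4 packet). Two sessions.
CAPTURE = [
    (1435536105_000000, build_ipv4_tcp("10.0.0.12", 51001, "198.51.100.20", 80, 1000, 0, SYN)),
    (1435536105_040000, build_ipv4_tcp("198.51.100.20", 80, "10.0.0.12", 51001, 5000, 1001, SYNACK)),
    (1435536105_040500, build_ipv4_tcp("10.0.0.12", 51001, "198.51.100.20", 80, 1001, 5001, PSHACK,
                                       b"GET /update.php?id=7 HTTP/1.1\r\nHost: cdn-update.example\r\n\r\n")),
    (1435536105_090000, build_ipv4_tcp("198.51.100.20", 80, "10.0.0.12", 51001, 5001, 1060, PSHACK,
                                       b"HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nMZ\x90\x00")),
    (1435536400_000000, build_ipv4_tcp("10.0.0.40", 52000, "198.51.100.20", 443, 7000, 0, SYN)),
]


def carve(capture, src, sport, dst, dport):
    """All packets of one TCP session, both directions, in capture order."""
    fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
    return [(ts, pkt) for ts, pkt in capture if five_tuple(pkt) in (fwd, rev)]


def build_pcap(frames, snaplen=65535):
    """Classic little-endian pcap (magic 0xa1b2c3d4, version 2.4), one record per packet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)
    for ts_us, pkt in frames:
        sec, usec = divmod(ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def pcap_summary(data):
    """Parse a pcap back into (linktype, record count) as a round-trip sanity check."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a classic little-endian pcap")
    off, count = 24, 0
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16 + incl
        count += 1
    return linktype, count


def write_pcap(path, frames):
    with open(path, "wb") as fh:
        fh.write(build_pcap(frames))
    return len(frames)


if __name__ == "__main__":
    session = carve(CAPTURE, "10.0.0.12", 51001, "198.51.100.20", 80)
    n = write_pcap("session.pcap", session)
    print(f"{n} packets written; open with: wireshark session.pcap")
```

Wireshark's "Follow TCP Stream" on the resulting file reconstructs the request and the `MZ`-headed response body, which is the point of handing a carved subset, rather than the whole capture, to the deep-dive tool.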
IMPROVED POSTURE PLUS A LESSENED NEED FOR ANALYSTS
Novetta Cyber Analytics allows security shops to rapidly triage their SIEM's alerts while concurrently
tightening their SIEM alerting thresholds and lessening their reliance on ever more complex automated
correlations, which of course require ever more time-consuming data integration. By letting the SIEM
move closer to its original purpose, the simple aggregation and correlation of alerts from multiple
perimeter defense tools, the combination frees security teams, even Tier 1 analysts, to spend far more
time understanding their network and proactively hunting intruders instead of reacting to mostly
false-positive alerts or spending the copious time needed to wrangle data from multiple systems. Cyber
security shops that have deployed this combination have found that their overall cyber security posture
has markedly improved while their need for hard-to-find cyber security workers has lessened.
CONCLUSION
Organizations that use both a SIEM and Novetta Cyber Analytics have a powerful combination that gives
analysts and their teams far greater visibility and awareness and substantially accelerates their
operational tempo as they explore their networks, investigate specific alerts and incidents, and perform
forensics. A SIEM plus Novetta Cyber Analytics makes security teams far more efficient and effective, and
because of this, the combination gives a security team's management chain far more confidence in its
overall cyber security efforts.