WHY SIEMS WITH ADVANCED NETWORK-TRAFFIC ANALYTICS IS A POWERFUL COMBINATION

A Novetta Cyber Analytics Brief


INTRODUCTION

Novetta Cyber Analytics is an advanced network-traffic analytics solution that empowers analysts with comprehensive, near-real-time cyber security visibility and awareness, filling a critical gap in today’s enterprise cyber security toolset. With queries that take only seconds, even at petabyte scale, the solution enables analysts to receive comprehensive answers to complex questions “at the speed of thought,” then instantly access the ground-truth network traffic needed for alert triage, incident response and hunting. The solution dramatically increases the efficiency and effectiveness of IT security staff and threat responders by providing them with the right information when they need it.

Security Information and Event Management solutions (SIEMs) have become quite commonplace within cyber security operations today, and because of this there is a lot of confusion as to exactly what a SIEM is versus Novetta Cyber Analytics. The short answer is that SIEMs aggregate, correlate and analyze events, logs and alerts produced by machines, while Novetta Cyber Analytics enables the rapid analysis of raw network traffic by security analysts. The longer answer is, of course, much more complex than this, but cyber security shops that use both have a powerful combination on their hands. This paper will take the reader through:

• A brief history of how cyber security has ‘grown up’ in most enterprise shops, which will help to contextualize the differences

• A discussion of SIEM limitations

• How Novetta Cyber Analytics fills a critical missing gap in the toolset of most cyber security shops today

• How a SIEM plus Novetta Cyber Analytics creates an improved security posture, while concurrently lessening the need for hard-to-find analysts

1SIEM • 7921 Jones Branch Drive • McLean VA 22102 • [email protected]


A BRIEF HISTORY OF ENTERPRISE CYBER SECURITY

In 1988 the Morris Worm, widely regarded as the first computer worm (a self-propagating virus), succeeded in debilitating much of the Internet. Throughout the 1990s new viruses, such as ILOVEYOU, were created and spread to millions of computers, seemingly without any true objective or motivation. Since then, the attacks have become far more targeted, and far more sophisticated, with many intrusions lasting months or more and pursuing clear objectives, such as stealing intellectual property, credit cards, money, and health records.

Beginning with signature-based antivirus solutions, over time more and more sophisticated defense mechanisms have been designed to counter more and more sophisticated types of attacks. Firewalls, Network Access Control solutions, Intrusion Detection/Prevention Systems, Data Loss Prevention systems, NextGen Firewalls, etc. have all been developed and deployed to prevent and detect unauthorized access and/or detect and mitigate malware. All of these solutions create separate events and logs and throw off alerts of perceived threats to security analysts for further analysis. But with up to a dozen systems and perhaps hundreds of security boxes sending alerts, analysts were overwhelmed. So in 1996 the first SIEM tool was introduced to attempt to automate the process of parsing through all of this data to determine which alerts and logs truly represent a threat. To do this, SIEMs correlate multiple events and alerts from disparate systems, then use rules and triggers to highlight suspicious activity. This is still the basic capability of SIEMs today, although many have extended their log, event and alert correlation to non-security applications as well as clients, and also offer other capabilities such as dashboarding, compliance reporting, and incident workflow tracking.

SIEM LIMITATIONS

SIEMs can be quite useful when attempting to manage the alerts and logs from many disparate systems, as there are many common attack patterns that can be detected by the aggregation and correlation of alerts and logs. SIEMs free analysts from doing a lot of mundane work, but they cannot be relied upon as an end-all, be-all security solution, because more advanced attacks, the ones that cause the most damage, take advantage of the limitations below.

‘Tuning’ a SIEM Perfectly is Nigh Impossible

After first deployment, it usually takes months for a SIEM to become truly useful within an enterprise environment. This is because you have to ‘train’ it to understand your environment: for example, which IP addresses belong to which types of hosts, and therefore which types of activities are acceptable or not acceptable from a given host. Once you’ve spent the time to do this accurately and completely, you then have a choice: “How loose or tight do I set my alerting threshold?” Too tight, and you might miss something important. Too loose, and your analysts will be overwhelmed. There is no right answer here, as this is more of an art than a science.

Logs and Alerts are Expensive to Manage

Every system writes its logs in a unique way. Combining hundreds of logs into a single, searchable format demands time, money, and a commitment to data integration. “Did we exclude any important logs?” “Did we map the data fields correctly?” “How do we ignore duplicate events from multiple logs?” “Was there no email traffic on Sunday? Or was the mail server down? Should we monitor uptime logs, too?” These are the routine questions a network security team answers on a regular basis for their SIEM. Time spent on data integration is time borrowed from detecting more advanced attacks.

Logs Give an Incomplete View of Reality

Applications write just enough information in their logs to support diagnostics. They discard the rest to conserve disk space and to keep the logs legible to humans. Likewise, they tend to write interpretations of events rather than the contents of the events themselves. Altogether this produces a source of information that is incomplete and sometimes vague or irrelevant to an incident response investigation, which usually forces analysts to wrangle data from multiple systems attempting to find out what is truly happening: a tedious, time-consuming process.

Logs and Alerts are Prone to Sabotage

Logs and alerts are generated by applications, which are vulnerable to exploitation. Consequently, logs and alerts are vulnerable to exploitation. So, the first thing a smart attacker does upon a successful breach is to modify the logs to hide the evidence of the breach and any future malicious activity. This makes logs a dubious source of information when the issue at hand is a truly advanced threat.

HOW NOVETTA CYBER ANALYTICS FILLS A CRITICAL GAP

Due to the above SIEM limitations, analysts frequently encounter situations where queries are needed that a SIEM simply cannot run, and/or a review of raw network packet capture (PCAP) is required to determine if, for example, an alert is accurate and, if so, its true scope and severity. Network traffic cannot be corrupted — it is the ground truth and includes all information exchanged between hosts.
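The three log limitations above (the “was the mail server down?” question, incomplete logs, and logs edited after a breach) share one defensive check: reconcile what a service logged against the sessions a network sensor saw. This added example is not Novetta code; the flow records, the simplified mail-server log and the function names are constructed for illustration.

```python
"""Cross-check a service's log against sessions seen on the wire.

Added example, not Novetta code: when a log is incomplete or was edited after
a breach, the network record still shows the session, so any session to the
service that no log line accounts for is worth a look. Names and data here
are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sensor output: one record per observed session.
FLOWS = [
    {"ts": "2015-06-28T09:00:10", "src": "10.1.1.5", "dst": "10.1.1.25", "dport": 25},
    {"ts": "2015-06-28T09:05:42", "src": "10.1.1.7", "dst": "10.1.1.25", "dport": 25},
    {"ts": "2015-06-28T09:07:03", "src": "203.0.113.9", "dst": "10.1.1.25", "dport": 22},
]

# Constructed mail-server log (simplified syslog shape). The 09:05 SMTP session
# has no line at all, as it would if the entry had been deleted or never written.
MAIL_LOG = """\
2015-06-28T09:00:11 mail postfix/smtpd: connect from 10.1.1.5
2015-06-28T09:00:12 mail postfix/smtpd: disconnect from 10.1.1.5
"""


def parse_log(text):
    """Return (timestamp, client_ip) for each 'connect from' line."""
    events = []
    for line in text.splitlines():
        if "connect from" not in line or "disconnect" in line:
            continue
        ts, _, rest = line.partition(" ")
        events.append((datetime.fromisoformat(ts), rest.rsplit(" ", 1)[-1]))
    return events


def unlogged_flows(flows, log_events, logged_port=25, window=timedelta(seconds=5)):
    """Sessions to the logged service with no log line from the same client
    within `window`. No flows at all means the service really was quiet; flows
    returned here mean the wire saw traffic that the log does not show."""
    missing = []
    for flow in flows:
        if flow["dport"] != logged_port:
            continue  # the mail log cannot vouch for other services
        t = datetime.fromisoformat(flow["ts"])
        if not any(ip == flow["src"] and abs(ts - t) <= window for ts, ip in log_events):
            missing.append(flow)
    return missing
```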

Comprehensive Network View

With strategically placed sensors providing a comprehensive network view, and with its core being a single columnar ‘table’ of observed network traffic, Novetta Cyber Analytics answers complex, relevant queries extremely rapidly and completely, allowing an analyst to, for example, quickly find all sessions and hosts related to a particular threat or alert, immediately drill into the directly related PCAP, pivot and search through more remotely related PCAP, and then repeat. The rapidity of this iterative process provides an analyst with the ability to quickly come to a comprehensive and confident answer as to the criticality and scope of a particular alert.

Rapid, Streamlined Alert Investigations

The alert investigation process is very streamlined for any SIEM console that can access the Novetta Cyber Analytics APIs: once the analyst receives a correlated SIEM alert, or perhaps even a signature-based DPI alert from their Security Analytics solution coming through to their SIEM console, they simply right-click on their menu to launch a Novetta Cyber Analytics query for associated information and traffic, and the query will be returned in seconds. The information and traffic provided to the analyst includes detailed information such as IP addresses, domain names and owners, blacklist membership, geography, and more. The analyst can then use the Novetta Cyber Analytics “View Contents” feature to instantly preview the first 10KB of the associated payload data in the packet capture. Should the analyst find malware or other interesting data, they can instantly retrieve the full packet capture as seen on the wire. This enables them to perform traffic replay, session reconstruction, malware extraction, and other forensic activities — or pivot to other searches.
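The iterative pivot described under “Comprehensive Network View” and the alert-to-PCAP workflow just described can be modelled over a small columnar session table: start from the host in an alert, collect its sessions, widen by one hop at a time, and cap each payload preview at 10KB. This is an added example and not the Novetta API; SESSIONS, sessions_for(), pivot() and preview() are hypothetical names and the data is constructed.

```python
"""Alert-driven pivot over a columnar session table.

Added example, not the Novetta API: starting from the host named in a SIEM
alert, collect every session it took part in, widen to the hosts those
sessions reached, and cap each payload preview at 10 KB. SESSIONS, pivot()
and preview() are hypothetical names; the data is constructed.
"""
from collections import deque

PREVIEW_LIMIT = 10 * 1024  # first 10KB of payload, as in the brief's "View Contents"

# Columnar layout: one list per field; a session is one row index across them.
SESSIONS = {
    "src": ["10.1.1.5", "10.1.1.5", "10.1.1.9", "10.1.1.9", "10.1.1.30"],
    "dst": ["198.51.100.4", "10.1.1.9", "198.51.100.4", "10.1.1.30", "10.1.1.40"],
    "dport": [443, 445, 443, 445, 445],
    "payload": [b"\x16\x03\x01" + b"A" * 20000, b"SMB" * 100,
                b"\x16\x03\x01" + b"B" * 5, b"SMB" * 2, b"SMB"],
}


def sessions_for(host):
    """Row indices of every session in which host is client or server."""
    pairs = zip(SESSIONS["src"], SESSIONS["dst"])
    return [i for i, (s, d) in enumerate(pairs) if host in (s, d)]


def pivot(seed, max_hops):
    """Breadth-first expansion from the alerted host. Returns host -> hop
    distance and the sorted row indices of every session touched, so an
    analyst can widen the search one hop at a time and then repeat."""
    hops = {seed: 0}
    queue = deque([seed])
    rows = set()
    while queue:
        host = queue.popleft()
        if hops[host] >= max_hops:
            continue  # do not expand beyond the requested radius
        for i in sessions_for(host):
            rows.add(i)
            peer = SESSIONS["dst"][i] if SESSIONS["src"][i] == host else SESSIONS["src"][i]
            if peer not in hops:
                hops[peer] = hops[host] + 1
                queue.append(peer)
    return hops, sorted(rows)


def preview(row):
    """First PREVIEW_LIMIT bytes of a session's payload and whether it was cut."""
    data = SESSIONS["payload"][row]
    return data[:PREVIEW_LIMIT], len(data) > PREVIEW_LIMIT
```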


[Figure: A view of how Novetta Cyber Analytics fits into a typical security shop’s workflows.]

* For explanations of these powerful queries, please see the doc: The Top 10 Built-in Investigative Analytics: Examples of how this solution is used and why it’s so powerful.


By combining the data associated with any alert with a comprehensive, rapidly searchable view of network traffic, analysts now have access to all the information they need to rapidly triage correlated, behavioral, and signature-based alerts.

Fast and Complete Incident Response and Forensics

Once an analyst has determined the full extent of a threat using Novetta Cyber Analytics, they can quickly export the key packet capture to a traffic analysis tool (such as Wireshark) or a forensics tool for deeper analysis and traffic replay. In this fashion, the deep-dive forensics tool is leveraged for its key capability after a subset of network traffic has been identified. This enhanced workflow serves to dramatically accelerate the operational tempo of analysts. They can now quickly start at a SIEM’s console alert, attain situational awareness, identify threats, get visibility of raw packet capture, and perform deep-dive analysis — all dramatically faster than without Novetta Cyber Analytics.

IMPROVED POSTURE PLUS A LESSENED NEED FOR ANALYSTS

Novetta Cyber Analytics allows security shops to rapidly triage their SIEM’s alerts while concurrently tightening their SIEM alerting thresholds and lessening reliance on ever more complex automated correlations, which, of course, require more and more time-consuming data integration efforts. By enabling SIEMs to move closer to their original purpose — the simple aggregation and correlation of alerts from multiple perimeter defense tools — the combination frees security teams, even Tier 1 analysts, to spend far more time understanding their network and proactively hunting intruders rather than reacting to mostly false-positive alerts and/or spending the copious time needed to wrangle data from multiple systems. Cyber security shops that have deployed this combination have found that their overall cybersecurity posture has immeasurably improved, while concurrently lessening their need for hard-to-find cyber security workers.

CONCLUSION

Organizations that make use of both a SIEM and Novetta Cyber Analytics create a powerful combination that empowers analysts and their entire teams to achieve far greater visibility and awareness and substantially accelerate their operational tempo as they explore their networks, investigate specific alerts and incidents, and perform forensic activities. A SIEM plus Novetta Cyber Analytics makes security teams far more efficient and effective, and because of this, the combination makes a security team’s management chain far more confident in their overall cybersecurity efforts.