Exploiting Responsibility Gaps: The Space Between Networking and Security

By Tim (TK) Keanini

Question 1: What does a security incident look like before it is a security incident? 

Answer 1: Network traffic.

What I am trying to highlight here is that because security professionals are mainly looking for security events, and security technologies are focused on attacks and abuse, they miss the predictors in network traffic that lead up to a security incident. The other side of this fact is that the networking team is just monitoring for availability and performance management, so adversaries can get into a network and explore all they want as long as they don’t trigger any of the non-security-related events.

We need to close this gap created by the org charts that paint these areas of responsibility as isolated, because the adversaries are exploiting this day in and day out. Let me give you an example just in case you don’t see it yet. Given the number of stolen credentials on the black market, bad guys can usually buy the access they need to most major networks. Using LinkedIn.com, they identify people who have the access they need, so departments like HR, Legal and Executive Management all come to the foreground.

With your CEO’s credentials in hand, the attack begins, but there are no security events being triggered because according to all the security tools, no attack has taken place yet. The people who would be able to see traffic anomalies would be the networking team, but again, their tools also show that nothing has gone wrong. So how then do you identify this anomalous traffic as a preamble to the security incident?

I can tell you how I do it and you can then do whatever makes sense to you. Lancope’s StealthWatch System can absolutely highlight these Indicators of Compromise in the traffic patterns before, during, and after the security incident. When your CEO’s account does something on the network that is behaviorally abnormal, it’s obvious to the StealthWatch product, but completely invisible to other NetFlow/IPFIX analysis tools. Your routers, switches and wireless access points can all show you that suspicious traffic flows are occurring, but you typically do not have anything doing the security analysis because the security team is waiting for security events and networking people don’t feel that security is their job. 

Security teams are using the StealthWatch System to find Indicators of Compromise on their networks. Traffic patterns that are highly suspect are brought to their attention immediately. There are also cases where you learn of something and the StealthWatch System can offer you a retrospective view on network activity related to the involved IP address, user, or other traffic attributes.

Advanced threats will find a way into your network. In fact, chances are they are already in and you just don’t know it yet. Trust me, if you do a proof of concept with the StealthWatch product, there will be that awkward moment when someone will say “Oh my god, is that what I think it is?” – Yup! Ignorance is no longer bliss.