Thursday, November 18, 2010

Cyber security artists need the right tools

It has become evident to me that cyber security is an art, and like any other art, it has artists who need the right tools.
At Qosmos, we work with cyber security teams who protect very sensitive networks. These security analysts typically work in a Security Operations Center (SOC), monitoring traffic and checking for suspicious activity, such as:
  • Services or encrypted traffic on non-standard ports 
  • Referring URI, which can be used to detect Phishing software loading partial content from a real site
  • Many (hundreds) of “IP gets” from black-listed countries
  • Specific malware file names (e.g. shell.exe)
  • Suspicious malformed traffic
Best practice cyber security filters out known threats with COTS cyber security products (AV, Firewalls, etc.) and focuses investigation and analyst time on 1% suspicious traffic only. So, what tools do the analysts need?
  • Information feeds in the form of logs and traffic metadata
  • Search and analysis capabilities
Logs are the obvious source of information to investigate potential security breaches. But a recent trend is to complement these logs with communications metadata, representing an additional source of real-time information.

Examples of communications metadata which are relevant for cyber security:

The advantages of metadata:
  • Not only do good metadata complement logs, they are also MORE valuable than full packet payloads to identify patterns! As someone said to me: “sometimes, you can’t see the forest (situational awareness) for the trees (packet payloads)”
  • In addition, metadata require less storage than full packet capture which means that historic info can be kept for longer time periods (months) than full packet capture: this means much stronger investigative capabilities.
  • Metadata also enables much faster forensic search, with the ability to search 2TB of data in less than 2 minutes!
  • Finally, metadata can be used to index flows and packet contents
Example of a best-of-breed cyber security tool case
A tool case can be built on Qosmos + Splunk. In this case, Qosmos does the protocol decoding up to Layer 7, providing complete visibility of all network traffic and applications, independently of ports. The extracted protocol metadata is indexed by Splunk in addition to log information. Splunk is then used for search, statistics and GUI.

Example of Searching for Suspicious Network Activity by using Qosmos + Splunk

Let’s give cyber security artists the tools they need to exercise their art!


© 2009 Network Intelligence Technology. All Rights Reserved | Powered by Blogger
Design by psdvibe | Bloggerized By LawnyDesignz