We live in an era where the defensive capabilities of traditional security tools have been eclipsed by the capabilities of modern attackers. Major breaches are consistently occurring in the networks of even the most technically savvy enterprises, including national defense and the most righteous security vendors. Over the years, network security teams have demanded “set it and forget it” tools to block potential threats based on signatures and behaviors. In this environment, however, those tools provide a false sense of security, and as we have seen all too often, sole reliance on more and better prevention-based tool sets is not preventing high-profile organizations from being attacked.
What today’s enterprises need is an active, responsive, and integrated approach to network security. We call it ‘Security Intelligence and Analytics (SIA)’. Just as Web Analytics tells marketers what to look for in order to sell more, SIA tells security administrators what is suspicious and potentially threatening to the integrity of their valuable data.
To combat today’s sophisticated attacks, administrators and incident responders require the best equipment and the deepest visibility into the activities, applications, and personas on their network. They need the ability to react quickly to events in real time, within the full context of the event, because the stakes, whether reputation, financial loss, or market cap exposure, are too high. Every second matters. The difference between “set it and forget it” and the active response approach is data. SIA makes sense of the data and provides actionable evidence on how to defend your network.
Importantly, SIA is more than just data and analysis; it’s also the ability for all your security tools to work together in concert, to share data, and to enable the team to defend the network quickly and decisively. Despite the allure of purchasing every security tool from the same vendor, in a world where almost 8,000 malware signatures are created EVERY DAY, enterprises must rely on the innovative technologies that address today’s ever-evolving threat landscape. When assessing security products and services, security teams should think in terms of best-of-breed integration to deliver end-to-end threat detection, analysis, and containment.
For years, security teams have been capturing and analyzing packets traversing the network with tools like tcpdump and Wireshark. Experienced practitioners are able to pull details of events out of the network-level data. However, only a limited number of teams have the technical ability to use packet capture effectively. Moreover, performance and scalability challenges have kept the use of this technique limited.
Network forensics evolved from packet capture to make all network data flows instantly visible and re-playable, empowering users to access historical data quickly and efficiently. Combining high-speed data capture, application classification and metadata extraction, indexed storage and analysis tools, active network forensics is like putting a security camera on your network.
Security Intelligence and Analytics
Security Intelligence and Analytics takes network forensics beyond captured and indexed network data into an environment where analysts can work across best-of-breed tools and have their difficult security questions answered using application-layer attributes. SIA integrates Security Information and Event Management (SIEM), Log Management, Intrusion Detection Systems (IDS), Data Loss Prevention (DLP), Deep Packet Inspection, and advanced malware detection tools into the single workflow necessary to combat today’s threats.
Security Intelligence and Analytics addresses the following needs:
Root Cause Analysis – Solera DeepSee gives you the ability to go back in time from any security event to find the root cause. Also called “t-minus zero” analysis, it fills the hole that is often left by traditional IPS/IDS, DLP, and malware devices, where only metadata and log analysis are available. When those alerts are coupled with a full forensic record of the packets, flows, files and any other artifacts, analysts can not only tell when something happened, but identify what it was and how it got into the network. Having full context at the packet level shortens the time it takes to resolve the incident and minimizes the scope of current and future potential breaches. Solera DeepSee can help you find and close the initial vulnerability to make your network more secure.
Outbreak/Pathway Analysis – Sometimes called “t-plus zero” analysis, this type of analysis goes forward in time from any security trigger to discover the full scope of the event. Again, since traditional security tools can only trigger alerts based on a specific moment in time, Solera DeepSee is required in order to discover everywhere the event has traveled in your network so you can remediate.
Application Discovery – It’s important to discover the use of any suspicious applications on the network. However, traditional firewalls can’t block packets based on an Application ID, so rogue applications find open ports and exploit them. While next generation firewalls offer some promise in this area, they are not yet widely deployed.
Solera DeepSee can currently identify 900+ different applications, 28 different application families along with thousands of metadata attributes, and continues to evolve with each release.
Data Leakage Discovery – Data Loss Prevention (DLP) systems are designed to find specific fingerprints of lost data, but they are notoriously inaccurate. Many customers are alerted to the loss of data, but they have no record of what happened. Solera Universal Connector integrates with the most popular DLP software to coordinate an alert with the context behind the loss.
Insider Threat Analysis – Typically, when an inside user is suspected of wrongdoing, it’s nearly impossible to go back in time and get the full record of their activity. However, Solera Active Reporting lets investigators know in real time everything that happens with a specific employee, such as the use of suspicious applications, URLs, email subject lines, etc.
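The two pivots described above, “t-minus zero” (what reached the host before the alert) and “t-plus zero” (where it went afterwards), can be illustrated over indexed flow metadata. This is an added example, not Solera code or DeepSee’s query language; the Flow fields, hosts and the incident timeline are constructed sample data.

```python
"""Added example (not Solera/DeepSee code): a minimal host-indexed flow-metadata store
with the root-cause (t-minus zero) and outbreak/pathway (t-plus zero) pivots.
All records are constructed sample data, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since an arbitrary epoch (constructed)
    src: str
    dst: str
    app: str     # application classification, e.g. "http", "smb"
    meta: str    # one extracted attribute: URL, filename, email subject ...


# Constructed incident: a phishing email, a download from an external host,
# then lateral movement over SMB. The last flow is unrelated background traffic.
FLOWS = [
    Flow(100, "mail.example", "10.0.0.5", "smtp", "subject=Invoice overdue"),
    Flow(130, "10.0.0.5", "203.0.113.9", "http", "url=/update.exe"),
    Flow(200, "10.0.0.5", "10.0.0.7", "smb", "file=tools.zip"),
    Flow(260, "10.0.0.7", "10.0.0.9", "smb", "file=tools.zip"),
    Flow(300, "10.0.0.3", "10.0.0.5", "http", "url=/wiki"),
]


class FlowIndex:
    """Index flows by host so a pivot from a trigger does not rescan the capture."""

    def __init__(self, flows):
        self.by_host = defaultdict(list)
        for f in sorted(flows, key=lambda f: f.ts):
            self.by_host[f.src].append(f)
            self.by_host[f.dst].append(f)

    def t_minus_zero(self, host, trigger_ts):
        """Root cause: every inbound flow to `host` before the alert fired."""
        return [f for f in self.by_host[host] if f.ts < trigger_ts and f.dst == host]

    def t_plus_zero(self, host, trigger_ts):
        """Outbreak/pathway: follow outbound flows transitively from the alert onwards."""
        seen, frontier, path = {host}, [(host, trigger_ts)], []
        while frontier:
            h, since = frontier.pop()
            for f in self.by_host[h]:
                if f.src == h and f.ts >= since and f.dst not in seen:
                    seen.add(f.dst)
                    path.append(f)
                    frontier.append((f.dst, f.ts))
        return sorted(path, key=lambda f: f.ts)
```

With an IDS alert on 10.0.0.5 at ts=130, the backward pivot returns only the phishing email and the forward pivot returns the download plus both SMB hops, while the unrelated flow at ts=300 is excluded because it is inbound.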
Acceptable Use Policy/Human Resources
Peer-to-Peer Content Download – Companies continue to struggle with acceptable use of their networks. Many receive Digital Millennium Copyright Act (DMCA) violation notices, spending considerable time and effort determining whether the notice is valid and who in their company was responsible for the illegal download(s). Regardless of the difficulty in producing evidence, a company is required to take action in order to avoid legal consequences. Granted, Web filtering technology can block certain content sites, but new sites pop up every day. Only Solera DeepSee provides definitive proof that an employee has violated your Acceptable Use Policy, providing you with both the content and the user information, so you can solve the problem efficiently and in a timely manner.
Inappropriate Content Discovery – Your company may have an Acceptable Use Policy prohibiting users from downloading inappropriate content, but catching employees violating this policy can be difficult. Web filtering technology is often woefully inadequate, but Solera Networks provides the definitive proof you need to take swift action with the employee. With clear evidence, employees will often strictly align with policies, and you are able to avoid the costly expenses of termination and re-hiring, let alone legal action.
Replay Traffic to Updated Signatures – As part of any good remediation practice, your organization should make sure you’re protected from future exploits. When you update your Next-generation Firewall, Intrusion Detection or Prevention Signatures (IDS/IPS), or other blocking tools, Solera DeepSee can play back traffic at high rates to provide assurance that updated signatures would have caught a prior intrusion.
Compliance Reporting/Proving the Negative – One of the hallmarks of sophisticated and persistent threats is a “low and slow” approach. These advanced targeted attacks make it very difficult to ensure that the malware that was used for the attack is completely removed from the network. In fact, the only way to determine that a previous outbreak is entirely off the network is through network monitoring. Solera DeepSee Actions, Alerts and View Filters can help you continuously monitor the network to verify that previously eradicated malware is no longer present.
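Replaying stored traffic against updated signatures and proving the negative after eradication, as an added example that is not Solera code: the records, the signature patterns and the “malware” strings are constructed placeholders, not real indicators, and the regex signatures stand in for whatever the IDS/IPS actually uses.

```python
"""Added example (not Solera/DeepSee code): re-run an updated signature set over a
stored capture to see what it would have caught, then check that an eradicated
indicator stays absent after the remediation time ("proving the negative").
All records and signatures are constructed placeholders."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: int
    host: str
    app: str
    payload: str   # extracted attribute such as request line or DNS query (constructed)


# Constructed historical capture; ".invalid" and PLACEHOLDER names are not real IoCs.
CAPTURE = [
    Record(10, "10.0.0.5", "http", "GET /update.exe UA=PLACEHOLDER-BOT/1.0"),
    Record(20, "10.0.0.7", "http", "GET /index.html UA=Mozilla/5.0"),
    Record(30, "10.0.0.5", "dns", "query=beacon.placeholder.invalid"),
    Record(90, "10.0.0.9", "http", "GET /news UA=Mozilla/5.0"),
]

# The signature set before and after the update that followed the incident.
OLD_SIGNATURES = {"exe-download": re.compile(r"GET \S+\.exe")}
UPDATED_SIGNATURES = {
    **OLD_SIGNATURES,
    "placeholder-bot-ua": re.compile(r"UA=PLACEHOLDER-BOT/"),
    "placeholder-beacon-dns": re.compile(r"query=beacon\.placeholder\.invalid"),
}


def replay(records, signatures):
    """Run every signature over the stored records; returns (ts, host, signature) hits."""
    return sorted((r.ts, r.host, name)
                  for r in records
                  for name, rx in signatures.items() if rx.search(r.payload))


def newly_caught(records, old, new):
    """Assurance check: hits the updated set produces that the old set missed."""
    return sorted(set(replay(records, new)) - set(replay(records, old)))


def prove_negative(records, signatures, eradicated_at):
    """Any hit at or after `eradicated_at` is evidence the outbreak is not fully gone."""
    return [hit for hit in replay(records, signatures) if hit[0] >= eradicated_at]
```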