Provider Profiles: Network Visibility

Who’s on your network? What’s on your network? These questions never change, but the ways we get to meaningful answers are always evolving. Providers of network visibility solutions are constantly upgrading their capabilities to detect threats and enable rapid, effective responses to network security incidents.

Plixer: Speeding Up SOC Reaction with Enriched Context

Plixer focuses on network traffic analytics. Their approach is to gather metadata from existing infrastructure elements like switches and firewalls. “Metadata can tell you a lot about possible attacks, if you know how to look at it,” explained Bob Noel, VP of Marketing and Strategic Partnerships at Plixer. Their solution takes in data from layers 2 to 7 of the network stack. “The key is to be selective and focused enough in the analysis of the metadata that you’re creating rich context, not more noise, for the security analyst.”

The problem, according to Noel, as well as many other network security experts, is the lack of context provided to the SOC analyst. “You can find anomalies in the network and issue alerts, but if the alert arrives simply with a time stamp and an IP address, there’s too much work for the analyst to do. He or she has to understand the problem well enough to respond—or not respond, which is sometimes the better choice when it’s a minor thing and time is limited.”

Context means knowing things like usernames, databases and URIs associated with the alert. It means understanding if the alert matches other alerts having to do with suspicious activity like data exfiltration and so forth. The Plixer solution gives the SOC the ability to filter data points associated with the alert. From this capability, the analyst can quickly establish context and make a judgement about the severity of the alert and whether it needs to be escalated.
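The kind of context-building the paragraph describes, as an added example that is not Plixer's code: an alert carrying only a timestamp and an IP is joined against constructed authentication, flow and alert records (all sample data, not real), so the analyst sees the user, destinations, URIs and related alerts and gets a first escalation verdict. The field layouts, the five-minute window and the 1 MB outbound threshold are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real): an alert as a detector might emit it
ALERT = {"ts": "2024-03-04T10:15:30", "src_ip": "10.1.2.3",
         "reason": "anomalous outbound volume"}
# (timestamp, ip, username) from authentication / DHCP sources
AUTH_LOG = [("2024-03-04T08:02:00", "10.1.2.3", "jsmith"),
            ("2024-03-04T09:40:00", "10.1.2.9", "akhan")]
# (timestamp, src_ip, dst_ip, dst_port, bytes_out, uri_or_db) flow metadata
FLOWS = [("2024-03-04T10:14:50", "10.1.2.3", "10.1.5.20", 1433, 120_000, "db:customers"),
         ("2024-03-04T10:15:10", "10.1.2.3", "203.0.113.7", 443, 9_500_000, "/upload"),
         ("2024-03-04T10:15:20", "10.1.2.9", "10.1.5.20", 1433, 3_000, "db:inventory"),
         ("2024-03-04T11:30:00", "10.1.2.3", "203.0.113.7", 443, 2_000, "/")]
# (timestamp, ip, category) alerts raised by other detectors
OTHER_ALERTS = [("2024-03-04T10:15:15", "10.1.2.3", "possible exfiltration"),
                ("2024-03-03T10:15:15", "10.1.2.3", "port scan")]

EXFIL_BYTES = 1_000_000  # assumed threshold for "a lot left the network"


def parse(ts):
    return datetime.fromisoformat(ts)


def enrich(alert, auth=AUTH_LOG, flows=FLOWS, alerts=OTHER_ALERTS,
           window=timedelta(minutes=5)):
    """Attach user, traffic and related-alert context to a bare alert."""
    t, ip = parse(alert["ts"]), alert["src_ip"]
    lo, hi = t - window, t + window
    # Most recent login from this IP before the alert identifies the user
    logins = sorted((parse(ts), u) for ts, a, u in auth if a == ip and parse(ts) <= t)
    user = logins[-1][1] if logins else None
    near = [f for f in flows if f[1] == ip and lo <= parse(f[0]) <= hi]
    related = [c for ts, a, c in alerts if a == ip and lo <= parse(ts) <= hi]
    bytes_out = sum(f[4] for f in near)
    return {
        "user": user,
        "destinations": sorted({(f[2], f[3]) for f in near}),
        "uris": sorted({f[5] for f in near}),
        "bytes_out": bytes_out,
        "related_alerts": related,
        # Escalate when the volume is large or another detector saw exfiltration
        "escalate": bytes_out >= EXFIL_BYTES or "possible exfiltration" in related,
    }


if __name__ == "__main__":
    print(enrich(ALERT))
```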

From a policy perspective, Plixer can identify if a policy is being enforced. Using metadata analysis, Plixer can examine things like actual (vs. theoretical) user access privileges, secure transaction flow and more. “We can proactively audit controls and policies,” Noel said.

Gigamon: Reversing the Asymmetry of Network Attacks

Shehzad Merchant, CTO of Gigamon, sees the asymmetry of network attacks as one of the most serious issues facing CISOs. “If you only have to be wrong once, you’re going to have some pretty serious problems,” he said. “The challenge is to overcome the asymmetry and make it so the attacker cannot exploit that inevitable undetected vulnerability.”

How to do this? For Merchant, it’s about developing an effective security architecture. This is a broad concept, but it involves first establishing a focus on truly critical assets. “Defend best where you need to defend the most,” he said. “This is an idea that gets a lot of lip service in the industry. It’s not a new idea, but it’s no less serious. It’s an absolute requirement for robust security.”

With the key assets in mind, then it’s a matter of tooling and organizational practices. The security architecture should reflect the organization’s culture and capabilities. “This may involve some episodes of brutal honesty with people, but you know, it’s better to have some ruffled feathers today than a massive breach tomorrow.”

From there, Merchant advised, “You want the defender to have just one footprint used for detecting the attacker. Too many tools and organizational disconnections enable the attacker to exploit vulnerabilities too easily.” And, he observed, you have to maintain this unified vigilance across cloud and on-premises data assets.

“Assume compromise,” Merchant advised. “You cannot assume you can keep attackers out. However, if you know what to look for, having the attacker inside the network can help you. Do forensics all the time. Watch what the attackers are doing. Look at their queries and breadcrumbs. They can tell you a lot.”

The work is never done. For Merchant, the advent of 100 gig networks is concerning. “Now, you have a packet coming every 6 or 7 nanoseconds. In that moment, you have to identify malicious data. This is not easy. Yet, as we have seen so many times, once the industry has identified a problem, we will solve it.”

Active Countermeasures: Detecting the Attacker’s Command and Control

Active Countermeasures approaches security by focusing on the attacker’s command and control activities. The self-funded company offers AI-Hunter, a product that looks for compromised systems by detecting the attacker’s communications on the network.

“I don’t care how sophisticated the attacker is,” said Chris Brenton, Co-founder. “At some point, the malware, or whatever it is, has to ‘call home.’ That’s what we’re looking for—the malicious actor’s command and control system.” From Brenton’s perspective, too many cyber security efforts concentrate on outward-facing defenses, which tend to not work consistently. And, as he pointed out, if you’re looking for compromised systems and devices, you may not find anything.

“You can watch a device, but if the attacker knows what he or she is doing, there won’t be any logs or even any code to find. The network, though, is the great equalizer. You can’t hide network traffic. You can make it look different, but it can still be spotted.” Spotting suspicious traffic, of course, is a lot easier said than done. That is what AI-Hunter is designed to do.

“We’re all drowning in false positives,” Brenton observed. “The challenge is to teach the tool to avoid something like an odd SSL connection, for example. But, what if you see a beacon signal, a self-signed digital certificate? These sorts of things should trigger your interest.” That’s the role of the rule-based AI-Hunter.
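Beacon spotting of the kind Brenton describes, as an added example that is not AI-Hunter's code: connection timestamps in flow metadata are grouped per source, destination and port, and a pair whose inter-connection gaps are nearly constant is reported as a candidate, with the self-signed certificate flag carried along as the second indicator. The flow layout, the minimum of 10 connections and the 0.2 coefficient-of-variation cut-off are assumptions; the sample flows are constructed (one host calling home every 60 s with a little jitter, one host browsing the same site irregularly).

```python
import statistics
from collections import defaultdict

# Constructed flow metadata (not real): (timestamp_s, src_ip, dst_ip, dst_port, self_signed_cert)
FLOWS = []
BASE = 1_700_000_000
# Host A: a 60 s beacon with +/-3 s jitter to a server presenting a self-signed cert
t = BASE
for j in [0, 2, -1, 3, -2, 1, 0, -3, 2, 1, -1, 0]:
    t += 60 + j
    FLOWS.append((t, "10.1.2.3", "203.0.113.7", 443, True))
# Host B: a person browsing the same site at human, irregular intervals
t = BASE
FLOWS.append((t, "10.1.2.9", "203.0.113.7", 443, False))
for dt in [5, 300, 12, 900, 45, 1800, 7, 60, 400, 3, 250, 1200]:
    t += dt
    FLOWS.append((t, "10.1.2.9", "203.0.113.7", 443, False))


def interval_stats(times):
    """Mean and population std-dev of the gaps between sorted timestamps."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return statistics.mean(gaps), statistics.pstdev(gaps)


def find_beacons(flows, min_conns=10, max_cv=0.2):
    """Return (src, dst, port) pairs whose connection timing is suspiciously regular."""
    by_pair, self_signed = defaultdict(list), set()
    for ts, src, dst, port, ss in flows:
        by_pair[(src, dst, port)].append(ts)
        if ss:
            self_signed.add((src, dst, port))
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_conns:  # too few samples to judge regularity
            continue
        mean, sd = interval_stats(sorted(times))
        cv = sd / mean if mean else float("inf")  # low CV = metronome-like
        if cv <= max_cv:
            hits.append({"src": pair[0], "dst": pair[1], "port": pair[2],
                         "period_s": round(mean, 1), "cv": round(cv, 3),
                         "self_signed_cert": pair in self_signed})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Regular timing alone also matches legitimate schedulers such as update checks, which is why the result is a candidate for the analyst and the certificate flag rides along as corroboration.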

Network visibility is a never-ending, evolving challenge. Providers are constantly improving their capabilities to keep up with increasingly sophisticated attackers. However, as Brenton said, attackers must always use the network on their way in or out of the target. The burden on Security Operations teams is to detect and respond before the damage is done.