A recently published report from the SANS Institute highlighted the growing value of network-derived data for enterprise cybersecurity teams tasked with protecting increasingly distributed corporate infrastructures. Entitled “Advance Your Security Posture with Comprehensive Network Visibility,” the paper revealed a trend toward leveraging network traffic data to improve the overall cybersecurity posture of the world’s largest businesses and governmental organizations.
“Organizations are looking to gain deeper visibility across the entire infrastructure (cloud and on-premises) for operational and security reasons. Additionally, security teams are looking to reduce the time it takes to detect, investigate, and remediate cyber and/or other IT threats, with the ultimate business goal of reducing IT risk,” noted the report, which went on to list several factors that illustrate the value of collecting and analyzing network information for security analytics, including the following:
The unique nature of the network. The network (data, traffic, and packets) itself cannot be evaded—traffic must flow across it. Moreover, it is extremely difficult to manipulate. And because it is always on, it provides a constant flow of network information. And that data can’t be deleted or modified.
An environment view. Network data can reveal patterns of behavior across multiple systems, giving security the ability to see across an ecosystem rather than discreet systems. Network data provides the capability to focus on strategic points in the network for maximum visibility—security operations teams can use metadata and, ultimately, packets for contextual investigations, remediations, and policy updates.
The value of network metadata. Although many traditional security approaches tend to emphasize full packet data, large environments with significant traffic are also realizing significant benefits of network metadata. Analyses of both packets and metadata will prove invaluable in building a comprehensive network monitoring function that emphasizes behaviors and potentially highlights attacker dwell time.
Data lakes will also bloat and suffer from significant storage needs.
The average time to identify and contain a breach (its dwell time or “lifecycle”) was 280 days, according to a 2020 study from the Ponemon Institute. The lifecycle of a breach factors heavily into the overall cost.
Source: Cost of a Data Breach Report, Ponemon Institut
Technologies that gather both metadata and packets. Modern solutions use high-speed capture mechanisms, compression, network traffic enhancement, and analytics techniques to provide longer-term network packet and metadata retention. Together, these improved methodologies immediately provide much more comprehensive visibility and retroactive analysis capabilities to security operations center (SOC) analysts who may need during an investigation to go back weeks or even months to determine what types of events occurred. Additionally, solutions that provide both full packet data and network metadata will prove much more valuable over time.
Smarter Analysis via Metadata
Tier 1 analysts can quickly begin investigations by using metadata and behavioral patterns of traffic flow, escalating results to tier 2 or 3 analysts, who may then analyze full packets for more detailed evidence collection that helps solidify criticality of events, priorities, root cause, and more. This offers organizations with time-constrained SOC teams the best of both worlds: All analysts can immediately use data available to process and advance evidence with investigative workflows.
To comprehensively analyze network packets, the industry needs analysis of raw network traffic to be smarter and more contextual. Turning raw packets into useful network metadata requires traditional attributes such as source and destination ports and addresses, device types communicating, applications and services in use (including browsers and others), and application- or service-specific information (for example, DNS requests). These data sources and types, taken and analyzed in tandem, can significantly facilitate security operations such as threat hunting, intrusion detection, and network forensics.
In addition to these capabilities, the tools will need to be both robust enough to gather and store network metadata and packets and easier to use and manage, because security and cloud operations teams are already stretched thin.
Learn more about advanced threat analytics and response.