A day in the life of a security analyst can feel like an interrogation under a hot lamp. You are hit with a lot of hard questions and the answer "I don't know" just raises the heat. Answering these questions requires finding a needle in a haystack that is surrounded by other haystacks, all of which are in a burning barn. That may sound a bit extreme, but it illustrates what it can feel like to resolve an incident with commonly used security architecture solutions today.
As an analyst who has investigated intrusions on large, complex networks ranging from Fortune 500 companies to the Department of Defense, I understand all too well how difficult and painful it can be to quickly answer the critical questions surrounding a compromise. Did any hosts communicate with a particular IP or Domain? If so, what were the nature of these connections? Did data theft occur? If so, what data was lost? These questions sound simple, but the difficulty in answering them grows with the size of the network and the investigation timeframe.
For example, take the IP question--did any hosts communicate with a particular IP? To answer this you will need archived netflow and a way to search it quickly. This is no simple task. What happens if you need to search netflow for the last six months across five different sites for multiple IPs? Once you have the data, do you find yourself just crossing your fingers while waiting for an endless grep command to return? Even if grep and finger crossing work, how do you go about determining the nature of the traffic in question?
Ah, the power of PCAP.
Full fidelity PCAP is most often used to provide the answers to the toughest questions. While full PCAP doesn't lie, it is large and traditionally has been expensive to retain. In order to retain full PCAP, most organizations are faced with two options: 1). Rely on an Intrusion Detection System to begin recording PCAP when a signature is tripped; or 2). Pay a high premium to store a few weeks of full PCAP on hardware. The first option saves storage costs but relies on detecting only what you know at a given point in time--which isn't effective against constantly evolving threats and zero-days. The second option gives you the evidence you need, but puts limitations on the length of the retention window due to hardware constraints. And it will require time and work to piece together information from disparate endpoint solutions.
Suppose you answered the IP question and you found the PCAP corresponding to the flows you wish to inspect. It's time to fire up Wireshark, but in speaking of time, how long did it take to get to the Wireshark moment of truth? Sometimes retrieving the needle from the haystack consists of SSH'ing into many systems and combing through files and directories named after timestamps and MD5 hashes. You found the needle, but this isn't the only needle you need to find today and the barn is still burning.
If this story sounds painfully familiar, let me offer an alternative one that doesn't require blood pressure medication.
One organization using our cloud-based platform, a research laboratory at a major university, needed to answer these same questions after they were notified by a third party of a potential security event. The third party detected IP addresses belonging to the organization in communication with malicious IP addresses that were recently connected to compromises in the industry. The organization needed to verify the existence of communications to the malicious IPs and determine the nature of the communications.
If ProtectWise was not deployed on this network, this task would sound something like the story above. Searching netflow data alone to confirm the connections to the IPs would have taken as long as 24 hours per month searched due to the tools currently available, the size of the data set, and the manner in which the data was stored. Even if the connections were confirmed, there would be no way to report the nature of the connections as there was no PCAP solution. The organization would have faced the unpleasant task of tracking down the internal hosts in question, examining them, and possibly re-imaging as a precaution. This effort alone robs the work hours of both the security team and the workers affected. However, ProtectWise was deployed, and PCAP related to the connections in question was easily and quickly retrieved. Within a matter of minutes the organization was able to prove that connections to the IP addresses were benign. Case closed and in record time.
Scenarios like the one above happen on a daily basis, yet widely used security architectures aren't capable of answering the tough questions with the necessary speed and accuracy. As a result, security and response teams are constantly fighting an uphill battle in order to connect the dots and figure out what has happened on their network. For many organizations, this problem is exacerbated by the fact that skilled cybersecurity professionals are in short supply and high demand. Providing the ability to easily retrieve data doesn't just move the ball forward when it comes to investigating compromises and potential threats, it completely changes the game.
Next blog post