Security teams that want to coordinate operations workflow processes often evaluate SIEMs. However, the problem with SIEMs is that they rely mostly on logs, which don't give analysts an easy or clear view into unknown threats or into weaknesses on their networks. On top of that, most legacy SIEM technology is challenged with retaining information for any meaningful period of time.
A big help to analysts would be correlating those logs with full-fidelity PCAP, and for time periods that exceed breach detection windows. In fact, the desire to keep forensic information longer is quite clear.
Over 40% of the participants in our webinar "When a SIEM Alone is No Longer Sufficient" wanted to keep forensic information for between three and six months, and nearly another 40% expressed an interest in keeping information for longer than 6 months.
These savvy security pros know network traffic never lies, and should be their single source of truth. While some SIEMs use PCAPs, they can only perform the most basic analysis on that data when rules trigger a detection.
Network security needs to lean forward into a modern approach that provides clarity through advanced analysis techniques on PCAP data. With more and better analysis on PCAP data kept for time periods longer than breach detection windows, organizations can reduce attack dwell time to lessen or quash the ill effects of an attack.
If your organization doesn’t have a SIEM, or if it’s on the fence about which vendor to choose, a great way to get started is to implement an ELK stack. ELK stands for Elasticsearch, Logstash, and Kibana - a trio of open-source software that can give you the same features and functionality as a SIEM.
Integration of ELK with The ProtectWise Grid has many benefits. It provides a more intuitive UI, and allows analysts to pivot easily between Kibana’s interface and ProtectWise with a single click. It provides advanced search capabilities about detected events and threat observations, and packet-level visibility for Logstash events that are correlated to ProtectWise events. It also gives analysts complete network-level context about these events so they can make more informed decisions more quickly.
After you’ve implemented ELK, getting started with ProtectWise is easy. Just install the ProtectWise emitter on your Logstash server, configure the emitter to save event and observation messages to a JSON file, configure Logstash to ingest and parse the file, and import the ProtectWise JSON objects into Kibana. That’s it!
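The Logstash side of that procedure, as an added illustration that is not part of the original post or of ProtectWise's own documentation: a pipeline that tails the JSON file written by the emitter and indexes it for Kibana. The file path, the `message_type` and `occurredAt` field names, and the Elasticsearch address are assumptions; check the emitter's actual output and substitute your own values.

```logstash
input {
  file {
    # Path the emitter was configured to write to (assumed; use your own)
    path => "/var/log/protectwise/events.json"
    start_position => "beginning"
    # Persist the read offset so a Logstash restart does not re-ingest the file
    sincedb_path => "/var/lib/logstash/sincedb-protectwise"
    # One JSON object per line, as most emitters write
    codec => "json_lines"
  }
}

filter {
  # Field name is an assumption; tag events and observations separately so
  # Kibana dashboards can filter on either message type
  if [message_type] == "observation" {
    mutate { add_tag => ["protectwise_observation"] }
  } else {
    mutate { add_tag => ["protectwise_event"] }
  }

  # Use the emitter's own timestamp (assumed field) as @timestamp so Kibana's
  # time picker lines up with the PCAP window the event refers to
  date {
    match  => ["occurredAt", "ISO8601", "UNIX_MS"]
    target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "protectwise-%{+YYYY.MM.dd}"
  }
}
```

In Kibana, create an index pattern matching `protectwise-*` and the tagged documents appear with their original event times.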
But the proof is in the pudding. Our webinar guest Dean Liu, Senior Security Engineer at Pandora, and his team have been using ProtectWise and ELK (Elasticsearch, Logstash, Kibana) to optimize Pandora's security workflows for the last two years.
Since then, the integration has helped Pandora detect phishing attempts, and has even detected the presence of XcodeGhost malware through retrospective analysis of stored PCAP data. It has provided additional visibility into their environment and enhanced the productivity of their security team by reducing false positives.
His team has also been pleased with how The ProtectWise Grid interface provides easy access to PCAPs, eliminating the need to use Wireshark, and with ProtectWise's well-documented APIs, which helped make integration fast and easy.
If you weren't able to join us, you can watch a replay of our webinar today to learn why a modern approach to security is needed and how The ProtectWise Grid can help through integration with your SIEM or ELK stack.