Your Network and Security Teams May Not Be Talking, But Their Technologies Should Be
Today’s IT environment overloads you with information. During an attack, having to slowly comb that information to find the relevant data costs time, money, and customer trust. So how can you make investigation and response faster to reduce risk? We’ll show you how to maximize the value of your infrastructure so you can reduce mitigation time to minutes or seconds.
Detection Alone Is Not Enough
For decades, the industry has directed you to purchase point security products in the name of prevention and detection. Today’s growing threat surfaces, coupled with the sophistication of attacks, have led us to a point where breaches are inevitable. Absolute prevention is impossible, and detection is only the first step of remediation. To reduce risk to the business, organizations must embrace the need for rich forensic data in support of fast and accurate incident response.
Advanced Security Analytics
IoT, BYOD, and the explosion of virtual machines have created an unmanageable threat surface. Monitoring for anomalous traffic and device behavior with network traffic analytics is the most effective way to surface indicators of compromise. Proactive thresholds, alerting, and open RESTful APIs enable rapid and dynamic event response.
Scrutinizer baselines the expected behaviors of end systems and applications. It then incorporates dozens of security algorithms that analyze flow and metadata details, looking for communication patterns and behaviors inconsistent with the baseline. Using NetFlow telemetry, malware that would otherwise fly under the radar is identified and sets off an alarm, triggering an incident response process. Rich forensic data and fast reporting provide the information needed to quickly find root cause and mitigate the risk.
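The baseline-then-compare idea above, reduced to its simplest form as an added example (this is illustrative code, not Scrutinizer's algorithms or its data model): learn each host's hourly outbound volume and the set of destination ports it normally uses from a window of constructed flow records, then flag a later hour in which a host exceeds its learned volume limit or talks to a port it never used before. The record layout (hour, source, destination, destination port, bytes) and the 3-sigma rule are assumptions chosen for the example.

```python
"""Per-host behavioural baseline over flow records (added example, not Scrutinizer code).

Each constructed record is (hour, src_ip, dst_ip, dst_port, bytes_out). Hours 0-23
are the learning window; hour 24 is the window under test. A host is flagged when
its outbound volume in the test hour exceeds its learned mean by more than K
standard deviations, or when it contacts a destination port absent from its baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (hour, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = []
for hour in range(24):  # 24 hours of ordinary behaviour for two hosts
    FLOWS.append((hour, "10.0.0.5", "10.0.0.1", 53, 2_000))
    FLOWS.append((hour, "10.0.0.5", "93.184.216.34", 443, 50_000 + hour * 100))
    FLOWS.append((hour, "10.0.0.9", "10.0.0.1", 53, 1_500))
    FLOWS.append((hour, "10.0.0.9", "93.184.216.34", 443, 40_000))
# Test hour: 10.0.0.5 pushes 40 MB to a new destination on a port it never used
FLOWS.append((24, "10.0.0.5", "10.0.0.1", 53, 2_100))
FLOWS.append((24, "10.0.0.5", "198.51.100.7", 8443, 40_000_000))
FLOWS.append((24, "10.0.0.9", "10.0.0.1", 53, 1_400))
FLOWS.append((24, "10.0.0.9", "93.184.216.34", 443, 41_000))


def build_baseline(flows, learn_hours):
    """Learn per-host hourly byte volumes and the set of destination ports each host uses."""
    hourly = defaultdict(lambda: defaultdict(int))  # src -> hour -> bytes
    ports = defaultdict(set)                        # src -> {dst_port}
    for hour, src, _dst, port, nbytes in flows:
        if hour < learn_hours:
            hourly[src][hour] += nbytes
            ports[src].add(port)
    baseline = {}
    for src, by_hour in hourly.items():
        volumes = [by_hour[h] for h in range(learn_hours)]  # 0 for silent hours
        baseline[src] = {"mean": mean(volumes), "sd": pstdev(volumes), "ports": ports[src]}
    return baseline


def detect(flows, baseline, test_hour, k=3.0):
    """Return a list of (host, reason) findings for the test hour."""
    volume = defaultdict(int)
    new_ports = defaultdict(set)
    for hour, src, _dst, port, nbytes in flows:
        if hour != test_hour:
            continue
        volume[src] += nbytes
        if src in baseline and port not in baseline[src]["ports"]:
            new_ports[src].add(port)
    findings = []
    for src, total in volume.items():
        if src not in baseline:
            findings.append((src, "no baseline for host"))
            continue
        b = baseline[src]
        # A perfectly regular host has sd == 0; keep a 5% floor so the limit is not the mean itself
        limit = b["mean"] + k * max(b["sd"], 0.05 * b["mean"])
        if total > limit:
            findings.append((src, f"outbound {total} B exceeds baseline limit {limit:.0f} B"))
        for port in sorted(new_ports[src]):
            findings.append((src, f"first use of destination port {port}"))
    return findings


if __name__ == "__main__":
    base = build_baseline(FLOWS, learn_hours=24)
    for host, reason in detect(FLOWS, base, test_hour=24):
        print(host, "->", reason)
```

On this data only 10.0.0.5 is reported, once for volume and once for the new port 8443; 10.0.0.9's small hour-to-hour variation stays inside its limit. A real deployment would learn per hour-of-day and per-application rather than one flat mean, which is where the "dozens of algorithms" the text mentions come in.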
Access to high volumes of disparate data does not lead to faster response. In fact, it can have the opposite effect. The best context and response come from the correlation of network-related data with metadata from firewalls, IPS, SIEM, and distributed probes, all stitched together into a single database.
For a security professional, risk reduction is job one. Decades of point security products, purchased in the name of prevention, have failed us. Breaches are inevitable. Today, the greatest risk reduction comes from a focus on forensic data and improving time-to-resolution after a breach occurs.
Faster time-to-resolution is accomplished through a faster time-to-know. Remediation can only occur after root cause has been established, and rich contextual data is the enabler. Telemetry data, centrally gathered from across your entire network infrastructure, enables faster time-to-know and faster time-to-resolution.
Historical Big Data Storage
As a tactic to avoid detection, it is common practice for cybercriminals to lie low for days, weeks, months, or longer after they have successfully placed malicious code on your systems. It is common for organizations not to identify a breach until long after it actually occurred. In these cases, historical forensic data is needed to investigate and remediate the infection. Scrutinizer allows organizations to store raw flow and metadata as Big Data for weeks, months, or even decades and, when needed, to retrieve specific forensic details within seconds.
Scrutinizer offers fully customizable reporting, which is useful for the regulatory audit process as well as day-to-day monitoring. In an effort to strive toward regulatory compliance, many organizations implement a Control Objectives for Information and Related Technologies (COBIT) framework. Although there are many different regulations across many industries, the common factor is that auditors measure organizations against the regulations, often using COBIT as their measuring stick. They look for policies that are defined, consistently enforced, and automated. They also look for proof points demonstrating that these policies are enforced in all circumstances. Compliance reporting is a great way for companies to deliver proof to auditors, and it gives companies the ongoing ability to make sure the policies they think are in place are actually being enforced in practice.
Filter, Watch, Trigger
Flow Analytics™ for Scrutinizer is the only product today that allows you to monitor any element exported in NetFlow and IPFIX, set up extensive ‘include’ and ‘exclude’ filters, set a threshold, and then wait for the event. For example, you can monitor an application for a certain ToS within a class A subnet and trigger for excessive latency or packet loss. You can even set thresholds on the number of events necessary before a notification is triggered. Take full advantage of the details exported in the flows from your hardware regardless of vendor.
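The filter, watch, trigger sequence from the paragraph above, worked through on the paragraph's own example (a VoIP application with a given ToS inside a class A subnet, triggering on latency, with a minimum event count before notification). This is an added illustration and not Flow Analytics code; the record field names (app, tos, src, rtt_ms, loss_pct) and the rule structure are assumptions, not IPFIX element names or the product's configuration syntax.

```python
"""Filter / watch / trigger over IPFIX-style records (added example; not Flow Analytics code).

A rule has include filters (the field must match one of the listed values, IP fields
may match a CIDR network), exclude filters (the field must match none of them), a
watched metric with a threshold, and a minimum number of matching events before a
notification fires. Records are constructed dicts with assumed field names.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed flow records, as a latency-aware probe might export them
RECORDS = [
    {"ts": 1, "src": "10.1.2.3",   "dst": "10.9.0.10", "app": "voip", "tos": 46, "rtt_ms": 40,  "loss_pct": 0.1},
    {"ts": 2, "src": "10.1.2.4",   "dst": "10.9.0.10", "app": "voip", "tos": 46, "rtt_ms": 310, "loss_pct": 4.0},
    {"ts": 3, "src": "10.1.7.7",   "dst": "10.9.0.10", "app": "voip", "tos": 46, "rtt_ms": 330, "loss_pct": 5.5},
    {"ts": 4, "src": "10.1.2.4",   "dst": "10.9.0.10", "app": "http", "tos": 0,  "rtt_ms": 500, "loss_pct": 0.0},
    {"ts": 5, "src": "172.16.0.8", "dst": "10.9.0.10", "app": "voip", "tos": 46, "rtt_ms": 600, "loss_pct": 9.0},
    {"ts": 6, "src": "10.1.2.9",   "dst": "10.9.0.10", "app": "voip", "tos": 46, "rtt_ms": 290, "loss_pct": 3.2},
    {"ts": 7, "src": "10.1.5.1",   "dst": "10.9.0.10", "app": "voip", "tos": 46, "rtt_ms": 45,  "loss_pct": 0.0},
]


@dataclass
class Rule:
    name: str
    include: dict = field(default_factory=dict)  # field -> allowed values or networks
    exclude: dict = field(default_factory=dict)  # field -> disallowed values or networks
    metric: str = "rtt_ms"                       # the element being watched
    threshold: float = 0.0                       # trigger when metric > threshold
    min_events: int = 1                          # events required before a notification


def _matches(value, candidates):
    """True if value equals any candidate, or (for IPs) lies inside a candidate network."""
    for c in candidates:
        if isinstance(c, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if ipaddress.ip_address(value) in c:
                return True
        elif value == c:
            return True
    return False


def _passes_filters(rec, rule):
    for fld, allowed in rule.include.items():
        if not _matches(rec[fld], allowed):
            return False
    for fld, denied in rule.exclude.items():
        if _matches(rec[fld], denied):
            return False
    return True


def evaluate(records, rule):
    """Return (events over threshold after filtering, notification dict or None)."""
    events = [r for r in records
              if _passes_filters(r, rule) and r[rule.metric] > rule.threshold]
    if len(events) >= rule.min_events:
        notice = {"rule": rule.name, "count": len(events),
                  "first_ts": events[0]["ts"],
                  "sources": sorted({e["src"] for e in events})}
    else:
        notice = None
    return events, notice


# Watch VoIP (ToS 46) from the 10.0.0.0/8 class A, ignore the noisy lab /24,
# trigger on round-trip time above 250 ms, notify only on the second such event.
VOIP_LATENCY = Rule(
    name="voip latency in 10.0.0.0/8",
    include={"app": ["voip"], "tos": [46], "src": [ipaddress.ip_network("10.0.0.0/8")]},
    exclude={"src": [ipaddress.ip_network("10.1.7.0/24")]},
    metric="rtt_ms",
    threshold=250,
    min_events=2,
)

if __name__ == "__main__":
    hits, notice = evaluate(RECORDS, VOIP_LATENCY)
    print(len(hits), "matching events")
    print("notification:", notice)
```

On the constructed records, the HTTP flow fails the include filter, the 172.16.0.8 flow is outside the watched class A, and 10.1.7.7 is removed by the exclude filter, leaving two VoIP flows over 250 ms, which is exactly the event count the rule needs before it notifies.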
Before, During, and After
Flow Analytics™ – Visibility and Reporting Before, During, and After an Attack:
- What were the key indicators used to uncover the infection?
- Where and when was the point of entry?
- Are any other systems exhibiting the same behavior?
- What connections were triggered after the infection?
Before: Flow Analytics™ uses global threat intelligence to strengthen defenses. Out of the box, it monitors and triggers on dozens of indicators of compromise. By themselves, these indicators could easily be dismissed as false positives. Correlation is key.
During: Flow Analytics™ uses the intelligence gained from the indicators of compromise in the correlation process to uncover compromised devices that are trying to exfiltrate proprietary information. Combined with the FlowPro Defender, the system will identify DNS abuse, command and control traffic, and data theft.
After: Inevitably, some infections will evade your first lines of defense. Flow Analytics™ provides a lattice of detection capabilities. It uses proprietary methods combined with globally collected domain reputation lists to determine if advanced, unknown malware evaded front-line defenses. Using the raw flows, you can pinpoint exactly when an end system was compromised, as well as which other systems may have been affected by the malware’s lateral movement through your network.
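The four questions listed above, answered on a constructed set of raw flow records as an added example (not Flow Analytics or FlowPro Defender code): a reputation-list hit on a DNS query is the key indicator, the earliest inbound connection from outside the internal ranges before that hit is the candidate point of entry, other hosts querying the same indicator show the same behaviour, and a time-ordered walk of internal connections from the compromised host traces lateral movement. The record layout, the internal address range, and the reputation list entries (using the reserved .invalid domain and documentation IP ranges) are all assumptions made for the example.

```python
"""Forensic pivot through raw flow records after a malware alert (added example;
not Flow Analytics code). Works through the four questions on constructed data:
key indicators, point of entry, other hosts with the same behaviour, and the
connections that followed the infection.
"""
import ipaddress
from collections import deque

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed reputation list; a placeholder entry, not a real feed
BAD_DOMAINS = {"c2.bad-domain.invalid"}

# Constructed flows: (ts, src_ip, dst_ip, dst_port, dns_qname or None)
FLOWS = [
    (100, "10.0.1.20", "10.0.0.53", 53, "update.vendor.invalid"),
    (120, "203.0.113.9", "10.0.1.20", 3389, None),              # inbound RDP from outside
    (180, "10.0.1.20", "10.0.0.53", 53, "c2.bad-domain.invalid"),  # first beacon lookup
    (181, "10.0.1.20", "198.51.100.7", 443, None),
    (240, "10.0.1.20", "10.0.2.31", 445, None),                 # SMB to a second host
    (300, "10.0.2.31", "10.0.0.53", 53, "c2.bad-domain.invalid"),  # second host beacons
    (320, "10.0.2.31", "10.0.3.8", 5985, None),                 # onward to a third host
    (330, "10.0.3.8", "10.0.0.53", 53, "www.vendor.invalid"),
    (400, "10.0.5.5", "10.0.0.53", 53, "c2.bad-domain.invalid"),   # unrelated host, same indicator
]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)


def key_indicators(flows):
    """Flows whose DNS query matched the reputation list, as (ts, host, qname)."""
    return [(ts, src, q) for ts, src, _dst, _port, q in flows if q in BAD_DOMAINS]


def point_of_entry(flows, host, before_ts):
    """Earliest inbound flow to host from outside the internal ranges before the alert."""
    inbound = [f for f in flows
               if f[2] == host and f[0] < before_ts and not is_internal(f[1])]
    return min(inbound, default=None)


def same_behaviour(flows, indicator, exclude_host):
    """Other internal hosts that queried the same indicator."""
    return sorted({host for _ts, host, q in key_indicators(flows)
                   if q == indicator and host != exclude_host})


def lateral_movement(flows, origin, start_ts):
    """Breadth-first walk over internal connections: hosts the origin reached after
    start_ts, then what each of those reached after it was itself first contacted.
    DNS to the resolver is skipped; it is not host-to-host movement."""
    reached = {origin: start_ts}
    queue = deque([origin])
    edges = []
    by_time = sorted(flows, key=lambda f: f[0])
    while queue:
        host = queue.popleft()
        for ts, src, dst, port, _q in by_time:
            if src != host or ts < reached[host] or dst == host:
                continue
            if not is_internal(dst) or port == 53:
                continue
            edges.append((ts, src, dst, port))
            if dst not in reached:
                reached[dst] = ts
                queue.append(dst)
    return edges


if __name__ == "__main__":
    alerts = key_indicators(FLOWS)
    first_ts, victim, indicator = alerts[0]
    print("key indicator:", indicator, "on", victim, "at", first_ts)
    print("point of entry:", point_of_entry(FLOWS, victim, first_ts))
    print("same behaviour:", same_behaviour(FLOWS, indicator, victim))
    entry = point_of_entry(FLOWS, victim, first_ts)
    print("lateral movement:", lateral_movement(FLOWS, victim, entry[0]))
```

The walk starts from the point-of-entry time rather than from the alert time, because the text's point is precisely that the compromise predates detection; on this data it finds 10.0.2.31 and then 10.0.3.8, while 10.0.5.5 surfaces only through the shared indicator and would need its own entry-point search.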