The engine to fight smarter in cyber warfare

As organizations seek to improve their security posture with the latest security analytics tools, they run into the same obstacles: a shortage of in-house expertise, and the processing capacity needed to find threats hidden in overwhelming volumes of raw data.

That struggle creates an urgent need for approaches that focus analysis on specific areas of the network while limiting exposure to threats: finding the needle in the haystack of threat mitigation, but a needle with context.

This won’t be easy. Ian Farquhar, Distinguished Sales Engineer at Gigamon, points to the 2011 intrusion at RSA, in which the attackers used a then-unknown flaw in Adobe’s Flash software to install a backdoor. “The [malware] code was compiled six hours before it entered RSA’s network and they never ever used the code again,” he says.

Cyber defenders, faced with zero-day, customized attacks designed to evade detection, now monitor their environments for anomalies and deviations from normal conditions. However, “these [analytics] approaches are slow,” Farquhar warns. “We have the network that is going faster. We have tools that are going faster, but not as [quickly as the growth in data], and we’ve got algorithms that are much slower. Security analytics is great at catching problems and all the attacks over a long period of time, but the amount of data to be analyzed is huge.”

For this reason, Gigamon is heavily committed to metadata abstraction, which lets tools run analytics on a manageable amount of data and produce threat intelligence in time to act on it. This matters for cyber defenders operating on an assumption of compromise: the best-laid defenses have failed time and again against increasingly sophisticated attacks, and people have proven to be the weakest link in the fight against cyber attacks.

“Part of the problem is that most of the security tools aren’t keeping up with real networks,” Farquhar explains. “Metadata fits perfectly in a threat feed environment because by correlating metadata with a threat feed, we actually turn raw data into actionable intelligence.”

This is how Gigamon’s Metadata Engine, a key pillar of the company’s Security Delivery Platform (SDP), makes existing and planned security infrastructure more effective and efficient: by feeding the right information to the right tool at the right time, it helps organizations identify and mitigate threats inside their networks.

Treasure in the network

Switches, routers, host servers and other devices generate a deluge of log data, and still more data flows through the enterprise network as traffic; amid all of it, the difficulty in security analytics is identifying the right event sources.

“What if we could generate a lot of interesting data from the network itself?” Farquhar suggests. “One of the best sources of information when doing security analytics is our DNS server. What if, instead, we generated data off the wire rather than turning on DNS logging? What if we grabbed data from the wire and just harvested all the URLs? The challenge with doing that is that it must run fast. We can do that on hardware and get a better view, and it’s a lot less disruptive.”

The Gigamon Metadata Engine essentially does that – generating metadata from network traffic and feeding that to security and analytics systems.

An organization could store both full packet data and the extracted metadata. Network traffic for a defined period is retained so that the full traffic can be replayed. Metadata, which typically represents between 1% and 9% of the total traffic data stored, covers only the protocols most relevant to security incidents, such as DNS requests, URLs and SSL/TLS sessions.
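As an added example (not Gigamon code and not the Metadata Engine’s implementation), the following Python pulls DNS query metadata directly from the raw message bytes, the “data off the wire” alternative to DNS server logging described above. The query builder, the sample messages and the derived fields (qname_len, labels) are constructed for the example; a real sensor would read the UDP payload from a tap or SPAN port instead of building it.

```python
"""Extract DNS query metadata straight from the wire (the UDP payload of a DNS message).

Added example, not Gigamon code. Sample messages are constructed, not captured.
"""
import struct

# Small, partial type table; unknown types are reported numerically.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Construct a sample DNS query message (constructed test input)."""
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    # flags 0x0100 = standard query, recursion desired; one question, no RRs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_name(msg: bytes, offset: int):
    """Decode a DNS name at offset, honouring RFC 1035 4.1.4 compression.

    Returns (name, offset_after_name). A compression pointer is only accepted
    when it points backwards, which rules out pointer loops on hostile input.
    """
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:                       # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:             # 2-byte pointer: 11xxxxxx xxxxxxxx
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:
                raise ValueError("forward or self-referencing compression pointer")
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            offset += 2                       # a pointer ends the name
            break
        if length > 63:
            raise ValueError("label longer than 63 octets")
        if offset + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", errors="replace"))
        offset += 1 + length
    return ".".join(label for label in labels if label), offset


def extract_dns_metadata(msg: bytes) -> dict:
    """Return a compact metadata record for one DNS message: header facts plus the questions."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        qname, offset = parse_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({
            "qname": qname,
            "qtype": QTYPES.get(qtype, str(qtype)),
            "qclass": qclass,
            # cheap derived features an analytics tool can key on without the packet
            "qname_len": len(qname),
            "labels": qname.count(".") + 1 if qname else 0,
        })
    return {"txid": txid, "response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "ancount": ancount, "questions": questions}


if __name__ == "__main__":
    print(extract_dns_metadata(build_dns_query("www.example.com")))
```

The pointer rule (only backwards references are followed) is the part worth copying: a sensor that parses hostile traffic at line rate cannot afford a parser that loops on a crafted name.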

“The two types of data have different uses,” Farquhar explains. “The full packet data is really about forensics and recovery. The metadata is used to detect the low and slow malware attacks – those that take months. Because we extracted the metadata and we have a data buffer [pointing to the metadata entries], we could go back into the data and look at what had happened historically, wind forward to understand when and how it happened, and do the forensics around that information. The hard part is actually contextualizing the data. Once you get enough data, determining anomalies actually becomes very practical and scalable.”

Malware detection is a major use case of the Gigamon Metadata Engine. And this task is getting harder as cybercriminals begin using social media sites as command and control (C&C) servers for their attacks. “When the C&C server channels are encrypted with TLS, you can’t tell the difference between a legitimate user and a piece of malware,” says Farquhar.

Nowhere to hide

But inside the network, away from the perimeter, malware is much easier to spot: as it moves laterally from system to system, and as its operator runs port scans to map the environment, it generates more data. “That’s where you actually see them blundering around – not at the edge but in the core,” Farquhar adds.

Strikingly, even when a session to a social media site is encrypted, the Gigamon SDP can speed up anomaly detection by monitoring the SSL/TLS certificate exchange and emitting metadata that includes indicators of potentially falsified certificates. This works because, in TLS 1.2 and earlier, the server sends its certificate in the clear before encryption begins; TLS 1.3 encrypts the server’s Certificate message, so a passive sensor then sees only the client’s SNI and the observable shape of the handshake.

“Every SSL session has a server certificate that tells us who the server claims to be, what organization it claims to be from and which certificate authority attests to that,” says Farquhar. “When you see weird stuff happening, you can’t see the data but you can still see the certificate. If you see certificates that don’t make sense, that’s an indication of a compromise.”
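As an added example (not Gigamon code), the checks below show the kind of rules an analytics tool can run on per-session certificate metadata of the sort just described: self-signed certificates, issuers the organization never normally sees, a presented name that does not cover the SNI the client asked for, and validity periods that do not make sense. The CertMeta record layout, the sample sessions, the issuer allowlist and the 398-day lifetime cap are assumptions made for the example; the issuer check is a heuristic on metadata, not chain validation, which the sensor cannot perform from the leaf certificate alone.

```python
"""Rule-based anomaly checks over TLS certificate metadata records.

Added example, not Gigamon code. Each CertMeta stands for what a passive sensor can
record from a TLS 1.2-or-earlier handshake: the SNI from the ClientHello and the
leaf certificate fields from the server's Certificate message. All records,
the issuer allowlist and the 'now' timestamp are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class CertMeta:
    sni: str             # server name the client asked for (ClientHello SNI)
    subject_cn: str      # leaf certificate subject CN
    issuer_cn: str       # leaf certificate issuer CN
    sans: list           # dNSName subjectAltName entries (may be empty)
    not_before: datetime
    not_after: datetime
    self_signed: bool    # issuer DN equals subject DN


def hostname_matches(host: str, pattern: str) -> bool:
    """RFC 6125-style presented-identifier match.

    A wildcard is honoured only as the whole leftmost label ('*.example.com'),
    covers exactly one label, and never matches the bare parent domain.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if not suffix or "*" in suffix:
            return False
        head, dot, tail = host.partition(".")
        return bool(head) and dot == "." and tail == suffix
    return "*" not in pattern and host == pattern


def check_certificate(rec: CertMeta, now: datetime, usual_issuers: set,
                      max_lifetime_days: int = 398) -> list:
    """Return human-readable findings for one session's certificate (empty list = nothing odd).

    Heuristics on metadata, not chain validation: trust is approximated by an
    allowlist of issuer names the organisation normally sees (assumed input).
    """
    findings = []
    if rec.self_signed:
        findings.append("self-signed certificate")
    if rec.issuer_cn not in usual_issuers:
        findings.append(f"unusual issuer: {rec.issuer_cn!r}")
    presented = rec.sans if rec.sans else [rec.subject_cn]   # CN is only a fallback when no SANs
    if not any(hostname_matches(rec.sni, name) for name in presented):
        findings.append(f"name mismatch: sni={rec.sni!r} presented={presented}")
    if now < rec.not_before:
        findings.append("certificate not yet valid")
    elif now > rec.not_after:
        findings.append("certificate expired")
    lifetime = rec.not_after - rec.not_before
    if lifetime > timedelta(days=max_lifetime_days):
        findings.append(f"lifetime {lifetime.days}d exceeds {max_lifetime_days}d")
    return findings


def triage(records, now, usual_issuers) -> list:
    """Run the checks over many sessions; return (sni, findings) only where something was flagged."""
    flagged = []
    for rec in records:
        findings = check_certificate(rec, now, usual_issuers)
        if findings:
            flagged.append((rec.sni, findings))
    return flagged


# Constructed sample sessions (not captured traffic); issuer names are assumptions.
NOW = datetime(2016, 6, 1, tzinfo=UTC)
USUAL_ISSUERS = {"Example Public CA G2", "Example Corp Internal CA"}
_ok_from, _ok_to = datetime(2016, 1, 1, tzinfo=UTC), datetime(2017, 1, 1, tzinfo=UTC)
SAMPLE_RECORDS = [
    # ordinary session: a SAN covers the SNI, usual issuer, sane lifetime
    CertMeta("www.example.com", "www.example.com", "Example Public CA G2",
             ["www.example.com", "example.com"], _ok_from, _ok_to, False),
    # wildcard certificate legitimately covering one label
    CertMeta("api.example.com", "*.example.com", "Example Public CA G2",
             ["*.example.com"], _ok_from, _ok_to, False),
    # a certificate that "doesn't make sense": self-signed 'localhost' cert with a
    # ten-year lifetime, presented to a client that asked for www.example.com
    CertMeta("www.example.com", "localhost", "localhost", [],
             datetime(2014, 5, 4, tzinfo=UTC), datetime(2024, 5, 4, tzinfo=UTC), True),
    # a wildcard must not be stretched across two labels
    CertMeta("a.b.example.com", "*.example.com", "Example Public CA G2",
             ["*.example.com"], _ok_from, _ok_to, False),
]

if __name__ == "__main__":
    for sni, findings in triage(SAMPLE_RECORDS, NOW, USUAL_ISSUERS):
        print(sni, findings)
```

Run stand-alone it prints the two flagged sessions; in a SIEM the same findings would be attached to the session record so an analyst can pivot from the odd certificate to the host that accepted it.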

Certificate metadata lets Gigamon, together with its ecosystem partners in the security analytics and SIEM markets, leverage the network to shorten the time to detection and response. Beyond that, the Metadata Engine provides high-fidelity network traffic metadata so that security tool vendors can focus on finding potentially malicious web servers and unwanted SSL traffic.

This is a QuestexAsia feature commissioned by Gigamon.