Network Traffic Analysis is the Next-Generation Defense Against Modern Threats

Introduction

Adversaries who are determined to get to an organization’s digital assets are tenacious in their attempts to penetrate the target network. With resourcefulness and perseverance, attackers can overcome legacy defenses to get a foothold on the network. Once there, assets are at high risk. It’s a race against time to weed out attackers’ actions from the massive data generated by an organization’s borderless network. This calls for an unconventional approach that leverages advanced machine learning techniques to analyze this high-frequency data and identify risky anomalous behavior in the network.

The war on cyber threats grows more complicated every day. The organization that is fully committed to protecting its network will have a multifaceted approach that includes both prevention and detection methodologies. What’s more, both network operations (NetOps) and security operations (SecOps) teams must utilize the tools at their disposal to fight the good fight. They are expected to win against nonstop attacks every second of every day, securing their organization’s reputation.

The NetOps team will have first access to this data the moment it comes on the network, with the ability to track further activity over time. The question is, how can network traffic be assessed in real-time to determine if it is truly a threat or if it is merely benign traffic?

Among the typical network security tools deployed today are advanced firewalls, intrusion detection/prevention systems, anti-virus/anti-malware, and gateways. They are all good solutions – important and necessary – but they are point solutions which operate in isolation from other tools. They lack the ability to link events and flows across different networks, systems, endpoint devices, accounts and users to build context and provide end-to-end flow visibility. Even more concerning is that these tools are primarily dependent on signatures or rules to evaluate possible threats, meaning that only “known” or anticipated threats can be detected. Unknown threats for which there are no signatures or rules can slip right through to the network.

Then, there are network monitoring tools whose purpose is primarily to monitor IT infrastructure to assess the movement and performance of traffic, packets, bandwidth, uptime, ports and the like. These tools are geared to performance monitoring and troubleshooting; i.e., to ensure that everything is working as expected. There are some advanced solutions like Deep Packet Inspection (DPI), which is typically used for data mining, routing and blocking based on the known packet signatures or abnormal patterns. However, aspects of the metadata and alerts generated by these tools can be very useful to a much broader type of threat assessment — one that is based on evaluating deviations in network behavior.

In the pages ahead, we look at network traffic analysis (NTA), also known as network behavior analytics (NBA) or network behavior anomaly detection (NBAD). Network traffic analysis provides deep visibility into unknown and undetected threats based on risky abnormal behavior on an enterprise network. NetOps teams can use this type of tool to prioritize investigations and response actions based on the risk ranking.

Network Traffic Analysis Proactively Detects Modern Threats

NetOps professionals are most familiar with the discipline of network analytics, which involves the analysis of network traffic and statistics to identify trends and patterns in network operations. The operators then act on what they have learned from the data. For example, if a network operator finds that there is a congestion problem in a certain area of the network, traffic can be routed through a different part of the network to meet service performance objectives.

Network traffic analysis (NTA) also uses network traffic and advanced analytical techniques, but for an entirely different purpose: to monitor for indications of a security threat. NTA focuses on network behavior patterns attributed to all the entities (i.e., machine IDs, IP addresses, etc.) associated with the network. The system also can monitor and build behavior baselines using various attributes such as source IP address, destination IP address, source port, destination port, TCP flags, bytes-in, bytes-out, etc. Once the baselines are created, all new activity of each entity is compared to its baseline to determine whether the current activity conforms to or deviates from the historical norm. Behavior that deviates from an entity’s own baseline is then evaluated for its degree of risk. If the risk appears to be high, the NTA system can raise an alert to a dashboard being monitored by network operators.

Network traffic analysis is particularly good for spotting new, unknown malware, zero-day exploits, and attacks that are slow to develop, as well as for identifying rogue behavior by network insiders (or those who are using a legitimate insider’s credentials). This approach is also helpful when the threat traffic is encrypted, such as the command and control (C&C) channel for certain botnets.

Suppose an endpoint has become infected with new malware for which there is no signature. The antivirus and anti-malware tools have not been updated to catch this malware. Once on the endpoint machine, the malware ultimately results in changing the normal behavior of the device. The NTA system can detect the anomaly, raise it as suspicious behavior, and if directed to do so, trigger a mitigation action such as blocking communication activity for that IP address until further investigation — all in real-time or near real-time.

Network traffic analysis is not a new type of solution; proponents have been talking about it for at least a decade. What is new in this next generation of solutions is the use of advanced technologies like Big Data and machine learning that make NTA much more powerful and accurate in quickly and automatically detecting anomalous network traffic patterns.

“Packet-level data provides the underpinning of intelligence needed to understand the impact of business change on all parts of the infrastructure.”

– CSO Online, Overcoming the Barriers to Digital Transformation

Gurucul Network Traffic Analysis

Gurucul has tailored its Network Traffic Analysis product to focus on identifying unknown network threats using advanced machine learning algorithms on network traffic and packet data. Gurucul NTA provides prepackaged machine learning models which are pre-configured and tuned to run on high frequency network data streams to detect real-time anomalies and risk ranked threats.

In addition to network data, Gurucul can also ingest and link application and platform logs, security alerts, DHCP, CMDB data, vulnerability assessment reports, threat intelligence and access control data to build rich context. This provides end-to-end visibility and traces the anomalous-behavior kill chain across the network.

This contextual linked data and extensive library of out-of-the-box behavior and threat models help identify advanced and unknown threats like zero-day exploits, fileless malware, and ransomware. This is achieved by detecting unusual behavior on a given entity (e.g. server, IP, device), any related lateral movement within the network, command and control (C2) communication, suspicious account activity from a compromised account, as well as access misuse. The platform supports real-time data processing and analytics to detect such threats in near real time, as well as to uncover APT / stealth attacks which lie dormant between the various stages of an attack.

For instance, if a host belonging to the database administrator shows indications of suspicious outbound traffic as well as lateral movement across a range of hosts not seen before, Gurucul NTA will immediately flag such risky abnormal behavior. The solution can be configured to trigger an automated risk response to isolate the host from the production network, or allow the NetOps team to take preventive actions before the compromise.

With the expansion of IoT and mobility in the borderless enterprise environment, one of the top threats has been the unauthorized use of non-registered devices, and WiFi/IoT networks, to gain access to enterprise networks. The Gurucul NTA solution also discovers and reports any unknown or unseen devices on the network. It closely monitors all activities from such devices with a higher resident risk score.

NetOps and SecOps users can further customize existing machine learning models or deploy their own from templates offered out of the box. These models are highly flexible and allow users to run analytics on a wide variety of attributes including IP addresses, ports, byte size, etc. Custom models are especially useful to track activity from non-traditional hosts such as CCTVs, PoS terminals and IoT devices. With an increasing number of Robotic Process Automations, bots and scripts on the prowl, accounting for and reducing the attack surface of what could be weak links in the network becomes imperative to ensure the overall health of the environment. Few inherent means exist for securing these devices, and Gurucul Network Traffic Analysis can serve as a valuable alerting tool to preempt any malicious activity.

A side benefit is that network behavior analytics also can identify unregistered devices, network policy violations and network misconfigurations that result in higher risk.

Analyzing Network Data

Gurucul Network Traffic Analysis supports a wide variety of networking data from various sources out-of-the-box including but not limited to NetFlow, firewall, Packet Capture (PCAP), IDS/IPS, DHCP, DNS, as well as other data formats like CEF, csv, tsv, syslog, json and xml. Moreover, the solution leverages a native threat intelligence feed that delivers insights on known bad actors, and also supports integration with external feed sources.

“NTA identifies threats proactively by searching for abnormal user and network usage behavior.”

– TechGenix, A Guide to Network Traffic Monitoring Tools

Adding User and Access Context

One of the biggest pain points of most network and security analytics solutions is their inability to conclusively tie together data generated by disparate sources, including application / platform event logs, network flows, HR user profiles and access entitlements. Gurucul solves this problem by defining unique identities (users and/or entities) and linking all the data elements to those identities using linking algorithms or patterns. Gurucul combines identity and network-based alerting to give the SecOps and NetOps teams an end-to-end picture of the incident, enabling them to answer essential questions such as:

  • Which device triggered the incident?
  • Which systems are being connected to or from at what frequency?
  • What transactions were performed?
  • How much data was transferred?
  • Who is the owner of the device/subnet?
  • Who was using the device?
  • What else did the user access on the network?
  • What’s the risk score of the user?
  • What systems does the user have access to?
  • Is the behavior of this device normal and expected, relative to its peers?

Models Tuning

Gurucul’s machine learning algorithms have the ability to leverage user feedback from incidents to tune and improve the response to similar incidents in the future. When models flag high-risk incidents, a case is opened for investigation. Once the investigation is complete, an analyst may “Close the case” or “Close as Risk Managed” and provide inputs for model configuration changes. This feedback loop greatly enhances the model’s efficacy, delivering crisper and more actionable insights.

Mitigation Actions

Gurucul supports API-based integration with external security solutions to enforce corrective or preventive response actions based on risk score, type of anomaly, device category, etc. Such actions can be automated in order to mitigate risks in real time or near real time. For example, Gurucul can leverage NAC APIs to generate requests that restrict the network access of infected devices to limit lateral movement.

Gurucul Brings More Capabilities to Network Traffic Analysis

The Gurucul Network Traffic Analysis product has some significant characteristics and capabilities that distinguish this solution from others.

Scalable Solution Architecture

Gurucul’s Big Data architecture is built to ingest and analyze high volume transactional data — both structured and unstructured. This not only allows for quicker searching, but also faster analytics and longer data retention for e-discovery and forensics. It’s an open choice as to which data lake to use — Hadoop, Cloudera, Hortonworks, etc. The customer can choose a preferred or existing Big Data product, or use Gurucul’s Hadoop data lake for free.

Data Ingestion and Data Linking

Gurucul has a metadata-driven data format, which allows the system to map to any data source – online or offline, internal or external, on-premise or in the cloud – to pull information into the data lake, regardless of the format of the data. The more data sources and the more data ingested, the better, as this broadens the view of the activities and behaviors by putting them in context and increases the learning ability of the machine learning engine.

Siloed data sources often refer to the same user or machine but vary in data formats, naming conventions and schemas. These differences may include added suffixes, prefixes or foreign keys used to link user data to entity data. Gurucul has the built-in capability to link such data from disparate sources before or after they are imported. Linkage is on the basis of identity; for example, an IP address or a specific user. Every data record will be associated in some way with a specific identity, and this helps to build a baseline of behavior and activity for that identity.

Data Analytics

Gurucul’s data analytics engine uses machine learning rather than rules, which allows the system to find anomalies without having to anticipate and define parameters for them in advance. The machine learning engine is built on top of more than 4000 data models (algorithms) out-of-the-box – some of which are industry specific – and customers have the capability to fine-tune the existing models and to create their own models that are specific to their own use cases.

Comparison to Peer Groups

Another way that Gurucul evaluates risk is to compare one user’s or entity’s behavior to that of its peer group. For example, a particular endpoint might be communicating with an unknown external IP address. This behavior is suspicious but perhaps not enough to declare it high-risk activity. An analyst can check whether other devices belonging to that same workgroup are also reaching out to the same IP address. If so, then perhaps there is a legitimate business reason for this communication. If not, then it might appear that the endpoint is infected and is communicating with a C&C server. Peer group assessment is one more way of evaluating risk.
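As an added example (not Gurucul’s code and not its models), the two mechanisms described in this paper, per-entity baselining under “Network Traffic Analysis Proactively Detects Modern Threats” and the peer group comparison above, are carried through on constructed NetFlow-style records: each source entity gets a baseline of destinations, ports and bytes-out; a new flow is scored against its own history; and a high-scoring flow to a new destination is cross-checked against the entity’s workgroup peers. The field layout, score weights, 3-sigma threshold and the 10.0.1.x peer group are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window: (src_ip, dst_ip, dst_port, bytes_out).
# The three 10.0.1.x hosts are assumed to form one workgroup (peer group).
HISTORY = [
    ("10.0.1.10", "10.0.2.5", 443, 1200), ("10.0.1.10", "10.0.2.5", 443, 1500),
    ("10.0.1.10", "10.0.2.7", 445, 900), ("10.0.1.10", "10.0.2.5", 443, 1300),
    ("10.0.1.11", "10.0.2.5", 443, 1100), ("10.0.1.11", "10.0.2.7", 445, 800),
    ("10.0.1.12", "10.0.2.5", 443, 1250), ("10.0.1.12", "203.0.113.9", 443, 700),
]
PEERS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]

def build_baselines(flows):
    """Per source entity: destinations and ports seen, plus bytes_out samples."""
    base = defaultdict(lambda: {"dsts": set(), "ports": set(), "bytes": []})
    for src, dst, port, nbytes in flows:
        base[src]["dsts"].add(dst)
        base[src]["ports"].add(port)
        base[src]["bytes"].append(nbytes)
    return base

def score_flow(baselines, flow):
    """Risk score 0..100 for a new flow against its own source's baseline (assumed weights)."""
    src, dst, port, nbytes = flow
    b = baselines.get(src)
    if b is None:  # never-profiled entity: treat as maximum risk until baselined
        return 100, ["unknown entity"]
    score, reasons = 0, []
    if dst not in b["dsts"]:
        score, reasons = score + 40, reasons + ["new destination"]
    if port not in b["ports"]:
        score, reasons = score + 30, reasons + ["new destination port"]
    mu, sd = mean(b["bytes"]), pstdev(b["bytes"]) or 1.0  # sd=0 for one sample -> 1
    if (nbytes - mu) / sd > 3:  # bytes_out far above this entity's own history
        score, reasons = score + 30, reasons + ["bytes_out spike"]
    return min(score, 100), reasons

def peer_group_seen(baselines, src, dst, peers):
    """True if any other member of src's peer group already talks to dst."""
    return any(dst in baselines[p]["dsts"] for p in peers if p != src and p in baselines)

def triage(baselines, flow, peers, threshold=60):
    """Combine own-baseline deviation with the peer-group comparison."""
    score, reasons = score_flow(baselines, flow)
    if score < threshold:
        return "baseline-conformant", score, reasons
    if "new destination" in reasons and peer_group_seen(baselines, flow[0], flow[1], peers):
        return "review: destination is common in peer group", score, reasons
    return "escalate: deviates from own baseline and peers", score, reasons
```

Running `triage(build_baselines(HISTORY), flow, PEERS)` on a flow to a destination already used by a peer yields a review verdict, while a large transfer to a destination no peer has contacted is escalated.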

Conclusion

The war on cyber threats grows more complicated every day, especially as the attack surface grows to accommodate cloud computing, the IoT, and BYOD connections. NetOps and SecOps teams need every advantage in detecting and responding to threats as early as possible. Network Traffic Analysis is a highly effective means to quickly identify suspicious or risky activity on a network. NTA uses data that NetOps teams are already collecting, so there is low overhead to deploying this solution. Network traffic analysis is the next-generation defense against modern threats.
