How To Choose The Right Eyes And Ears For Cybersecurity


Dan Woods, Contributor

October 23, 2013

The modern practice of cyber-security is now powered by data analysis. As a result, the quality of security will be determined by the volume and quality of the data collected about your environment, and the ability to uncover threats.

One fascinating implication is that a raft of technology that can collect and analyze data about a computing environment is now relevant to the practice of security. There are now a huge number of choices of technology that can be the eyes and ears of your cyber security portfolio.

So many of these options are appearing that CIOs and CSOs will clearly have to choose among them. The question I will address in this article is: How can you choose the right eyes and ears that will help make your company safer?

The Anatomical Analogy for Cyber Security

Cyber-security used to be all about locks. The idea was that a firewall would stop those you didn’t like from getting access to stuff they shouldn’t be able to see. Other systems for intrusion detection arose that would alert you when someone was poking around.

Anti-virus software running on your PC was basically like a lock powered by data. The AV software looks for signatures of known threats and doesn’t allow that content onto a computer. The quality of AV software depends heavily on constantly getting better data, specifically better collections of signatures.

The locks and alarm approach first developed when security was fundamentally about stopping ham-handed vandals from trashing your computing infrastructure. These attacks didn’t do much to conceal themselves. The were all about looking for someone who left their digital car unlocked with the keys inside. Those were simple days for security.

Nowadays, the attackers are not vandals but spies, thieves, extortionists, and other people with extremely sophisticated skills. They are looking to conceal themselves and to get into an environment and stay there so that they can take as much as possible. Their attacks are called Advanced Persistent Threats and they usually are designed to play out in stages. First the threat gets a foothold, then looks around to find more vulnerable systems (or a specific asset), takes control over one or more systems, perhaps installs additional software, and eventually ships out valuable information. The key is to attempt to remain inconspicuous so as to be able to evade detection.

To address these needs, a comprehensive cyber security system must have locks (perimeter defenses), waiting rooms (for behavioral analysis), ears (for listening for abnormalities in huge streams of data from many sources), eyes (for scanning for abnormalities), a brain to make sense of all of this information, and arms and hands to take action to remediate the threats. In essence, the cloud provides the legs to move security functionality to follow end users and systems wherever they travel. Zscaler, for example, has pioneered a cloud-based approach that protects mobile devices wherever they are used.

To catch APTs before they get in, and to improve the way that anti-virus software works, cyber-security companies like FireEye and others use a behavioral approach. Content and software is put in a petri dish environment inside a waiting room. If it then tries to do something that indicates an attack, it is not allowed in. While this approach works, it will never catch everything.

Remember, a huge percentage of the computing infrastructure we have was not built to be safe in networked environments that include bad actors and malware. Also, employees have bad habits and the makers of APTs are good at exploiting them. In addition, the most advanced APTs are created to get a specific individual to do something stupid by clicking on a link. Threats are sent in email you are likely to open; for example, think about a threat lurking in a message about your kid’s soccer team

So to really be secure you have to assume that threats are going to succeed. That’s right. If Google and the New York Times and the US Department of Defense can be hacked, so can you.

Understanding What’s Normal

Now we arrive at the importance of eyes and ears. If the first job of cyber security technology is to keep threats out, the second job is to find the threats once they have gotten in. The only way to do this is to look for them. Because attackers are attempting to conceal themselves this is tricky. There is one thing they cannot conceal, and that is accessing things that they shouldn’t access. When the threats do this, usually they are doing something out of the ordinary. Perhaps a laptop is trying to access a server that that user doesn’t use. Perhaps a server is trying to access another server it has no business connecting to.

To catch threats once they are in, you have to look for abnormal behavior and abnormal content. That’s what digital eyes and ears do. By looking at streams of network traffic or other behavior gathered from data flowing out of web servers, virtual machines, and so forth, you can start to create a sophisticated models of what is normal. Then when something happens outside of normal it may indicate a threat. At that point an alarm is raised and the security operations team is notified to start looking into the problem.

Understanding what’s normal is not easy. In most computing environments there is a lot going on. It would be a waste of time to send ten thousand incidents a day to the security operations team. For that reason, some of the eyes and ears have to have a brain that can help define normal and watch for aberrant behavior.

The traditional SIEM vendors – HP/Arcsight, RSA, IBM – have put great efforts in building the right big data environment for their cyber security customers – that includes the storage, retrieval platforms, and analytics. But all of the systems will become better with better data. That’s why getting the right eyes and ears in place is so important.

Eyes refers to the ability to look for something. Eyes are about scanning and finding something wrong. Ears are about collecting data that may be of use. Almost any device can become ears. including existing security appliance such as Firewalls and Intrusion Detection.

(See “Teaching Your CEO about Cyber Security: An Anatomical Analogy” for an expanded explanation of the anatomical analogy that may be helpful in explaining security technology to civilians.)

Here are some technologies that can become the eyes and ears of your cyber security capabilities in various ways.

Splunk: Defining Normal Using Real-time Searches and Alerts

Splunk, which is able to digest and monitor huge volumes of machine data and lets you apply statistical analysis to determine outliers and anomalous behaviors. This allows you to establish baselines for almost any risk scenario you can think of. Splunk also can perform look-ups and correlations with other sources of contextual data to eliminate false positives or embellish data received form sensors. Splunk can also sift through huge amounts of data to find specific events.

In this way, Splunk can help a security operations team manually implement hundreds of automated searches for looking for specific problems such as unusual attempts to access servers that have the crown jewels, or unusually high levels of traffic on servers that could be vulnerable to bot net attacks. Whenever a new type of worry arises, a new rule or alert can be implemented. While this approach requires care and feeding, it can provide valuable information.

FortScale: Machine-learning Powered Monitoring Toolkit for Security Operations Team

Fortscale, founded in 2012, is building an environment powered by machine learning to support monitoring and analysis for security operations. Security analytics is by definition a big data problem, which requires machine learning to yield its secrets. Fortscale monitors logs from networks and other security sensors or applications to allow security teams to establish normal behavior by automatic profiling of users’ behavior and their access to resources. Clustering and comparison of users to their peers assist in understating what is a normal configuration or activity of a user and what is not.

When abnormal events are discovered Fortscale provides an inbox for triage and management of events that allows the security analyst to quickly investigate the new lead with designated visualization tools, and to have deeper and comprehensive profile of the user – whether he was compromised or he tried to cunningly leak sensitive data. An automatic risk score can also assist in better prioritization of security events and in their verification and can enrich traditional SIEM systems. Fortscale includes a scripting environment so that responses to events can be automated.

“In the past 2-3 years. Big data technologies like Hadoop, got mature and extremely user-friendly but not necessary to the security world,” said Idan Tendler, CEO and co-founder of Fortscale. “We want to leverage these new capabilities – so all security teams, regardless their know-how in advanced cyber warfare techniques or in machine learning, can effectively produce intelligence about users using security analytics”.

Prelert Anomaly Detective: Automatically Defined Normal

Prelert, founded in 2010, provides a framework for understanding normal that is based on Bayesian statistics. By looking at what is happening in streams of data, Prelert’ s Anomaly Detective can determine the probability of the occurrence of various events. Low probability events are considered abnormal. The more data Prelert looks at, the more confident it becomes.

Prelert can apply this technique to IT operations, application performance management, business intelligence, and security analytics. Prelert could be used by a security operations team to examine a newly arrived stream of data and determine what sort of signals can be found.

Prelert ‘s population analytics spot APTs by automatically learning the normal behavior profiles of populations, systems and users. It then accurately identifies the anomalous behavior patterns of outliers that may be rogue users or the new security threat. Prelert’s unique approach puts data science in the form of advanced security analytics into the hands of IT security users.

Prelert users have demonstrated use cases such as unexpected external connections, meaningful ways to analyze IDS alerts within a single search, and APT detection via Netflow. Prelert’s biggest benefit to security operations teams is a shorter mean time to detection and greater visibility into complex and blended threats.
“Our vision is to put the power of data science, specifically big data machine learning analytics, into the hands of everyday IT and business professionals so they can make better business decisions,” said Mark Jaffe, CEO, Prelert.

CloudMeter: Deep Analysis of Network Traffic

Cloudmeter was born in 2007 out of CEO Mike Dickey’s long experience in building products to find value in network traffic. Cloudmeter, Dickey’s third company based on analysis of network data, recently introduced a new data capture technology that acts as “intelligent ears” for monitoring all your networks – whether they are physical or virtual, private clouds or public clouds. It captures traffic passively using physical devices, virtual appliances or ultra light agents that run in a background process on your servers.

Cloudmeter digs much deeper than traditional IDS tools by listening closely to what network traffic has to say. Rather than just capturing a fixed set of metrics, Cloudmeter’s technology enables you to dynamically change the logic and rules used to parse and extract valuable business information from the payload content. Customers can use this, for example, to monitor shopping cart checkouts and trigger alerts if their total value is 10 times higher than normal. Another example is watching for visitors that present dozens of invalid credit card numbers while trying to complete a purchase.

Cloudmeter Stream gives you complete control over your data by combining its capture technology with a stream computing engine. This enables you to easily configure and manage the in-memory business rules that filter, clean and aggregate your data in real-time. It also integrates with a variety of third-party products including Splunk. The end result gives these products far more detailed and valuable information to improve their accuracy in detecting APTs.

Cloudmeter Insight combines its capture technology with a cloud service you can use for analytics, alerting and session replay of web interactions. Session replay allows you to record all the content for unique visitor sessions and step through page-by-page what the visitor saw and did on your website.

ForeScout: Understanding Every Network Endpoint

As the world moves forward toward a zero-trust model for network security, it will become even more important to understand who and what is connecting to your network and information. ForeScout is designed to provide real-time visibility and enforce endpoint and access security policies on a complex network that contains many different types of devices, from servers, to laptops, to mobile devices and virtual machines.

ForeScout, founded in 2000, is able to identify and monitor anyone and anything connecting to or on a corporate network — be it wired, wireless or cloud — and to enforce policies based on the user, role, device type, configuration and security posture. If a device is rogue, in violation of a policy or acting strange, ForeScout can not only monitor and raise alerts, but also directly block or limit access and attempt to resolve the issue directly on the endpoint. For security operations teams this means being able to not only see from one console all users, devices and applications and identify problems but take action. In other words, ForeScout is also has arms and hands, not just eyes and ears.

Bring Your Own Device (BYOD) trend presents a significant security exposure. ForeScout can manage the risks of personal mobile devices (smartphones, tablets, personal WI-FI, etc.) on corporate networks by instantly identifying such devices and automatically applying policy to segregate or limit their access to resources or enroll them in a stronger endpoint security application. ForeScout will also help security operations teams gain greater insight and more rapid response to preempt and contain threats by extending interoperability between ForeScout and different network and security systems. For example, ForeScout can tell if required security software, such as encryption, a patch or anti-virus software, is not present or inactive and can install, update or reactive the software or inform management systems system as Microsoft SCCM to do so – essentially making continuous monitoring and compliance possible.

“Enterprises are challenged with supporting business agility while managing security risks due to greater network, device, access and threat complexity. Exacerbating this situation is the proliferation of BYOD device use as well as increased exposure to rogue devices, non-compliant systems and targeted attacks,” said Scott Gordon, CMO at ForeScout. “ForeScout helps organizations gain real-time operational insight, preempt threats and more rapidly respond to and contain security exposures.”

CloudPhysics: Comprehensive Vital Statistics for a Data Center

CloudPhysics provides an advanced modeling and automation environment for data centers based on VMware. By assembling all the data that is collected through the hypervisor and other virtual and physical components of the data center, CloudPhysics creates statistical models of components and systems that take the guesswork out of making decisions about provisioning. These models also hold the potential of being an excellent way of creating eyes and ears for security operations teams.

CloudPhysics offers the possibility of create a definition of the normal workload for an application or a server, router, or storage system. When an APT takes hold, it often starts increasing the work done by a server. This especially true for bot nets. Using statistical modeling, CloudPhysics makes it possible to create definitions of normal that have tremendous scope.

Follow Dan Woods on Twitter:
Follow @danwoodscito

Dan Woods is CTO and editor of CITO Research, a publication that seeks to advance the craft of technology leadership. For more stories like this one visit Dan has performed research for FireEye and Splunk, two companies mentioned in this story.

Great ! Thanks for your subscription !

You will soon receive the first Content Loop Newsletter