"…accept that while there's little guarantee of total safety, there does exist the ability to proactively act to protect what you value." Verizon DBIR 2018.
Italian economist Vilfredo Pareto discovered the 80-20 rule that serves as a general rule for gaining efficiency in a system. Data analysis is no exception: we can expect 20% of the data to generate 80% of the value for the thing being measured. In cybersecurity, this model provides a reasonable working hypothesis for alerts coming into the SOC. A 20% subset of the alerts generated might represent the vast majority of the harm and risk to the business.*
We as an industry already drive to distill each day's thousands of alerts into the critical few, primarily by assessing individual events against signatures and rules, or using a SIEM with analytics to identify relationships and patterns.
Unfortunately, current methods of prioritizing alerts are too slow, effectively guaranteeing that organizations operate in "response" mode, rather than in "intercept" mode.
Late-Stage Attack Blindness
The 2018 Verizon Data Breach Investigations Report (DBIR) tells us the typical compromise comes in minutes. And once an attacker has gained a foothold inside the environment, few enterprises can see what's happening. We call this East-West playing field the Darkspace. Attackers hide their post-compromise attack activities inside the Darkspace, including internal reconnaissance, privilege escalation, lateral movement, data exfiltration, and data and system tampering. The DBIR indicates that most exfiltrations happen within hours, but some attackers dwell longer (perhaps exporting data within normal egress traffic to avoid detection). Without the ability to detect malicious activity inside Darkspace, you are left with discovery, containment, disclosure, and mea culpas.
Critical Asset Behavioral Analysis
Is there a better way? Yes. Monitor everything inside your enterprise, but pay the most attention to activities affecting the stuff that matters most to your business and appeals most to attackers and insiders: critical assets. These are the 20% of assets that represent 80% of your risk. Continuously monitoring evolving risk to your key databases, devices, and services will help you identify and contain the most damaging attack activities. Done well (with high speed, integrated analysis, and full transaction visibility), you can act before dwell time has turned to data loss or destruction.
Summer 2018 Reveals Attackers' Secrets
While focusing on critical assets and risks isn't a new idea, making it easy is revolutionary. With the Summer 2018 release of Reveal(x), ExtraHop is proud to introduce a highly automated and integrated workflow for illuminating the Darkspace and getting your Pareto payoff. Reveal(x) works to continuously and automatically:
- Discover and classify active devices using your network (not relying on scheduled scans and CMDBs)
- Identify assets that are critical to your business based on their activities and attributes: applications used; role as web server, database, fileshare, etc.; and nature, frequency, and volume of interactions with other devices
- Baseline the behavior of these critical assets for "normal," detecting new behaviors of the asset itself and comparing to what is normal for its peers (minimizing noise and false positives)
- Correlate detections with your historical data, external threat intelligence, and a risk score to escalate key findings
- Highlight suspicious, malicious, and anomalous activities that affect these systems in an easy-to-understand lens
The above steps can all be automated easily, with low risk and high ROI in SOC efficiency. Next, humans can step in to:
- Navigate directly through the attack implications, records, relationships, and packets associated with the activity to reach root cause and identify response requirements
Finally, humans can approve an automated handoff of evidence:
- Initiate case management and response by operations/response teams, leveraging existing tools and policies where possible and automation where appropriate
New capabilities available in the Summer 2018 release contribute to the above process from discovery to disposition.
- TLS 1.3 / PFS traffic: Industry-first decryption of TLS 1.3 and Perfect Forward Secrecy encrypted traffic at up to 100 Gbps enables real-time reassembly of transactions and device auto-discovery. Decryption of approved traffic will reveal unauthorized and malicious activity, especially the increasing proportion of encrypted attack traffic.
- Dynamic classification of critical assets: Critical assets are auto-identified and proposed for behavioral analysis. Human review can re-prioritize asset categories, and Reveal(x) will auto-discover, auto-classify, and auto-analyze any new categorized assets as they use the network.
- Expanded behavioral detections: New machine learning models detect more late-stage attack behaviors including escalation of privileges on a compromised host, insiders changing behavior to become threats, and polymorphic ransomware—all prioritized based on critical asset value.
- New "Headlines" jumpstart action: Analysts and managers can monitor a visual display of prioritized and contextual changes reflecting high-risk and emerging threats, clicking swivel-free into investigation and threat hunting, and helping Tier 1 analysts perform like Tier 3 experts.
- Optional STIX support: Detections are enriched with third-party threat intelligence and prioritized in the investigation workspace for more attention.
- "Need to know" packet decryption for forensics: CISOs can maintain strong security while respecting privacy requirements by limiting packet access to specific roles.
The new release of Reveal(x) is optimized for enterprise Network Traffic Analytics (NTA), providing scale, speed, and integrated workflows devoted to creating a more efficient and effective SOC. Let us help your organization gain the Pareto Payoff: shift your focus from mostly wasted energy to detecting, containing, and mitigating activities against the most important and most at-risk assets. Get started with a deep dive into how Reveal(x) filters your critical assets and this introduction to the new features in Reveal(x) Summer 2018!
*Caveat: Clearly, the quality of your countermeasures and the time you spend tuning will affect your outcomes. The less mature you are, the more your meaningful alerts are drowning in noise.