How Bro IDS can Help Security Capture Institutional Knowledge for Cyber Alert Enrichment and Better Network Traffic Analysis [#BroCon Session]

By: Bricata
save
Share and earn Cybytes
Facebook Twitter LinkedIn Email

by Bricata

The network security analyst has a vexing challenge: a prerequisite for identifying abnormal or suspicious behavior is an understanding of what normal looks like. This means identifying each device on sprawling networks – and knowing its purpose.

That knowledge provides analysts with a better sense for which machines should talk to each other, over what protocols, and what characteristics or attributes are typically associated with such connections. With that level of understanding the anomalies tend to stand out. As a result, the organization benefits from faster, and more accurate, triage of alerts.

While this sounds simple, the reality is much harder. In a mid-to-large market enterprise, the technology environment can easily consist of thousands of hosts, machines, routers and other parts that comprise the IT infrastructure.

A complicating factor is that most IT environments are dynamic. IT operations routinely adds, patches, updates, and decommission servers and other parts of the infrastructure.

Even more challenging is that more and more businesses are using a hybrid approach, where part of the infrastructure is on-premise, while the rest is cloud-based.

Retaining and Transferring Institutional Knowledge

Analysts often learn their environments as a byproduct of fulfilling their duties. Unfortunately, for many organizations, it’s also the sort of institutional knowledge that walks out the door when an analyst takes a different job. This gets expensive because research shows it costs businesses anywhere from 1.5x to 3x the salary to replace an employee.

Exactly how to retain and transfer that institutional knowledge from person-to-person, is a key challenge for security leaders too. It’s especially important today because there is a cybersecurity talent shortage. Bricata has developed a technical solution – a module in its threat detection solution– to address this problem.

The module was built using Bro IDS, which is an open source software framework for analyzing network traffic, and one of three key detection technologies embedded in the Bricata appliance. Since the module is open source, it will be presented and made available at BroCon 2018 – an annual gathering of the Bro IDS community.

The idea is to put a labeling capability at the fingertips of an analyst and within the network analysis tool, they are already using. This provides a concise way for analysts to share their knowledge about an environment. In other words, it’s using asset inventory as a means to capture knowledge about that IT environment and more importantly, the purpose of each device, box or host.

To read the entire post, please click here.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
Follow
32 Followers
About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform into a comprehensive threat detection and prevention solution to help determine the true scope and severity threats. Bricata simplifies network threat hunting by identifying hidden threats using specifically designed hunting workflows that use detailed metadata provided clearly and eases your transition from the known to unknown malicious activities in conjunction with an advanced threat detection and prevention platform which detects zero-day malware conviction.
Promoted Content
Whitepaper: Natural Network Threat Hunting Emerging as One Key to Modern Cybersecurity
Discover how a powerful network threat hunting platform built into a comprehensive IDPS solution can deliver improved protection by identifying the true scope & severity of threats in your environment.
View
181
LAYERS OF CYBERSECURITY: SIGNATURE DETECTION VS. NETWORK BEHAVIORAL ANALYSIS
Signature-based detection techniques have been used since the earliest days of security monitoring. Virus scanners used signatures to identify infected files, and the earliest intrusion detection systems(IDS) relied heavily upon signatures definitions.In previous years, these provide adequate protection until adversaries became more advanced. Bad actors
Save
Share
Facebook
Twitter
LinkedIn
Email
Like
3/21/2018
213
WHAT IS BRO? AND WHY IDS DOESN’T EFFECTIVELY DESCRIBE IT [OVERVIEW AND RESOURCES]
by BricataWhat is Bro? Bro is an open source software framework for analyzing network traffic that is most commonly used to detect behavioral anomalies on a network for cybersecurity purposes.Bro provides capabilities that are similar to network intrusion detection systems (IDS), however, thinking about Bro exclusively as an IDS doesn’t effectively describe the breadth of its capabilities. This is because Bro enables security operations ce
Save
Share
Facebook
Twitter
LinkedIn
Email
Like
5/29/2018

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel