by Bricata
The network security analyst has a vexing challenge: a prerequisite for identifying abnormal or suspicious behavior is an understanding of what normal looks like. This means identifying each device on sprawling networks – and knowing its purpose.
That knowledge gives analysts a better sense of which machines should talk to each other, over what protocols, and what characteristics or attributes are typically associated with such connections. With that level of understanding, the anomalies tend to stand out, and the organization benefits from faster and more accurate triage of alerts.
While this sounds simple, the reality is much harder. In a mid-to-large enterprise, the technology environment can easily consist of thousands of hosts, routers and other components that make up the IT infrastructure.
A complicating factor is that most IT environments are dynamic. IT operations routinely adds, patches, updates and decommissions servers and other parts of the infrastructure.
Even more challenging is that more and more businesses are using a hybrid approach, where part of the infrastructure is on-premises while the rest is cloud-based.
Retaining and Transferring Institutional Knowledge
Analysts often learn their environments as a byproduct of fulfilling their duties. Unfortunately, for many organizations, it’s also the sort of institutional knowledge that walks out the door when an analyst takes a different job. This gets expensive because research shows it costs businesses anywhere from 1.5x to 3x the salary to replace an employee.
Exactly how to retain and transfer that institutional knowledge from person to person is a key challenge for security leaders too. It is especially important today because of the cybersecurity talent shortage. Bricata has developed a technical solution, a module in its threat detection solution, to address this problem.
The module was built using Bro IDS (the project has since been renamed Zeek), an open source software framework for analyzing network traffic and one of three key detection technologies embedded in the Bricata appliance. Since the module is open source, it will be presented and made available at BroCon 2018, the annual gathering of the Bro IDS community.
The idea is to put a labeling capability at the fingertips of an analyst, inside the network analysis tool they are already using. This gives analysts a concise way to share their knowledge about an environment. In other words, it uses asset inventory as a means to capture knowledge about the IT environment and, more importantly, the purpose of each device, box or host.
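The following is an added example, written for this page; it is not Bricata's module and not Bro/Zeek script code. It shows the mechanism the post describes: an analyst-maintained inventory that attaches a label and a role to each host, used to enrich Zeek-style conn records and to decide whether a connection fits the baseline of "who should talk to whom, over what protocol" discussed at the top of the post. The inventory, the role policy, the host addresses and the conn log lines are all constructed for the example.

```python
"""Enrich Zeek-style conn records with asset labels and check them against a baseline.

Added example, not Bricata's module: the inventory, the policy and the sample
log are constructed here so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Asset:
    label: str          # free-text note an analyst would leave, e.g. "payroll DB, owner: finance"
    role: str           # coarse category the baseline policy keys on
    zone: str = "internal"


# Constructed inventory: hypothetical hosts and labels for this example only.
INVENTORY: Dict[str, Asset] = {
    "10.0.1.10": Asset("corp web front end", "web-server"),
    "10.0.2.20": Asset("payroll MySQL primary", "db-server"),
    "10.0.3.30": Asset("HR workstation", "workstation"),
    "10.0.4.40": Asset("jump host for admins", "bastion"),
}


@dataclass
class RolePolicy:
    services: Set[str]          # services this role is expected to serve
    allowed_clients: Set[str]   # roles expected to connect to it


# Constructed baseline: what "normal" looks like for each role.
POLICY: Dict[str, RolePolicy] = {
    "web-server": RolePolicy({"http", "ssl"}, {"workstation", "external"}),
    "db-server": RolePolicy({"mysql"}, {"web-server"}),
    "bastion": RolePolicy({"ssh"}, {"workstation"}),
    "workstation": RolePolicy(set(), set()),  # never expected to serve anything
}


def lookup(ip: str) -> Asset:
    """Map an address to an asset; anything not inventoried is tagged unknown."""
    return INVENTORY.get(ip) or Asset("unlabelled host", "unknown", zone="unknown")


def parse_conn_line(line: str) -> dict:
    """Parse a tab-separated subset of Zeek conn.log fields (constructed sample format):
    ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service ('-' = none)."""
    ts, orig_h, orig_p, resp_h, resp_p, proto, service = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
            "service": None if service == "-" else service}


def enrich(rec: dict) -> dict:
    """Attach originator/responder labels and roles to a parsed record."""
    o, r = lookup(rec["orig_h"]), lookup(rec["resp_h"])
    return {**rec, "orig_label": o.label, "orig_role": o.role,
            "resp_label": r.label, "resp_role": r.role}


def check_baseline(rec: dict) -> List[str]:
    """Return the reasons a connection deviates from the labelled baseline (empty = normal)."""
    rec = enrich(rec)
    reasons: List[str] = []
    if rec["resp_role"] == "unknown":
        # An unlabelled responder is itself a finding: the inventory has a gap.
        reasons.append(f"responder {rec['resp_h']} is not in the asset inventory")
        return reasons
    policy = POLICY[rec["resp_role"]]
    if rec["service"] not in policy.services:
        reasons.append(f"{rec['resp_label']} ({rec['resp_role']}) does not serve {rec['service']!r}")
    if rec["orig_role"] not in policy.allowed_clients:
        reasons.append(f"{rec['orig_label']} ({rec['orig_role']}) is not an expected client of {rec['resp_role']}")
    return reasons


# Constructed sample log: four connections, two of which break the baseline.
SAMPLE_LOG = """\
1536000000.1\t10.0.3.30\t51000\t10.0.1.10\t443\ttcp\tssl
1536000001.2\t10.0.1.10\t52000\t10.0.2.20\t3306\ttcp\tmysql
1536000002.3\t10.0.3.30\t53000\t10.0.2.20\t22\ttcp\tssh
1536000003.4\t10.0.4.40\t54000\t10.0.9.99\t445\ttcp\t-
"""


def triage(log_text: str) -> Dict[int, List[str]]:
    """Run every log line through the baseline check; keys are indexes of lines with findings."""
    findings: Dict[int, List[str]] = {}
    for i, line in enumerate(log_text.splitlines()):
        if not line.strip():
            continue
        reasons = check_baseline(parse_conn_line(line))
        if reasons:
            findings[i] = reasons
    return findings


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_LOG).items():
        print(f"line {idx}: " + "; ".join(reasons))
```

Run as written, the first two connections (workstation to web server over TLS, web server to database over MySQL) produce no findings; the third (an HR workstation opening SSH to the payroll database) is flagged on both the service and the client role, and the fourth is flagged because the responder is missing from the inventory. The last case is the practical point of keeping the inventory inside the analysis tool: a hit on an unlabelled host is a prompt for whichever analyst knows the box to label it, so the knowledge is captured where the next analyst will see it.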
To read the entire post, please click here.