Improved Metadata and Intelligent Packet Capture Associated with Security Alerts Provides Better Means to Visualize Scope, Severity and Conduct Event Correlation
January 17, 2018 – Columbia, Md. – Bricata, Inc., a developer of next-generation network intrusion detection and prevention solutions (IDS/P), today announced a new dashboard capability that provides security operations centers (SOCs) with greater detail about network events and the ability correlate that information with security alerts.
The latest edition of Bricata keeps a record of network transactions and associates them with security alerts to better understand which devices are communicating via what protocols and what they were doing. What this means conceptually, is that if a user downloads malware, this data helps the SOC very quickly and neatly answer critical triage questions including:
- What behavior did the user exhibit prior to the infection?
- What other network devices did the infected machine call next?
- Is this threat spreading, and if so, how and where?
“Many of the cybersecurity tools implemented today seem to treat the alert as an end, but the reality is the alert is just the beginning. It can easily take hours, sometimes even days, to collect the information necessary to discern the difference between true and false positives,” said Bricata CEO John Trauth. “What Bricata is doing is intelligently collecting just the relevant information so the SOC can quickly determine the scope and severity of a security alert.”
Research shows large enterprises, like financial services institutions, can easily have 25 or more security tools issuing in excess of 100,000 security alerts every day. Despite the promise of security analytics, security information and event correlation have proven exceedingly challenging, in the absence of session and network metadata, of the type and quality Bricata provides. This results in a deluge of alerts that overwhelm the resources of even the most sophisticated business leaving it vulnerable.
The data Bricata is providing with this latest update supports both proactive and reactive strategies for cybersecurity assurance. The network monitoring solution examines traffic traversing a corporate network inside the firewall with three different detection engines as part of a layered security defense.
Notably, it also supports proactive threat hunting, for example when Bricata detects network behavioral anomalies – an accounting server suddenly calling up a larger number of network devices than usual – its captures session level data for security personnel to easily and immediately examine as part of a rapid investigation.
Among the new features and enhancements included in this software release are the following:
1) New network metadata dashboard for threat hunting.
The dashboard provides a visualization of the data associated with a network security alert. For example, if a user downloads a file convicted as malware, the dashboard helps the SOC understand what transactions led to that user being infected – and what machines were touched in the process.
This allows enterprise security to understand the extent of an incident very quickly. If unusual traffic patterns are identified, users can search for other devices exhibiting similar behavior that may have infections that have gone undetected.
“That is the essence of threat hunting – security has a hunch it wants to investigate – and Bricata is providing a faster and more thorough way to do it,” added Trauth. “Collecting too much data becomes unwieldy, but taking an intelligent approach to data collection, makes it more accessible and searchable in the moment security needs it the most.”
2) Passive DNS monitoring.
This provides security with the means to understand the DNS information around an alert without physical integration into other IT databases. This means Bricata can both detect malware and covertly trace its origin back to the host – even if it’s a temporary domain – without notifying the perpetrator.
Previously to capture this type information, security tools would need integration with other databases, such as Active Directory, for example. The Bricata solution does not and may help resolve some of the territorial conflicts that sometimes occur in larger enterprises between security and IT operations staff.
3) Smart packet capture and backtracing.
In addition to metadata, Bricata has developed a smart packet capture (PCAP) feature to capture relevant raw data about packet transfers associated with security alerts. For example, when the solution triggers an alert for unusual network activity such as a significant but unexpected software installation or disk erase operation, it will simultaneously begin smart PCAP targeting the packets in that stream of known interest. What this PCAP provides for security in this context, is the means and workflow to immediately search packet data after receiving an alert and hunt down threats.
Bricata has also introduced network backtracing into this release. Backtracing enables users to replay previous packet captures against the current set of threat intelligence to identify incidents that would only be visible to current threat intelligence. Now, the solution can answer “if I knew then what I know now”, what might I have discovered?
Bricata is a fast-growing network security provider breathing new innovation into the $1 billion intrusion detection and prevention market. The company raised an $8 million-dollar growth round of funding in July led by Edison Partners. This round also included a strategic investment and development agreement with In-Q-Tel, the strategic investor that accelerates the development and delivery of cutting-edge technologies to support the mission of the U.S. Intelligence Community.
Bricata has been named a “vendor to watch” by a reputable technology analyst firm in 2015 and 2016. In addition, the news organization SDxCentral recently described it as one of “10 Security Startups to Watch” in 2017.
Bricata network security solutions deliver innovative next-generation intrusion prevention, advanced threat detection and analysis, and threat hunting to enable large organizations to actively pursue and identify advanced, persistent, and coordinated attacks. A specialized component-based approach to today’s attacks has left organizations with a stack of tools to manage that provide a patchwork of uncorrelated data, leaving penetrable gaps and inconsistent security policies. The Bricata platform provides organizations with process automation, streamlining operations with the most effective, affordable solution for situational awareness and proactive threat defense, reducing complexity, dwell time and time to containment. For more information visit www.bricata.com.
media at bricata.com