The Need For Speed – The IT Top Gun

Being able to deliver a rapid response to problems is a core need for the modern enterprise. While many network “issues” can suffer a delay in response time, true problems like security breaches and network outages cannot. This where an “IT Top Gun” can really shine with fast response times to anomalies and problems that eliminate issues from the onset, or better yet, prevent them from happening.

For instance, in the case of a suspected security breach, you need know if you were actually breached or not, where the breach occurred, and what was compromised. According to the 2016 Verizon Data Breach Investigations Report (DBIR), almost 68% of breaches happen over the course of several days, so a rapid response to security threats can definitely help minimize the cost of a breach. The faster you isolate the attack vector, the faster you can limit the amount of damage to your business. However, according to the Ponemon Institute’s 2015 Cost of Cyber Crime Study, it is actually taking businesses longer to resolve cyber-attacks. It now takes an average of 46 days to resolve a cyber-attack, which is one day longer than it took last year. This also represents an increase of 30% over the last six year period and results in a corresponding increase in the cost for a cyber-attack.

The situation is also serious for network outages. According to the 2016 Cost of Data Center Outages study conducted by the Ponemon Institute, the average cost of a data center outage is $740,357 and lasts for about 95 minutes. This results in a cost of $7,793 per minute of downtime. A rapid response is needed in this situation as well to control costs and keep your mean time to repair as short as possible. 

So how does one become an IT/Network Top Gun?

What is Network Metadata?

The human view in Network Visualization!

Network Metadata is human readable data that describes your network traffic. It is generated and consumed by network traffic monitoring systems to analyse and report on network and user activity. This type of continuous monitoring is concerned with users, the apps they use and the data they access. It is generally not used for monitoring the health of the network fabric and attached devices.

The graphic below depicts some of the available technologies for continuous network traffic monitoring and how they relate to each other in terms of the information provided and the cost and complexity of implementation.

Network Metadata is used to fill the gap between the “not-enough-detail” SNMP switch port counters and “too-much-complexity, too expensive” full packet capture systems.

Optimizing Network Security with Packet Intelligence !

Enterprise security teams devote an incredible amount of resources to monitoring and defending their networks. Everyone knows there are professional grade tools that can monitor networks 24x7 providing detailed information about usage as well as enabling the in-depth examination of captured traffic once an Intrusion Detection System (IDS) has identified an activity that needs to be investigated.

Given the amount of success that attackers are having in penetrating network defenses and the deluge of alerts and alarms network teams deal with from IDS on a daily basis, enterprises are in need of better tools and training to go beyond the typical prevention, detection and response security protocols to effectively deal with incident response.

In today’s world, intelligent packet capture is the answer. Most modern forensic investigation solutions (FI) enable network security teams to capture and save a historical record of network activities that occur from the moment an attack is detected. But, one common weakness in existing forensic investigation solutions is that they don’t provide critical packet-level data from the period of time immediately BEFORE attacks are detected.

Consider this example:

How to Detect Worm with a Network Analyzer?

 The most potent threats to Network and Computer Security are worms as they have the unique ability to mimic biological like viruses. Worms can infect a host (biological or logical electronic systems like computers, phones, servers and network devices like routers, servers , controllers and switches). Once the worn has infected the device they then choose a medium to propagate to other neighboring hosts – digital devices. Most worms are malicious and generally, their intent is usually malicious, however some worms (not many) do not have malicious intent (anti-worms or helpful worms) as are designed to help find and destroy Bad or Malicious worms. An example of an Anti-worm is Welchia (Nachia worm, around 2003) which infected compromised computers and automatically began downloading the correct Microsoft security updates without the users consent. It automatically rebooted the computers, installing the security patches to fix the current exploit worm like Code Red, Blaster and Santy. Other examples of helpful anti-worms are Den_Zuko, Cheeze, CodeGreen and Mellenium and many others. However, the list of Malicious worms is very long - https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms and here is a list of malicious file extensions - http://www.file-extensions.org/filetype/extension/name/dangerous-malicious-files .

General procedures for the visualization of the propagation of a worm:

We can find many things for free in this world and a lot of them are good for what we need. We will never have an issue with free stuff. Have you ever went in to the grocery store and went to an area to find a person handing out free samples of food? Yeah, me too! Love the free food, but the goal was to tempt you to buy. The free food did not fill your fridge or cabinet's! It only did a small piece of what you needed. In most cases you get what you pay for!