How Bro IDS can Help Security Capture Institutional Knowledge for Cyber Alert Enrichment and Better Network Traffic Analysis [#BroCon Session]


by Bricata

The network security analyst has a vexing challenge: a prerequisite for identifying abnormal or suspicious behavior is an understanding of what normal looks like. This means identifying each device on sprawling networks – and knowing its purpose.

That knowledge provides analysts with a better sense for which machines should talk to each other, over what protocols, and what characteristics or attributes are typically associated with such connections. With that level of understanding the anomalies tend to stand out. As a result, the organization benefits from faster, and more accurate, triage of alerts.

While this sounds simple, the reality is much harder. In a mid-sized or large enterprise, the technology environment can easily consist of thousands of hosts, routers and other components that make up the IT infrastructure.

A complicating factor is that most IT environments are dynamic. IT operations routinely adds, patches, updates, and decommissions servers and other parts of the infrastructure.

Even more challenging is that more and more businesses are using a hybrid approach, where part of the infrastructure is on-premises while the rest is cloud-based.

Retaining and Transferring Institutional Knowledge

Analysts often learn their environments as a byproduct of fulfilling their duties. Unfortunately, for many organizations, it’s also the sort of institutional knowledge that walks out the door when an analyst takes a different job. This gets expensive because research shows it costs businesses anywhere from 1.5x to 3x the salary to replace an employee.

Exactly how to retain that institutional knowledge and transfer it from person to person is a key challenge for security leaders too. It’s especially important today because there is a cybersecurity talent shortage. Bricata has developed a technical solution – a module in its threat detection solution – to address this problem.

The module was built using Bro IDS, which is an open source software framework for analyzing network traffic, and one of three key detection technologies embedded in the Bricata appliance. Since the module is open source, it will be presented and made available at BroCon 2018 – an annual gathering of the Bro IDS community.

The idea is to put a labeling capability at the fingertips of analysts, inside the network analysis tool they are already using. This provides a concise way for analysts to share their knowledge about an environment. In other words, it uses the asset inventory as a means to capture knowledge about the IT environment and, more importantly, the purpose of each device, box or host.
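As an added illustration of the two ideas above (a baseline of which roles are expected to talk to each other, and per-host labels carried into the analyst's view of each connection), the following Python script is not Bricata's module or part of Bro; it is a stand-in written for this page. It assumes a small, constructed asset table and role baseline in place of the TSV a Bro script would load through the Input framework, and it enriches constructed conn.log-style lines (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service) with labels, then flags connections that fall outside the baseline for triage.

```python
"""Enrich Bro-style conn.log records with asset labels and check each one
against a baseline of expected role-to-role communication.

Added example for this page: the asset table, the role baseline and the
log lines below are all constructed for illustration.
"""

from dataclasses import dataclass

# Constructed asset inventory: address -> (human label, role). In a Bro
# deployment this is the knowledge an analyst would capture as labels.
ASSET_LABELS = {
    "10.0.1.10": ("dc01", "domain-controller"),
    "10.0.1.20": ("db-prod-01", "database"),
    "10.0.2.15": ("web-prod-01", "web-frontend"),
    "10.0.9.50": ("analyst-ws-07", "workstation"),
}

# Constructed baseline: (originator role, responder role, service) tuples
# that are normal for this environment. Anything else is worth a look.
EXPECTED_FLOWS = {
    ("web-frontend", "database", "mysql"),
    ("workstation", "domain-controller", "dns"),
    ("workstation", "domain-controller", "krb"),
    ("workstation", "web-frontend", "http"),
}

# Column order of the tab-separated records this script accepts.
CONN_FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service"]


@dataclass
class Enriched:
    uid: str
    orig_h: str
    resp_h: str
    service: str
    orig_label: str
    orig_role: str
    resp_label: str
    resp_role: str
    expected: bool


def label_for(ip):
    """Look up an address; hosts nobody has labeled yet stay visibly unknown."""
    return ASSET_LABELS.get(ip, ("unlabeled", "unknown"))


def enrich(line):
    """Parse one conn record, attach labels to both ends, and mark whether the
    role pair plus service is in the baseline."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(CONN_FIELDS, parts))
    orig_label, orig_role = label_for(rec["orig_h"])
    resp_label, resp_role = label_for(rec["resp_h"])
    service = rec["service"] if rec["service"] != "-" else "unknown"
    expected = (orig_role, resp_role, service) in EXPECTED_FLOWS
    return Enriched(rec["uid"], rec["orig_h"], rec["resp_h"], service,
                    orig_label, orig_role, resp_label, resp_role, expected)


def triage(lines):
    """Return the enriched records that fall outside the baseline."""
    records = (enrich(l) for l in lines if l and not l.startswith("#"))
    return [r for r in records if not r.expected]


def describe(r):
    """One-line, label-first summary an analyst can read without a lookup."""
    verdict = "expected" if r.expected else "REVIEW"
    return f"{r.uid} {r.orig_label}({r.orig_role}) -> {r.resp_label}({r.resp_role}) {r.service} [{verdict}]"


# Constructed sample records, not captured traffic.
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1535000001.10\tCa1\t10.0.9.50\t51234\t10.0.1.10\t53\tudp\tdns",
    "1535000002.20\tCb2\t10.0.2.15\t44110\t10.0.1.20\t3306\ttcp\tmysql",
    "1535000003.30\tCc3\t10.0.1.20\t40022\t203.0.113.7\t443\ttcp\tssl",
    "1535000004.40\tCd4\t10.0.9.50\t52001\t10.0.1.20\t3306\ttcp\tmysql",
]

if __name__ == "__main__":
    for flagged in triage(SAMPLE_CONN_LOG):
        print(describe(flagged))
```

Two of the four sample records are flagged: the production database opening an outbound TLS session to an unlabeled address, and an analyst workstation connecting straight to the database. Neither is detectable from addresses and ports alone; it is the labels, and the baseline built from them, that make the anomalies stand out.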


About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform with a comprehensive threat detection and prevention solution to help determine the true scope and severity of threats. Bricata simplifies network threat hunting by identifying hidden threats using specifically designed hunting workflows built on clearly presented, detailed metadata, easing the transition from known to unknown malicious activity, in conjunction with an advanced threat detection and prevention platform that convicts zero-day malware.
