19 Jun This Independent Cybersecurity Product Review Doubles as an Outline for How to Start Threat Hunting with Existing Tools and Skills
Not long ago we had the opportunity to submit the Bricata product for a review that was published on CSO (Review: Bricata adds threat hunting to traditional IPS/IDS). The reviewer, John Breeden II, has a long list of reviews he’s completed for the publication.
But that’s not all.
For those that have been around the cybersecurity community in the greater Washington, DC area for a while, Mr. Breeden previously ran the lab at Government Computer News for the better part of 15 years. It’s pretty obvious he has looked under the hood, or so to speak, of a lot of technology tools and excels at distilling what these tools do in a simple and concise manner.
5 Takeaways from an Independent Product Review of Bricata
It’s because of his experience, we find this review doubles as a useful reference for security organizations seeking to improve processes and skills too. Indeed, this review serves as more than just a demonstration of product capabilities – it also serves as an outline for how a security operations center (SOC) can begin hunting threats with a familiar tool the staff already know and use.
Below are five points from the review that we believe merit highlighting, along with some additional commentary and links to additional resources.
1) Cybersecurity is an arms race that demands re-invention.
A classic intrusion prevention system (IPS) or intrusion detection system (IDS) solves somewhere around 80% of the problems. These are the known threats, that is the threats for which there are signatures. As the review notes:
“IPS/IDS system that is constantly monitored by security teams will catch most network problems and security breaches. However, the fact that many organizations stop there has led to an uptick in successful attacks designed specifically to operate in IDS blind spots.”
It’s those blind spots that cause the other 20% of the problems, which are more sophisticated in nature. This evolution is an arms-race that strains budgets, drives process re-engineering, the need for skill development, and yes, the demand for modern security tools. As the review points out:
“…most organizations struggle to add new programs and technologies such as endpoint protection platforms or deception networks. Better security also normally requires increasing IT staff and providing them with better tools and training.”
Staffing goes hand-in-hand with training because when an organization acquires major new tools to ward off emerging threats, this typically requires skill development as well. This is one of the problems Bricata is helping to solve because it has been engineered to be easy-to-use.
- The Risk of Overconfidence in the Cybersecurity Perimeter
- 3 Golden Opportunities to Mitigate Network Cyber Attacks
- 4 Considerations for Evaluating an Intrusion Detection System
2) Advancing process maturity across the security organization.
If you watch the same movie twice, chances are the second time around you’ll notice details you missed during your first viewing. This is because you had a new perspective. Bricata also looks at threats from a different perspective, but it does this simultaneously with three different detection engines. In his review, Mr. Breeden wrote:
“At its core, Bricata offers advanced IPS/IDS protection with multiple detection engines and threat feeds to defend network traffic and core assets. But it goes a step farther, adding the ability to launch threat hunts based on events or simply anomalies. This would enable an organization to begin network-level threat hunting using the same staff and tools they are already using for IPS monitoring.”
Those three engines include: a) signature analysis (Suricata); b) network behavioral anomalies (Bro); and c) a malware conviction engine (Cylance). The product comes with a threat intelligence subscription baked-in, so the core of detection (and prevention) provided is already powerful and valuable, even before we get into a threat hunting:
“…it does deliver coverage of core network traffic in a more comprehensive way than most other IPS/IDS devices. When combined with its threat hunting capabilities, it can help to ferret out unknown threats that have bypassed other protections – and it can be done with existing staff using tools they are already familiar with.”
This is an important point because it is very easy to launch into a network threat hunt from the IDS. It’s a tool the organization already needs and has, and since the staff already know how to use it, and they can begin network threat hunting right from the same console.
A lot of organizations think this is difficult, but Bricata endeavors to simplify the process. As Mr. Breeden noted in his review:
“Anyone familiar with how the IPS/IDS part of the console works will have little trouble becoming a competent threat hunter. Only minimal training would be required, if that.”
It’s possible to also use this as a training tool. One security leader we interviewed recently described how he used threat hunting as a professional development tool. Under the mentorship of a senior analyst, the team carves out a few hours to conduct one threat hunt each week. As a result, the organization is finding threats – and sharpening the team’s skill set.
- Snort, Suricata and Bro: 3 Open Source Technologies for Securing
- Layers of Cybersecurity: Signature Detection vs. Network Behavioral Analysis
- Threat Hunting is an Imperative Despite Challenges in Definitions, Data and Skills
3) Understanding how Bricata is deployed.
Bricata is a sensor that is deployed at a central point or points within a network. This is strategic placement from which the device can monitor traffic traversing the network.
“Looking first at Bricata as a pure IDS system, it is deployed as a physical or virtual appliance that serves as the main collator point and user interface. This, in turn, links to network sensors that are deployed at network choke points to capture traffic data.”
We’d point out that this strategic placement has become increasingly important as the capacity for threats to spread laterally – WannaCry and Petya – have emerged. We’ll have a bit more on that later, but the key is this:
“The entire installation is done on-premises, and no collected traffic data ever need to leave the network.”
This is important to some vertical markets, such as healthcare for example. With the advent of electronic health records (EHR), healthcare organizations are required to take steps to protect personal health information (PHI) among personally identifiable information (PII). If a security tool ships data elsewhere, then it may become an added step in the compliance process, which Bricata simplifies by performing the analysis on the device.
- 3 Emerging Healthcare Security Challenges
- Morphing Network Security: 5 Takeaways from an SC Media Webinar
- New Vulnerability? Begin Change Management to Patch and Start Monitoring…
4) How Bricata mitigates the threat of lateral spread.
As the review notes, many traditional IDS devices simply confirm the presence of malware and enable security to purge the system. However, the last few years have shown that once inside, threats don’t stop but seek to expand the footprint by spreading laterally.
What’s even more dangerous about this is that such a spread used to require a click or some action either by accident, ruse or intention, from the user. Modern malware can spread with little or no user interaction. Here’s how the review describes the Bricata capability to address lateral spread:
“Bricata was able to show that a few seconds after landing on the client, the malware began beaconing out to other systems in the network. The Bricata sensors detected lateral movement that would have been invisible to most IPS consoles. The malware had in fact replicated onto other systems, so chasing down and purging it from the initial system would not have done much good. Bricata was able to detect this because of the traffic generated by that lateral movement, recorded by the internal sensors – and it could do it without having an agent on the endpoint itself.”
- Write This Down. What Did We Learn From Petya And WannaCry?
- Maslow’s hierarchy of needs for incident response
- Threat Trends: Nation State Capabilities for the Casual Adversary
5) Deep packet inspection, data sharing and backtesting.
Naturally, Bricata provides deep packet inspection, but a key philosophy of the business is that the data collected is the intellectual property of the customer. Therefore, the product enables an organization to export data to other tools it may wish to use to analyze the data:
“Other Bricata hunting tools enable deep packet inspection and even the downloading of the actually suspected malware for additional testing with antivirus, sandboxing or other external tools.”
New threats emerge continuously and it’s not uncommon for an organization to learn of a threat, and a way to identify it after it already slipped through the defense. One way to hunt for such threats is to run new threat intelligence information against recorded data:
“A back-testing feature even enables discovered threats to be run against historical data to see if they would have been able to slip past previously unpatched defenses.”
In order to do this the device stores data – but not too much and not too little:
“Traffic data is stored in the appliance for 11 days by default, striking a balance between having look-back capabilities and eating up a lot of space. This also keeps the interface speedy by limiting the amount of data that can be searched when performing threat hunting. There is an option to export traffic data to external storage or the cloud, in case an organization wants to keep it longer than Bricata stores everything.”
- 3 Use Cases in Network Security for Threat Hunting
- Bricata Unveils New Network Security Dashboard for Alert Triage and Threat Hunting
- The value of 20/20 hindsight in cybersecurity
Improving Organizational Sophistication and Maturity
The idea behind simplifying network threat hunting is straightforward: a modern IDS that protects against threats known, unknown, and that also provides a way to hunt down those that are hiding:
“Organizations that want to improve their cybersecurity maturity, but don’t know how to grasp such a high bar as institutionalized threat hunting, could instead consider installing the Bricata IPS/IDS platform. Not only will that enable extremely robust intrusion protection, but can act as a gateway for threat hunting activities, allowing users to train themselves as they work at doing their everyday tasks, and protecting networks from both known and unknown threats.”
The full review is well worth a read and is available at the link at the beginning of this post. Should you be interested in reviewing the technology first hand, please click here to schedule a live demo.
If you enjoyed this post, you might also like:
6 Ways Modern Threat Detection Keeps the Enterprise Ahead of Cybersecurity Trends