New Bricata Software Update Tackles Security Alert Deluge and Improves Network Threat Hunting Workflows with Focus on Anomalies
Latest Product Update Provides Flexibility and Customization to Nuanced Alert Thresholds, Improves Metadata Collection Speed, Enterprise Scalability and Supports Cloud Deployments
May 23, 2018 – Columbia, Md. – Bricata, Inc., a developer of modern intrusion detection and prevention solutions (IDPS) with network threat hunting capabilities, today announced a new way for security organizations to filter security alerts and identify anomalies in network metadata. The company introduced “tagging” in its most recent product update, which introduces automated filtering based on conditions unique to a threat or to an organization. This improves the ability to distinguish the more important alerts amid the high volume and provide direction as to where best to focus threat hunting efforts.
“The tagging capability we’ve added is like a security Swiss Army knife for the enterprise because it brings a high degree of flexibility for teams to focus on the nuances important to their organization,” said Bricata CEO John Trauth. “In turn, this allows security analysts to create custom views of their environment to focus on the known threats that are truly dangerous and refine threat hunting efforts on those evolving threats for which signatures do not yet exist.”
Tagging brings to bear automated management of alerts that can be customized for specific conditions in an enterprise environment and it also provides new collaborative capabilities. The automated tagging feature can be applied both to signature-based alerts and also to those stemming from network anomalies observed in the metadata, which in turn facilitates network threat hunting.
For example, what might be a medium-level security alert for some organizations may well be deemed a higher priority for a retail organization if it lands on a point-of-sale (POS) system. The security organization can use the tagging feature to automatically elevate the severity or otherwise filter and flag alerts that meet that condition. This can also be used to de-escalate or filter out alerts an organization deems less urgent.
With respect to metadata, there may not be an alert for a new or emerging exploit; however, threat intelligence often provides ways to identify it by behavior – using a specific protocol, port, or type of network call, for example. The tagging feature provides nearly unlimited flexibility for a security analyst armed with intelligence and a hunch to select explicit parameters that elevate alerts when those conditions are met.
Since Bricata records network transaction data, automated tagging can be run against both real-time and historical data. In other words, security can check previous network communications against new threat intelligence to hunt for malicious code that previously slipped by undetected.
Tagging also provides collaborative capabilities: an analyst can create their own tags, customize them by name or color, and then drag and drop these tags over alerts they are investigating to create a common operating picture or shared view. This provides a way for analysts to annotate alerts with information they believe is important to communicate to a wider team. Any security professional with access to the central management console (CMC) can easily sort and filter alert views by selecting and clicking the tags they wish to examine.
This particular feature is aimed at helping security operations centers (SOC) manage the deluge of information about alerts and threats they receive every day. Research shows that the sheer volume of security alerts in large enterprises can easily overwhelm finite resources. For example, one analyst study found that 60% of financial services companies experience 100,000 or more alerts per day. The problem is not unique to financial services as several high-profile breaches over the years in retail and media were a direct result of malicious activity slipping through defenses amid the deluge of alerts.
The tagging feature was part of an overall product update Bricata announced today. Other improvements include an acceleration of network metadata collection specifically to support the scalability large enterprises need for deployment. In addition, Bricata began rolling out support for cloud-based deployments in Amazon Web Services (AWS) through an arrangement with Gigamon and its GigaSECURE Cloud product. This latest release comes on the heels of a new dashboard, intelligent packet capture feature, and threat hunting capabilities announced earlier this year.
Bricata is a fast-growing, venture-backed IDPS security solution provider that’s bringing new innovation to network security and providing enterprises a simple path to sophisticated threat hunting (see the review in CSO: Bricata adds threat hunting to traditional IPS/IDS). The last round of funding Bricata raised included a strategic investment and development agreement with In-Q-Tel, the strategic investor that accelerates the development and delivery of cutting-edge technologies to support the mission of the U.S. Intelligence Community.
Bricata develops modern network intrusion detection and prevention solutions (IDPS) with network threat hunting capabilities. The core platform examines threats with three different detection engines looking for malicious signatures, behavior anomalies and zero-day malware or polymorphism. Bricata also captures important metadata about network transactions which provides the security operations center with a simple way to begin hunting for threats while providing important context in the event of incident response. Bricata works well with existing security applications, scales for large organizations, and provides an affordable solution for situational awareness as part of a layered security posture that reduces complexity and the time it takes to detect and remediate threats. For more information visit bricata.com.
media at bricata-dot-com