06 Make it all work together
You've implemented a solution like the one outlined in the first metadata blog, and you can derive some pretty interesting results using it in a silo. Collecting network packet data, breaking it down into metadata, and applying deep packet inspection (DPI) to understand, for example, why that DNS-looking packet on port 53 was in fact botnet beaconing and not a name server lookup is extremely valuable on its own. But these solutions are just as relevant for making your other security tools more extensible, and extensibility from a technical perspective can mean improved ROI from a business perspective.
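The port 53 case above is the classic argument for DPI: the port tells you nothing, the payload does. The following is an added example (not code from the original article or from any product it describes) showing the first step such an inspection takes, checking whether bytes carried on UDP/53 are even structurally a DNS message. The sample payloads are constructed here, not captured traffic.

```python
import struct

# Constructed samples (not captured traffic): a legitimate A query and two
# payloads that merely ride on UDP/53.
def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header, one question, no other sections."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN


def _skip_name(payload: bytes, off: int):
    """Walk a DNS name starting at off; return the offset after it, or None if malformed."""
    while True:
        if off >= len(payload):
            return None
        length = payload[off]
        if length == 0:                     # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer: two bytes, ends the name
            return off + 2 if off + 2 <= len(payload) else None
        if length > 63:                     # labels are limited to 63 octets
            return None
        off += 1 + length


def looks_like_dns(payload: bytes) -> bool:
    """True if the payload parses as a DNS header plus a sane question section."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 5 or flags & 0x0040:        # unknown opcode, or reserved Z bit set
        return False
    if qdcount == 0 or qdcount > 8:         # real traffic carries one question
        return False
    off = 12
    for _ in range(qdcount):
        off = _skip_name(payload, off)
        if off is None or off + 4 > len(payload):   # QTYPE + QCLASS must follow the name
            return False
        qclass = struct.unpack("!H", payload[off + 2:off + 4])[0]
        if qclass not in (1, 3, 4, 254, 255):       # IN, CH, HS, NONE, ANY
            return False
        off += 4
    return True


SAMPLES = {
    "lookup": build_query("example.com"),
    # ASCII check-in dressed up as DNS only by its destination port
    "ascii_beacon": b"BEACON|host=ws01|id=17\n",
    # plausible header, but the first label claims 48 bytes that are not there
    "truncated": struct.pack("!6H", 0xBEEF, 0x0100, 1, 0, 0, 0) + b"\x30" + b"AAAAA",
}


def triage(samples: dict) -> dict:
    """Label each port-53 payload as 'dns' or 'not-dns'."""
    return {name: ("dns" if looks_like_dns(p) else "not-dns") for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:13s} {verdict}")
```

A payload that fails this check is not automatically malicious, but it is certainly not a name server lookup, and that is the distinction a port-based view cannot make. Real DPI goes further (query names, entropy, response sizes), but it starts here.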
Consider IPS. These tools are great at generating an alert when something malicious is detected, but an alert is a bit like a photograph: a single frame. Pivoting from the alert in the IPS interface into a Security Intelligence and Analytics (SIA) solution that holds all of the raw packets and metadata is like going from a still frame to the entire movie, because it contains everything that happened before, during and after the alert. This type of integration is a must-have for the robust and cost-effective use of metadata. Integration between otherwise disparate security tools greatly reduces the time it takes to discover an incident, perform root cause analysis and remediate, which saves both time and money. Your solution should support this by keying off metadata attributes such as source and destination IPs, ports, time stamps and hundreds of other variables. Besides IPS, SIEM, log management, firewalls and anti-malware can all benefit from integration with solutions focused on raw packet collection and metadata.
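What that pivot looks like underneath is a keyed query against the metadata store: take the alert's hosts and timestamp, pull everything in a window around it, and sort the results by what they tell you. Here is an added example (mine, not from the article or any vendor's product) over constructed flow records and a constructed IPS alert; the field names and the five-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed flow-metadata records, not a real capture. Each row is one flow
# summary of the kind a packet-capture/metadata platform would store.
FLOW_RECORDS = [
    {"ts": "2016-03-01T09:40:05Z", "src": "10.1.4.22",   "dst": "203.0.113.7",   "dport": 53,    "proto": "udp", "bytes": 68},
    {"ts": "2016-03-01T09:57:31Z", "src": "10.1.4.22",   "dst": "198.51.100.10", "dport": 443,   "proto": "tcp", "bytes": 9120},
    {"ts": "2016-03-01T09:58:12Z", "src": "10.1.4.22",   "dst": "203.0.113.7",   "dport": 53,    "proto": "udp", "bytes": 71},
    {"ts": "2016-03-01T09:59:50Z", "src": "10.1.9.3",    "dst": "203.0.113.7",   "dport": 53,    "proto": "udp", "bytes": 66},
    {"ts": "2016-03-01T10:00:00Z", "src": "10.1.4.22",   "dst": "203.0.113.7",   "dport": 53,    "proto": "udp", "bytes": 1204},
    {"ts": "2016-03-01T10:00:01Z", "src": "203.0.113.7", "dst": "10.1.4.22",     "dport": 51644, "proto": "udp", "bytes": 388},
    {"ts": "2016-03-01T10:03:45Z", "src": "10.1.4.22",   "dst": "192.0.2.44",    "dport": 80,    "proto": "tcp", "bytes": 2210},
    {"ts": "2016-03-01T10:12:00Z", "src": "10.1.4.22",   "dst": "203.0.113.7",   "dport": 53,    "proto": "udp", "bytes": 70},
]

# Constructed IPS alert: the "photograph" we are pivoting from.
IPS_ALERT = {"ts": "2016-03-01T10:00:00Z", "src": "10.1.4.22", "dst": "203.0.113.7",
             "dport": 53, "sig": "suspicious DNS beacon pattern"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def pivot(alert: dict, records: list, before=timedelta(minutes=5), after=timedelta(minutes=5)) -> dict:
    """Key off the alert's hosts and time to pull the surrounding 'movie' from the store."""
    t0 = parse_ts(alert["ts"])
    lo, hi = t0 - before, t0 + after
    pair = {alert["src"], alert["dst"]}

    window = sorted((r for r in records if lo <= parse_ts(r["ts"]) <= hi), key=lambda r: r["ts"])

    # The alerted conversation itself, in either direction (request and reply).
    same_pair = [r for r in window if {r["src"], r["dst"]} == pair]
    # What else the alerted host did in the window (staging, follow-on downloads).
    host_other = [r for r in window if alert["src"] in (r["src"], r["dst"]) and {r["src"], r["dst"]} != pair]
    # Who else talked to the same peer: the first hint the incident is wider than one host.
    peer_other = [r for r in window if alert["dst"] in (r["src"], r["dst"]) and alert["src"] not in (r["src"], r["dst"])]

    def phase(r):
        t = parse_ts(r["ts"])
        return "before" if t < t0 else "after" if t > t0 else "during"

    phases = {"before": 0, "during": 0, "after": 0}
    for r in same_pair:
        phases[phase(r)] += 1

    return {"same_pair": same_pair, "host_other": host_other, "peer_other": peer_other, "phases": phases}


if __name__ == "__main__":
    result = pivot(IPS_ALERT, FLOW_RECORDS)
    for bucket in ("same_pair", "host_other", "peer_other"):
        print(bucket)
        for r in result[bucket]:
            print(f"  {r['ts']} {r['src']} -> {r['dst']}:{r['dport']} {r['bytes']}B")
    print("phases", result["phases"])
```

The three buckets are the questions an analyst asks in order: what did this conversation look like before the signature fired, what else did the host do, and who else is talking to that peer. The second host in the window (10.1.9.3 in the constructed data) is exactly the kind of detail a single IPS alert would never surface.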
07 Make what I've got better
We have covered collecting data, applying DPI, and deriving value through integration across our security ecosystem. But we can still make it better through enrichment.
The data becomes even more valuable when you take advantage of reputation information for IPs, URLs, domains and the like, file blacklisting and whitelisting, and even anti-malware capabilities. Regardless of which metadata solution you use, enriching metadata with cloud-based threat intelligence is imperative to getting the most out of it. Otherwise you are only as good as what you see on your own wire, instead of getting the network effect of what potentially millions of users are seeing around the globe.
08 Use machines to make my humans better
The solution providing the metadata should do much of the heavy lifting when it comes to firing alerts on suspicious discoveries. This is usually done through a combination of correlation, anomaly detection and pattern discovery.
It should also be designed to support detailed, easy-to-follow visualization that draws an analyst's eye to potential areas of interest. Workflow is another factor: the analysis experience should be tuned to the natural process an investigator follows and, more generally, let things happen in a single click instead of four. Robust machine-based analytics complemented by a streamlined human interface ensures that big data doesn't get the best of your solution and that the metadata is actually usable.
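One concrete piece of the "pattern discovery" the machines should do for you is beacon detection: malware checking in on a timer produces connection intervals far more regular than any human-driven traffic. The following is an added example (not from the article or any product it mentions) that groups a constructed connection log by source, destination and port and flags pairs whose inter-arrival times are nearly constant. The 6-event minimum and 10 percent coefficient-of-variation threshold are assumptions to tune for your own network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log (timestamps in epoch seconds), not real traffic.
# First group: a check-in roughly every 300 s with a little jitter.
# Second group: ordinary bursty browsing to one site. Third: too few events to judge.
CONNECTIONS = (
    [{"src": "10.1.4.22", "dst": "203.0.113.7",   "dport": 53,  "ts": t} for t in (0, 300, 602, 899, 1201, 1500, 1799)]
    + [{"src": "10.1.4.22", "dst": "198.51.100.10", "dport": 443, "ts": t} for t in (0, 4, 90, 91, 400, 2000, 2010)]
    + [{"src": "10.1.9.3",  "dst": "192.0.2.44",    "dport": 80,  "ts": t} for t in (10, 700)]
)


def beacon_score(timestamps, min_events: int = 6):
    """Summarise how periodic a series of connection times is.

    Returns None when there is not enough data; otherwise the event count, the
    mean period and the coefficient of variation (stddev / mean) of the gaps.
    A cv near 0 means the gaps are all the same length, i.e. a timer.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return {"events": len(ts), "period_s": round(mu, 1), "cv": round(pstdev(gaps) / mu, 3)}


def find_beacons(conns, max_cv: float = 0.1, min_events: int = 6) -> dict:
    """Group connections by (src, dst, dport) and return the pairs that look like beacons."""
    by_key = defaultdict(list)
    for c in conns:
        by_key[(c["src"], c["dst"], c["dport"])].append(c["ts"])
    hits = {}
    for key, stamps in by_key.items():
        score = beacon_score(stamps, min_events)
        if score and score["cv"] <= max_cv:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for (src, dst, dport), score in find_beacons(CONNECTIONS).items():
        print(f"{src} -> {dst}:{dport}  every ~{score['period_s']}s over {score['events']} events (cv={score['cv']})")
```

The caveat a practitioner will raise immediately: attackers add random sleep jitter precisely to defeat this, which widens the spread of gaps. In practice you bucket the gaps or look at the distribution rather than a single cv number, and you let the analyst see the timeline, which is where the visualization point above comes in.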
09 Explain to my boss what I've found
Security analysts like reports – management loves them. Even the best solution within your metadata arsenal won't be as valuable if it isn't able to generate both technical and summarized reports of discoveries. Both business leaders and technical leaders alike can benefit from reporting.
Regardless of the metadata solution being leveraged, ensure that reporting can be both general and specific, even to the point of generating a report on the metadata for a specific file, file type, IP address, URL, user, etc.
You have controls for prevention. They are 100 percent necessary, but they don't scale and must be augmented by incident detection and response. Metadata provides an analytical platform for detection that, in turn, can be leveraged to quickly mount a targeted response through automated or human-assisted processes.
Once a preventative control like a proxy, firewall or IPS has been updated with a new rule, policy or signature, many solutions, such as those used for big data analytics, can take the stored raw packet data and replay it back through the preventative controls for assurance testing: you confirm that the new rule actually catches the traffic from the incident, and you see what legitimate traffic it would also have blocked. When considering metadata solutions, make sure you consider use cases beyond monitoring and analysis; they can be extremely useful for incident response.
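The replay step is essentially a regression test for a rule: run the stored traffic through the old control and the new one, and report what the new rule catches, what it still misses, and what collateral it introduces. Here is an added example (mine, not the article's or any product's) that does this over constructed stored flow records and two constructed rules; the record fields, the approved-resolver list and the rule logic are all assumptions standing in for whatever your firewall or IPS actually evaluates.

```python
# Constructed stored flow records from the incident window, not a real capture.
STORED = [
    {"id": 1, "src": "10.1.4.22", "dst": "203.0.113.7",   "dport": 53, "proto": "udp", "bytes": 1204},  # known bad: the C2 seen in the alert
    {"id": 2, "src": "10.1.4.22", "dst": "203.0.113.9",   "dport": 53, "proto": "udp", "bytes": 1190},  # known bad: fallback C2 found in forensics
    {"id": 3, "src": "10.1.4.22", "dst": "10.1.0.53",     "dport": 53, "proto": "udp", "bytes": 71},    # legitimate internal resolver
    {"id": 4, "src": "10.1.9.3",  "dst": "10.1.0.53",     "dport": 53, "proto": "udp", "bytes": 68},
    {"id": 5, "src": "10.1.9.3",  "dst": "192.0.2.44",    "dport": 80, "proto": "tcp", "bytes": 2210},
    {"id": 6, "src": "10.1.2.8",  "dst": "198.51.100.53", "dport": 53, "proto": "udp", "bytes": 64},    # benign host using an outside resolver
]

# Record ids the investigation established as malicious (constructed).
KNOWN_BAD = {1, 2}
# Assumed policy input: the resolvers hosts are supposed to use.
APPROVED_RESOLVERS = {"10.1.0.53"}


def old_rule(r: dict) -> bool:
    """The first reaction: block the single C2 address from the alert."""
    return r["dst"] == "203.0.113.7"


def new_rule(r: dict) -> bool:
    """The broader fix: only approved resolvers may be spoken to on port 53."""
    return r["dport"] == 53 and r["dst"] not in APPROVED_RESOLVERS


def replay(records: list, rule, known_bad: set) -> dict:
    """Replay stored traffic through a rule and score it against what we know was bad.

    caught:     known-bad records the rule blocks
    missed:     known-bad records that still get through
    collateral: records the rule blocks that were never part of the incident
    """
    hits = {r["id"] for r in records if rule(r)}
    return {
        "caught": sorted(hits & known_bad),
        "missed": sorted(known_bad - hits),
        "collateral": sorted(hits - known_bad),
    }


if __name__ == "__main__":
    for name, rule in (("old_rule", old_rule), ("new_rule", new_rule)):
        print(name, replay(STORED, rule, KNOWN_BAD))
```

In the constructed data the old rule misses the fallback C2, while the new rule catches both but also blocks host 10.1.2.8's use of an outside resolver. Whether that collateral is acceptable is a policy decision, but it is far better to learn about it from a replay than from the help desk after the rule is pushed.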
I was meeting with a government agency that stated that by leveraging these types of capabilities to enhance their network security posture, they were able to reduce the time to discover an incident and the time to remediate an incident from weeks to hours. Are any of our readers using these types of tools to improve their incident response program?
Image credit: Flickr/annarbor (CC BY 2.0)
This article is published as part of the IDG Contributor Network.