Patrolling network traffic with SecBI

SecBI's new software aims to remove two obstacles to using traffic analysis in cybersecurity: turning enormous volumes of log data into actionable threat intelligence, and the reliance on network tap hardware. Here's how it works.

Network traffic analysis tools have long been used to improve the efficiency of enterprise networks: finding unused capacity and bandwidth and eliminating chokepoints. More recently they have also been put to work in cybersecurity. That makes sense: apart from insider threats, an attack is initiated and ultimately controlled from outside the network, so the command-and-control communication between malware on an internal host and its operators on the outside crosses the network, where traffic analysis tools can capture it.

The problem is that while the logic of using traffic analysis for security is sound, the reality is messier. First, even a small or medium-sized enterprise generates three or four billion traffic log entries per month; without automated help, no human can wade through that and find anything meaningful. Second, capturing all that traffic has traditionally required installing network taps at gateways across the network. For an organization with branch offices or remote locations, the number of tap installations can climb quickly, and even then some traffic may bypass those gateways entirely.

SecBI has fielded new software that aims to address both problems: processing data at volume into actionable threat intelligence, and the reliance on network tap hardware. It does this by packaging the analyzer as a software module that runs either on premises or in the cloud. The analyzer works only on log files, so there is no need for network taps, agents on the clients, or anything beyond access to the log files the network already generates constantly. It then crunches the billions of events in those logs with finely tuned algorithms that look for patterns associated with an ongoing attack or an advanced persistent threat (APT). It can be bought on a pay-as-you-go contract, with customers paying only for the gigabytes of log data they need processed per day.
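The kind of pattern an analyzer like this hunts for in plain log files is illustrated below with an added example that is not SecBI's code and not part of the original article: a small Python beacon detector run over a constructed set of web-proxy log lines (the log format, hosts, byte counts and timings are all invented for the example). It groups connections by source and destination and flags pairs whose connection intervals are suspiciously regular, the periodic "check-in" rhythm that malware command-and-control channels tend to show, while skipping lines it cannot parse.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of web-proxy log lines: "<timestamp> <source host> <destination> <bytes>".
# Invented for this example; the hosts, timings and one deliberately truncated line are not real data.
SAMPLE_LOG = """\
2023-04-01T10:00:00 10.0.1.15 cdn.example-update.net 1240
2023-04-01T10:00:03 10.0.1.22 intranet.corp.local 8820
2023-04-01T10:01:00 10.0.1.15 cdn.example-update.net 1238
2023-04-01T10:01:30 10.0.1.22 news.example.org 44120
2023-04-01T10:02:00 10.0.1.15 cdn.example-update.net 1241
2023-04-01T10:02:30 10.0.1.22
2023-04-01T10:03:00 10.0.1.15 cdn.example-update.net 1239
2023-04-01T10:04:00 10.0.1.15 cdn.example-update.net 1240
2023-04-01T10:04:17 10.0.1.22 news.example.org 1200
2023-04-01T10:05:00 10.0.1.15 cdn.example-update.net 1242
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production pipeline would count and report unparsable lines
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def find_beacons(events, min_events=5, max_jitter=0.2):
    """Return (src, dst) pairs whose connection timing looks like periodic beaconing.

    Regularity is scored as the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections; pairs at or below max_jitter are flagged.
    min_events avoids scoring pairs with too few connections to judge.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in events:
        by_pair[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), conns in by_pair.items():
        if len(conns) < min_events:
            continue
        conns.sort()  # timestamps first, so this orders connections chronologically
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second; not a timing pattern we can score
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(conns),
                "mean_interval_s": avg,
                "jitter": jitter,
                "mean_bytes": mean(size for _, size in conns),
            })
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['mean_interval_s']:.0f}s (jitter {hit['jitter']:.2f}), "
              f"~{hit['mean_bytes']:.0f} bytes each")
```

Two practitioner caveats follow from the approach. Because it works only on logs, it sees only what the proxies and firewalls actually record, so an unlogged network segment is invisible to it. And legitimate software updaters and monitoring agents also poll on fixed schedules, so regular intervals alone produce candidates for triage, not verdicts; a real analyzer layers jitter tolerance, byte-size uniformity, destination reputation and allowlists on top of this basic check.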

To test SecBI, we began working with a version of the program that had been installed locally and was collecting data from the system log files of a test network for several months. Various malware and APTs had been seeded within the test network to give us something to examine.
