Review: Bricata adds threat hunting to traditional IPS/IDS

Bricata offers advanced IPS/IDS protection, but also goes a step farther, adding the ability to launch threat hunts based on events, or simply anomalies.


These days, even the most basic cybersecurity defenses for any medium to large enterprise will include an intrusion prevention system (IPS) or an intrusion detection system (IDS). Even by itself, a well-tuned IPS/IDS system that is constantly monitored by security teams will catch most network problems and security breaches. However, the fact that many organizations stop there has led to an uptick in successful attacks designed specifically to operate in IDS blind spots.

Taking the next step along the cybersecurity maturity ladder is no small feat. To increase protection, most organizations struggle to add new programs and technologies such as endpoint protection platforms or deception networks. Better security also normally requires increasing IT staff, and providing them with better tools and training. Even then, new staffers and programs must be integrated into something like a security information and event management (SIEM) console, or even a full-scale network operations center, to be completely effective. It’s more like running a marathon than taking a single step towards increased protection and cyber maturity.

And that is where the Bricata platform can come into play. At its core, Bricata offers advanced IPS/IDS protection with multiple detection engines and threat feeds to defend network traffic and core assets. But it goes a step farther, adding the ability to launch threat hunts based on events, or simply anomalies. This would enable an organization to begin network-level threat hunting using the same staff and tools they are already using for IPS monitoring. It would be a good step in the right direction towards better protection without the pain of installing additional programs or re-training staff.

Bricata won’t provide complete visibility into everything happening at the far corners of the network, such as active processes running on endpoints, but it does deliver coverage of core network traffic in a more comprehensive way than most other IPS/IDS devices. When combined with its threat hunting capabilities, it can help to ferret out unknown threats that have bypassed other protections – and it can be done with existing staff using tools they are already familiar with.

Looking first at Bricata as a pure IDS system, it is deployed as a physical or virtual appliance that serves as the main collation point and user interface. This in turn links to network sensors that are deployed at network choke points to capture traffic data. While the Bricata sensors will almost always be deployed at network gateways, they can additionally be placed around core assets or internal points where network traffic flows, to give the platform visibility into lateral movement of potential threats.

The entire installation is done on-premises, and no collected traffic data ever needs to leave the network. It’s also not dependent on having an always-on connection to cloud services or external hosts, though it does regularly receive updates for its threat intelligence engine. Traffic data is stored in the appliance for 11 days by default, striking a balance between having look-back capabilities and eating up a lot of space. This also keeps the interface speedy by limiting the amount of data that can be searched when performing threat hunting. There is an option to export traffic data to external storage or the cloud, in case an organization wants to retain it longer than the appliance’s default window.

[Figure: Bricata main dashboard. Credit: John Breeden II/IDG]

The main dashboard for the Bricata platform looks like a traditional IPS/IDS system, with various alerts and warnings about events or programs that have been caught or flagged by protection engines.

In my testing, the efficiency of Bricata as an IPS/IDS with advanced capabilities was obvious. Looking at the main IPS interface, a potential threat was located in the form of a piece of suspected malware that came into the network and was downloaded onto a client. Confirming that the program was likely malicious was fairly easy. And that is where most IDS systems would stop. Administrators could purge the infected machine and move on to the next alert. However, in this case, that would not have stopped the problem.
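The pivot the review describes, from a single IDS alert on one client to a hunt across the rest of the network, is easy to show in code. The following Python is an added example written for this review, not Bricata's own logic or output: it parses a handful of constructed connection records, takes a hypothetical alert (host 10.0.1.15 fetched a suspected malware sample from 203.0.113.7), and lists every other internal host that contacted the same source within the 11-day retention window mentioned above. Records older than the window are dropped, which is exactly the look-back limit the default retention imposes; a longer hunt would have to run against exported data. Hosts, addresses, timestamps and the log format are all invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection records, one per line: timestamp, internal source,
# external destination, destination port, bytes received. These are made up for
# this example and are not Bricata sensor output.
SAMPLE_CONNECTIONS = """\
2024-03-01T08:00:00 10.0.1.15 203.0.113.7 443 18240
2024-03-02T09:12:00 10.0.1.22 203.0.113.7 443 9020
2024-03-05T11:30:00 10.0.2.40 198.51.100.9 80 512
2024-03-09T14:05:00 10.0.1.15 203.0.113.7 443 18240
2024-03-11T16:20:00 10.0.3.8 203.0.113.7 443 17990
2024-02-10T10:00:00 10.0.5.5 203.0.113.7 443 18240
"""

RETENTION_DAYS = 11  # the review states the appliance keeps traffic data for 11 days by default


def parse_connections(text):
    """Parse the whitespace-separated sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def hunt_from_alert(records, alert_host, alert_dst, as_of, retention_days=RETENTION_DAYS):
    """Pivot from one IDS alert (alert_host fetched something from alert_dst) to
    every other internal host that talked to the same destination inside the
    retention window ending at as_of. Returns {host: [records]}.

    Records older than the window are skipped, mirroring the look-back limit of
    the default retention; anything older would have to come from exported data.
    """
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    window_start = as_of - timedelta(days=retention_days)
    related = defaultdict(list)
    for rec in records:
        if rec["dst"] != alert_dst or rec["src"] == alert_host:
            continue
        if not window_start <= rec["ts"] <= as_of:
            continue
        related[rec["src"]].append(rec)
    return dict(related)


def summarize(related):
    """Per-host connection count and total bytes, largest transfer first, so the
    analyst can triage the hosts most likely to have pulled the same payload."""
    rows = [(host, len(recs), sum(r["bytes"] for r in recs))
            for host, recs in related.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_CONNECTIONS)
    # Hypothetical alert: 10.0.1.15 downloaded a suspected malware sample from
    # 203.0.113.7; the hunt is run on 2024-03-12, three days after the alert.
    hits = hunt_from_alert(conns, "10.0.1.15", "203.0.113.7", "2024-03-12T10:00:00")
    for host, count, total in summarize(hits):
        print(f"{host}: {count} connection(s), {total} bytes from the same source")
```

With the constructed data, the hunt surfaces 10.0.1.22 and 10.0.3.8 as additional hosts that reached the same source; 10.0.5.5 also contacted it, but a month earlier, outside the 11-day window, so it only shows up if the older data was exported and searched separately. Purging only the alerting client, as the review notes most IDS workflows would, leaves those two hosts untouched.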
