Security Experts:

Hello? Is It Metadata You're Looking For?

When all is too much

It is all about about—

For about tells all

. . . you really need to know.

Huh? 

Okay, let me explain. When I decided to write a piece on metadata, my first thought was: How can I make this short and sweet, like metadata? My next thought: A haiku! The only problem (okay, maybe not only) was that everyone I read it aloud to had the same reaction: Huh?

An Analogy Is Worth a Thousand Haikus

So, it’s analogy time instead. And I’ll give props to Lancope for comparing metadata to a phone bill versus a phone call. It’s a good one, and I hope they don’t mind my borrowing it.

Access to a phone call provides access to a conversation. And while the content of a conversation might be very illuminating, finding the revelatory data is quite difficult and time consuming. Getting to hear a conversation requires legal right to access it, which may or may not be available. Perhaps even more important is to consider how many hours of conversation you might have to listen to before you get to the tidbits that matter—especially if you don’t know which people and, therefore, which conversations to focus on.

Now, consider the phone bill and its rich summary-level detail. You can see who’s been talking to whom, at what time, for how long, from where, to where. Everything but the content of the phone call itself. Looking at a phone bill, you can check for interesting patterns. For instance, frequent calls to the same number, calls at really odd hours or to and from unusual locations, calls that are very long . . . each of these can serve as clues that help to narrow your investigation to only those conversations that are relevant.

When you are doing security analysis, the question is, do you have the time and resources to listen to every conversation or, in the case of networks, look at all traffic continuously?

With network speeds scaling up from 10Gbps to 40Gbps and even 100Gbps—and hackers needing minutes to days to breach your network (more on this shortly)—the answer is an unequivocal NO.

Divine Approximation

In a way, metadata is also a bit like a divining rod. It helps organizations approximate where a problem exists, and is enough to tell you that a behavior is suspicious and warrants further investigation and analysis. When it points to an anomaly, sure, you still have to dig to uncover a compromise, but odds are in your favor that you’re in the right vicinity.

Using metadata to divine where you may have a problem and then, if you want at that point, you can, to go back to Lancope’s analogy, subpoena the phone call and get the details for more information. But do you have to or should you start with a time- and resource-consuming subpoena process? No, because if you’re wrong, you’re straight back to the drawing board anyway. Whereas if you start with the phone bill, you can focus your efforts and decide, as appropriate, when you want to go deeper.

No Time to Lose

Per the Verizon’s 2016 Data Breach Investigations Report (DBIR), “The time to compromise is almost always days or less, if not minutes or less.” Minutes, folks, minutes. That’s all you’ve got.

While a breach doesn’t necessarily and automatically equate to data loss, it does mean your network has been infiltrated and someone is working their way toward absconding with your goods. The clock is ticking. And if your window to discover a breach and catch a crook in the act has gotten shorter, do you really want to be churning away doing analysis on gigabytes and gigabytes of information? Or do you want to be using something that helps you approximate where you have a problem faster?

If you answered yes to that last question, you might want to look at your network with new eyes because it is full of anomaly-approximating metadata. The small but mighty new security super power helps accelerate time to detection and expedite response to breaches by feeding SIEMs, forensic solutions, and other big data security analytics solutions with NetFlow/IPFIX records, URL/URI information, SIP request information, HTTP response codes, and DNS queries—all context-rich data that doesn’t take nearly as long to churn through in identifying anomalous patterns. 

Examples of what you might uncover using metadata are too many to list in full, but consider that your SIEMs can use DNS query information to find infected laptops looking for command and control servers, or infected web servers doing strange redirects. All you need is a way to harvest the metadata from your network; a good analytics tool or two to crunch through; and you’re on your way to shortening incident response time.

In a world of big data and big compromise, sometimes it’s the little things that can mean the most. When there’s no time to lose, why not turn to the power of metadata to lessen the burden on security tools and uncover threats faster?

Remember . . .

When all is too much

It is all about about—

For about tells all

. . . you really need . . . to know more about how to better secure your business.

view counter
Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings. Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems. Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a B.S. in Electrical Engineering from the University of Maryland.