SecurityWeek

Hello? Is It Metadata You’re Looking For?

When all is too much

It is all about about—

For about tells all

. . . you really need to know.

Huh? 

Okay, let me explain. When I decided to write a piece on metadata, my first thought was: How can I make this short and sweet, like metadata? My next thought: A haiku! The only problem (okay, maybe not only) was that everyone I read it aloud to had the same reaction: Huh?

An Analogy Is Worth a Thousand Haikus

So, it’s analogy time instead. And I’ll give props to Lancope for comparing metadata to a phone bill versus a phone call. It’s a good one, and I hope they don’t mind my borrowing it.

Access to a phone call provides access to a conversation. And while the content of a conversation might be very illuminating, finding the revelatory data is quite difficult and time consuming. Getting to hear a conversation requires legal right to access it, which may or may not be available. Perhaps even more important is to consider how many hours of conversation you might have to listen to before you get to the tidbits that matter—especially if you don’t know which people and, therefore, which conversations to focus on.

Now, consider the phone bill and its rich summary-level detail. You can see who’s been talking to whom, at what time, for how long, from where, to where. Everything but the content of the phone call itself. Looking at a phone bill, you can check for interesting patterns. For instance, frequent calls to the same number, calls at really odd hours or to and from unusual locations, calls that are very long . . . each of these can serve as clues that help to narrow your investigation to only those conversations that are relevant.

When you are doing security analysis, the question is, do you have the time and resources to listen to every conversation or, in the case of networks, look at all traffic continuously?

With network speeds scaling up from 10Gbps to 40Gbps and even 100Gbps—and hackers needing minutes to days to breach your network (more on this shortly)—the answer is an unequivocal NO.

Divine Approximation

In a way, metadata is also a bit like a divining rod. It helps organizations approximate where a problem exists, and is enough to tell you that a behavior is suspicious and warrants further investigation and analysis. When it points to an anomaly, sure, you still have to dig to uncover a compromise, but odds are in your favor that you’re in the right vicinity.

Use metadata to divine where you may have a problem and then, if you want to at that point, go back to Lancope’s analogy and subpoena the phone call to get the details. But do you have to, or should you, start with a time- and resource-consuming subpoena process? No, because if you’re wrong, you’re straight back to the drawing board anyway. Whereas if you start with the phone bill, you can focus your efforts and decide, as appropriate, when you want to go deeper.

No Time to Lose

Per Verizon’s 2016 Data Breach Investigations Report (DBIR), “The time to compromise is almost always days or less, if not minutes or less.” Minutes, folks, minutes. That’s all you’ve got.

While a breach doesn’t necessarily and automatically equate to data loss, it does mean your network has been infiltrated and someone is working their way toward absconding with your goods. The clock is ticking. And if your window to discover a breach and catch a crook in the act has gotten shorter, do you really want to be churning away doing analysis on gigabytes and gigabytes of information? Or do you want to be using something that helps you approximate where you have a problem faster?

If you answered yes to that last question, you might want to look at your network with new eyes because it is full of anomaly-approximating metadata. This small but mighty new security superpower helps accelerate time to detection and expedite response to breaches by feeding SIEMs, forensic solutions, and other big data security analytics solutions with NetFlow/IPFIX records, URL/URI information, SIP request information, HTTP response codes, and DNS queries—all context-rich data that doesn’t take nearly as long to churn through when identifying anomalous patterns.

Examples of what you might uncover using metadata are too many to list in full, but consider that your SIEMs can use DNS query information to find infected laptops looking for command and control servers, or infected web servers doing strange redirects. All you need is a way to harvest the metadata from your network; a good analytics tool or two to crunch through; and you’re on your way to shortening incident response time.
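As an added example that is not from the column or from any vendor’s product, here is the phone-bill style of check from the analogy above applied to network metadata: constructed NetFlow/IPFIX-like flow records (hosts and times are invented) are scanned for frequent contact with one destination, odd-hour activity and very long sessions, and, going one step beyond the text, for evenly spaced repeat contacts, the shape a host checking in with a command and control server tends to leave in the "phone bill".

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed flow summaries in a NetFlow/IPFIX-like shape (metadata only,
# no payload): timestamp, source host, destination host, duration in seconds.
FLOWS = """\
2016-05-01T02:00:05 10.0.0.7 198.51.100.9 1
2016-05-01T02:10:04 10.0.0.7 198.51.100.9 1
2016-05-01T02:20:06 10.0.0.7 198.51.100.9 1
2016-05-01T02:30:05 10.0.0.7 198.51.100.9 1
2016-05-01T09:15:00 10.0.0.8 203.0.113.20 30
2016-05-01T10:02:00 10.0.0.8 203.0.113.21 7200
2016-05-01T14:40:00 10.0.0.9 203.0.113.22 12
"""

def parse_flows(text):
    """Turn the text export into (datetime, src, dst, seconds) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, secs = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(secs)))
    return rows

def flag_flows(text, repeat_min=4, long_secs=3600, odd_hours=range(0, 6)):
    """Apply the 'phone bill' checks to flow metadata and return a sorted
    list of (src, dst, reason) findings for an analyst to dig into."""
    findings = set()
    by_pair = defaultdict(list)
    for ts, src, dst, secs in parse_flows(text):
        by_pair[(src, dst)].append(ts)
        if ts.hour in odd_hours:          # calls at really odd hours
            findings.add((src, dst, "odd-hours"))
        if secs >= long_secs:             # calls that are very long
            findings.add((src, dst, "very-long"))
    for (src, dst), stamps in by_pair.items():
        if len(stamps) >= repeat_min:     # frequent calls to the same number
            findings.add((src, dst, "frequent-same-destination"))
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            # Near-constant spacing between contacts is the beaconing pattern
            # an automated check-in to a command and control server leaves.
            if pstdev(gaps) < 0.05 * (sum(gaps) / len(gaps)):
                findings.add((src, dst, "regular-interval"))
    return sorted(findings)

if __name__ == "__main__":
    for src, dst, reason in flag_flows(FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

Each finding is only a pointer to which "conversation" to pull next; confirming a compromise still means going to the packets or host for that pair.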

In a world of big data and big compromise, sometimes it’s the little things that can mean the most. When there’s no time to lose, why not turn to the power of metadata to lessen the burden on security tools and uncover threats faster?

Remember . . .

When all is too much

It is all about about—

For about tells all

. . . you really need . . . to know more about how to better secure your business.
