Hello? Is It Metadata You’re Looking For?

When all is too much

It is all about about—

For about tells all

. . . you really need to know.


Okay, let me explain. When I decided to write a piece on metadata, my first thought was: How can I make this short and sweet, like metadata? My next thought: A haiku! The only problem (okay, maybe not only) was that everyone I read it aloud to had the same reaction: Huh?

An Analogy Is Worth a Thousand Haikus

So, it’s analogy time instead. And I’ll give props to Lancope for comparing metadata to a phone bill versus a phone call. It’s a good one, and I hope they don’t mind my borrowing it.

Access to a phone call provides access to a conversation. And while the content of a conversation might be very illuminating, finding the revelatory data is quite difficult and time consuming. Getting to hear a conversation requires the legal right to access it, which may or may not be available. Perhaps even more important is to consider how many hours of conversation you might have to listen to before you get to the tidbits that matter—especially if you don’t know which people and, therefore, which conversations to focus on.

Now, consider the phone bill and its rich summary-level detail. You can see who’s been talking to whom, at what time, for how long, from where, to where. Everything but the content of the phone call itself. Looking at a phone bill, you can check for interesting patterns. For instance, frequent calls to the same number, calls at really odd hours or to and from unusual locations, calls that are very long . . . each of these can serve as clues that help to narrow your investigation to only those conversations that are relevant.

When you are doing security analysis, the question is, do you have the time and resources to listen to every conversation or, in the case of networks, look at all traffic continuously?

With network speeds scaling up from 10Gbps to 40Gbps and even 100Gbps—and hackers needing minutes to days to breach your network (more on this shortly)—the answer is an unequivocal NO.

Divine Approximation

In a way, metadata is also a bit like a divining rod. It helps organizations approximate where a problem exists, and is enough to tell you that a behavior is suspicious and warrants further investigation and analysis. When it points to an anomaly, sure, you still have to dig to uncover a compromise, but odds are in your favor that you’re in the right vicinity.

Use metadata to divine where you may have a problem and then, if you want to at that point, go back to Lancope’s analogy and subpoena the phone call to get the details. But do you have to, or should you, start with a time- and resource-consuming subpoena process? No, because if you’re wrong, you’re straight back to the drawing board anyway. Whereas if you start with the phone bill, you can focus your efforts and decide, as appropriate, when you want to go deeper.

No Time to Lose

Per Verizon’s 2016 Data Breach Investigations Report (DBIR), “The time to compromise is almost always days or less, if not minutes or less.” Minutes, folks, minutes. That’s all you’ve got.

While a breach doesn’t necessarily and automatically equate to data loss, it does mean your network has been infiltrated and someone is working their way toward absconding with your goods. The clock is ticking. And if your window to discover a breach and catch a crook in the act has gotten shorter, do you really want to be churning away doing analysis on gigabytes and gigabytes of information? Or do you want to be using something that helps you approximate where you have a problem faster?

If you answered yes to that last question, you might want to look at your network with new eyes, because it is full of anomaly-approximating metadata. This small but mighty security superpower helps accelerate time to detection and expedite response to breaches by feeding SIEMs, forensic solutions, and other big data security analytics solutions with NetFlow/IPFIX records, URL/URI information, SIP request information, HTTP response codes, and DNS queries—all context-rich data that doesn’t take nearly as long to churn through when identifying anomalous patterns.

Examples of what you might uncover using metadata are too many to list in full, but consider that your SIEMs can use DNS query information to find infected laptops looking for command and control servers, or infected web servers doing strange redirects. All you need is a way to harvest the metadata from your network; a good analytics tool or two to crunch through; and you’re on your way to shortening incident response time.
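To make the “phone bill” patterns concrete, here is an added example (not from the original column or from Lancope or Verizon) that runs the kind of first-pass triage described above over metadata alone: NetFlow/IPFIX-style flow summaries and DNS query records. It flags the analogues of the phone-bill clues in the text (frequent contact with the same peer at regular intervals, activity at odd hours, very long sessions) plus hosts whose DNS lookups mostly fail, which is one common way an infected laptop searching for a command-and-control server shows up in query metadata. The record formats, thresholds, and all sample records are constructed for the example; a real deployment would read exported flow and resolver logs instead.

```python
"""Triage by metadata: score flow summaries and DNS query records for the
'phone bill' patterns (beaconing, off-hours activity, long flows, failed
lookups) so that deeper packet analysis can start with the right hosts.
All record formats and sample data below are constructed for this example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed NetFlow/IPFIX-like records: ts,src,dst,dport,bytes,duration_s
FLOWS = """\
2016-05-02T09:00:00Z,10.0.0.5,198.51.100.7,443,512,1
2016-05-02T09:10:00Z,10.0.0.5,198.51.100.7,443,530,1
2016-05-02T09:20:01Z,10.0.0.5,198.51.100.7,443,498,1
2016-05-02T09:30:00Z,10.0.0.5,198.51.100.7,443,505,1
2016-05-02T09:40:00Z,10.0.0.5,198.51.100.7,443,520,1
2016-05-02T09:03:00Z,10.0.0.8,203.0.113.20,443,120000,30
2016-05-02T11:47:00Z,10.0.0.8,203.0.113.21,443,8000,4
2016-05-02T03:15:00Z,10.0.0.9,192.0.2.44,22,900000,5400
"""

# Constructed DNS query records: ts,client,qname,rcode
DNS = """\
2016-05-02T09:00:05Z,10.0.0.5,kx7q2m.example,NXDOMAIN
2016-05-02T09:00:06Z,10.0.0.5,p9zt4w.example,NXDOMAIN
2016-05-02T09:00:07Z,10.0.0.5,b2nv8r.example,NXDOMAIN
2016-05-02T09:00:08Z,10.0.0.5,www.example.org,NOERROR
2016-05-02T09:01:00Z,10.0.0.8,mail.example.org,NOERROR
2016-05-02T09:02:00Z,10.0.0.8,www.example.org,NOERROR
"""


def _ts(s):
    # ISO-8601 with a trailing Z; rewrite so older Pythons parse it too
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_flows(text):
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes, dur = line.split(",")
        rows.append({"ts": _ts(ts), "src": src, "dst": dst, "dport": int(dport),
                     "bytes": int(nbytes), "duration": int(dur)})
    return rows


def parse_dns(text):
    rows = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split(",")
        rows.append({"ts": _ts(ts), "client": client, "qname": qname, "rcode": rcode})
    return rows


def find_beacons(flows, min_flows=4, max_jitter=0.1):
    """Flag (src, dst, dport) tuples contacted repeatedly at near-constant
    intervals: coefficient of variation of the inter-arrival gaps <= max_jitter.
    Returns {(src, dst, dport): period_seconds}."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = {}
    for key, stamps in groups.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


def find_odd_hours(flows, start=7, end=19):
    """Flows that begin outside the business window [start, end) UTC."""
    return [f for f in flows if not (start <= f["ts"].hour < end)]


def find_long_flows(flows, min_seconds=3600):
    """Flows lasting at least min_seconds, the 'very long call' clue."""
    return [f for f in flows if f["duration"] >= min_seconds]


def nxdomain_heavy_clients(records, min_queries=3, min_ratio=0.5):
    """Clients whose share of failed (NXDOMAIN) lookups is unusually high.
    Returns {client: ratio} for clients with enough queries to judge."""
    per = defaultdict(lambda: [0, 0])  # client -> [total, nxdomain]
    for r in records:
        per[r["client"]][0] += 1
        if r["rcode"] == "NXDOMAIN":
            per[r["client"]][1] += 1
    return {c: round(nx / tot, 2) for c, (tot, nx) in per.items()
            if tot >= min_queries and nx / tot >= min_ratio}


def triage(flow_text=FLOWS, dns_text=DNS):
    """Combine the detectors into one per-host list of reasons to look closer."""
    flows, dns = parse_flows(flow_text), parse_dns(dns_text)
    suspects = defaultdict(set)
    for (src, dst, port), period in find_beacons(flows).items():
        suspects[src].add(f"beacon to {dst}:{port} every {period}s")
    for f in find_odd_hours(flows):
        suspects[f["src"]].add(f"off-hours flow to {f['dst']}:{f['dport']}")
    for f in find_long_flows(flows):
        suspects[f["src"]].add(f"long flow ({f['duration']}s) to {f['dst']}")
    for client, ratio in nxdomain_heavy_clients(dns).items():
        suspects[client].add(f"NXDOMAIN ratio {ratio}")
    return {host: sorted(reasons) for host, reasons in suspects.items()}


if __name__ == "__main__":
    for host, reasons in triage().items():
        print(host, "->", "; ".join(reasons))
```

On the constructed data, `triage()` narrows eight flows and six queries down to two hosts: 10.0.0.5 (regular ten-minute contacts with one external address plus a 75% NXDOMAIN rate) and 10.0.0.9 (a 90-minute SSH session at 03:15 UTC). 10.0.0.8 is left alone despite moving more bytes than 10.0.0.5, which is the point of the phone-bill approach: the summary decides where full-packet review is worth the cost, not volume alone. The thresholds are illustrative and should be tuned against a baseline of the network’s own normal behaviour.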

In a world of big data and big compromise, sometimes it’s the little things that can mean the most. When there’s no time to lose, why not turn to the power of metadata to lessen the burden on security tools and uncover threats faster?

Remember . . .

When all is too much

It is all about about—

For about tells all

. . . you really need . . . to know more about how to better secure your business.
