Published on May 17th, 2017 | by Edward Amoroso
Advanced Analytics for Investigations and Enterprise Security
Today’s post was written by Dr. Edward G. Amoroso, Former SVP and CSO of AT&T, Present CEO, TAG Cyber
Collecting telemetry at line speed for analysis, management, and intelligence has always been a basic tenet of telecommunications security. Law enforcement also relies on these techniques to make our society safer and to create strong disincentives for anyone considering breaking the law using communications networks. As cyber security incidents continue to occur despite increased protection, these traditional practices are being applied to the enterprise for more proactive data breach detection and response. I recently spent time with one of the world’s experts in this field, my good friend and colleague, Faizel Lahkani, CEO of SS8. I asked Faizel to share his insights in this area, and below is a summary of our conversation:
EA: Faizel, is it getting harder to extract the right data from a network to derive useful intelligence?
FL: It certainly is harder. In the early days, networks were more predictable with point-to-point connections and hub-and-spoke architectures. It was easier to understand where traffic was going and which applications were being used, because apps were centrally hosted in the data center. Fast-forward to now, and everything has shifted to the cloud. There are now countless ways to share information, and this is giving nefarious people countless ways to exfiltrate proprietary information. The use of encryption has also confounded much of the analysis of communications resulting in opaque and hard to understand flows over a network. While these combined factors have made the challenge of connecting the dots for a cyber investigation or for breach detection exponentially more difficult, we believe this is an area where we’ve really cracked the nut at SS8 with our Protocol Extraction Engine, or what we call PXE (pronounced “pixie”). PXE is a powerful, highly optimized deep packet inspection (DPI) engine that can classify more than 1,000 protocols and perform metadata extraction for several hundred. The High-Definition Records (HDRs) we generate from the network go beyond weak indicators like port numbers to classify protocols. Instead, we use behavioral DPI including packet flow analytics to classify traffic by inspecting flows, which succeeds even if tunneling or obfuscation techniques are used.
EA: Do you think there are privacy-related showstoppers that will make it impossible for law enforcement or to gain the information it needs to catch bad guys on the Internet?
FL: It’s not impossible, but it’s certainly more difficult due to encryption. There is a fine line between detecting and observing. In the construct of enterprise, the use of encryption makes it hard to use traditional methods of detection to find and remediate breaches. This is where our years of history helping law enforcement and intelligence agencies has enabled us to build competency in understanding and mining communications to extract information that can guide on the intent of the communications. The struggle for law enforcement and intelligence is that any events of criminal activity or terrorism are based on coordination, and this coordination is over communications. Hence, when this communication goes increasingly dark, the challenges for technology become much higher. This is where we built our competency.
EA: Virtualized, software-defined networks seem to be on the rise. Are these networks making it more difficult to detect malicious activity?
FL: Virtualization has changed the game a bit, and today, is a bit of a blind spot for the enterprise. You can no longer rely on layer 3 and 4 network analysis tools such as Net Flow to understand a full picture of what’s happening. Advanced threats will jump between workloads to hide in the normal flow of communications, providing a great risk for data exfiltration. Organizations need to be inspecting traffic at the application layer and all the way up the stack. This requires running the communications analytics sensors as virtual instances. Rather than having to find the natural egress points across the network, SDN affords the opportunity to perform data collection in one place.
EA: As just about everyone shifts to mobility-accessible public cloud applications, does this change the nature of data collection and analysis?
FL: The explosion of public cloud applications in recent years has made the collection and analysis of data for cyber investigations more challenging. Everything is going over the Internet, and nearly everything is encrypted. We must now look at extracting meaningful summaries for applications running on the network, and continuously build coverage for popular mobile apps. It is this constant motion that has led SS8 to dedicate a team to understanding, mapping, and decoding the packets from these communication applications. Due to ever-increasing use of encryption, we have built advanced features that reveal useful high definition records about certain types of encrypted sessions. For example, the encrypted call detection feature in our software can pinpoint and differentiate voice and video calls over encrypted services such as Skype and Viber. Another example is with data breach investigations, where we can look at the certificate data and uncover when the signing authority does not match the source. Encryption is a challenge for deep packet inspection, and developing techniques to provide useful metadata despite encryption is a critical part of the SS8 feature set.
EA: Do you see security analytics moving in the direction of more automated solutions, rather than as toolkits for human analysts?
FL: Absolutely. Automation is essential across both cyber investigations for law enforcement, and for data breach investigations conducted by enterprise security analysts. There is no slow-down in the amount of threat intelligence coming in, but there is however, a shortage of experienced cybersecurity analysts who understand how to process the information or to even understand if it is relevant. The process of intelligence-to-action is manual today, and the goal of SS8 is to automate that. It’s the difference between ingesting new threat intelligence and manually having to connect the dots. Automation ensures that the dots are connected. It supports pinpointing an unknown suspect or device of interest so that the analyst can then determine if the dots paint a worrisome picture of a random collection. The next generation of software can take in the latest threat intelligence automatically and constantly match it against the history of high definition records from the network. As new learnings and threat discoveries occur, alarms go off about an indicator of compromise, and the suspect or device of interest is identified. As a secondary level, like seeing a known bad actor on the street, this new model of breach detection will look for further actions that make it obvious that someone needs to be called to investigate. The human element can’t go away completely, but it’s about allowing those security analysts and cyber investigators to do more with less.
EA: You seem to be moving toward enterprise breach detection. Is there any correlation between how you collect information for law enforcement and for the enterprise?
FL: It’s no secret how problematic breach detection is for today’s enterprise. It seems like there is a new headline each day about a company being breached. We’ve all seen the numbers: breaches going undetected for more than 240 days, with most breached companies finding out they were breached from outside their organization. Our deep understanding of communication flows and years of proven experience tracking suspects-of-interest (SOI) has given us a unique edge in being able to rewind and pinpoint the device of interest in today’s war on enterprise data breaches. It’s all about taking today’s knowledge and applying it to history. Our breakthrough Learning Analytics model ties together the high-definition records from communication patterns with today’s threat intelligence to not only accelerate the detection of breaches, but to forecast breach behavior for future protection. Network history offers the fastest means to uncover the unknown, and only when you constantly wind the clock back using the latest threat intelligence and network history can you uncover what gets missed by preventive security.