Published on July 7th, 2016 | by Tony Thompson
WTHeck is an HDR?
High-Definition Records (HDRs) are SS8's answer to the lack of total network visibility in today's enterprise. As networks and the attacks against them have grown more sophisticated, basic flow information from NetFlow or its equivalents is no longer enough to tell you whether your network has been breached.
The HDRs generated by SS8 BreachDetect offer a far greater level of detail about network sessions because they describe what is happening at the transaction, flow and session levels, not just the flow level. HDRs add an application metadata layer on top of basic network and flow statistics: rich layer 7 information that greatly increases an enterprise's visibility into its own traffic.
But why is it so important to have access to layer 7 information instead of just layer 3 or 4?
Let's take a look at an email session: a single flow can carry multiple messages, each making up a transaction between the client and the server. NetFlow cannot distinguish between these transactions; at best it provides a summary of the entire flow. That means you miss the information an HDR captures for each message, such as the To, Cc, From and Subject fields and the details of any attachments.
HDRs Carry More Insight
Now imagine these emails are crossing your corporate network. On the server is an email waiting to be downloaded; it is a spear-phishing message carrying a malicious attachment. The HDR for that transaction would include the attachment's MD5 hash, which BreachDetect could compare against Indicators of Compromise (IoCs) published by a threat feed and flag as a match. (A hash match only catches attachments already known to a feed; a freshly built or repacked sample has to be caught from other signals, such as the sender or attachment details that the same HDR also records.) With a NetFlow record, all you would see is that an email was downloaded, and 243 days later you realize you have been breached.
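As an added example (not SS8 code, and not how BreachDetect is implemented), the following Python parses a constructed client-side SMTP transcript in which one TCP flow carries two messages, emits one HDR-style record per message with the envelope, From/To/Cc/Subject and attachment fields described above, and matches each attachment's MD5 against a constructed IoC set. The hostnames, addresses, attachment bytes and the IoC entry are all invented; the NetFlow-style summary is included only for contrast.

```python
import base64
import email
import hashlib
from email import policy

# Constructed sample attachment (a bare MZ header) and the IoC entry derived
# from it. A real deployment loads this set from a threat feed; it is built
# inline here only so the example runs offline.
SAMPLE_ATTACHMENT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
IOC_FEED = {hashlib.md5(SAMPLE_ATTACHMENT).hexdigest(): "constructed-feed:dropper"}

# Constructed client side of one SMTP session (a single TCP flow) carrying two
# messages. Note the second message's header From differs from its envelope
# MAIL FROM, a detail a per-flow summary would never expose.
SMTP_FLOW = b"\r\n".join([
    b"EHLO laptop.corp.example",
    b"MAIL FROM:<alice@corp.example>",
    b"RCPT TO:<bob@corp.example>",
    b"DATA",
    b"From: alice@corp.example",
    b"To: bob@corp.example",
    b"Subject: lunch?",
    b"",
    b"Noon at the usual place?",
    b".",
    b"MAIL FROM:<billing@invoice-portal.example.net>",
    b"RCPT TO:<bob@corp.example>",
    b"DATA",
    b"From: accounts@corp.example",
    b"To: bob@corp.example",
    b"Cc: finance@corp.example",
    b"Subject: Overdue invoice 4471",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"Please open the attached invoice.",
    b"--b1",
    b'Content-Type: application/octet-stream; name="invoice.exe"',
    b'Content-Disposition: attachment; filename="invoice.exe"',
    b"Content-Transfer-Encoding: base64",
    b"",
    base64.b64encode(SAMPLE_ATTACHMENT),
    b"--b1--",
    b".",
    b"QUIT",
    b"",
])


def netflow_summary(flow: bytes) -> dict:
    """What a NetFlow-style record sees: one summary for the whole flow, no messages."""
    return {"proto": "tcp", "dport": 25, "bytes": len(flow)}


def split_smtp_transactions(flow: bytes) -> list:
    """Split one SMTP flow into per-message transactions (envelope plus DATA body)."""
    transactions, current, body, in_data = [], None, [], False
    for line in flow.split(b"\r\n"):
        if in_data:
            if line == b".":  # end-of-data marker closes the transaction
                current["data"] = b"\r\n".join(body)
                transactions.append(current)
                current, body, in_data = None, [], False
            else:  # undo SMTP dot-stuffing of lines that begin with a period
                body.append(line[1:] if line.startswith(b"..") else line)
            continue
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            current = {"mail_from": line[10:].strip(b"<> ").decode(), "rcpt_to": []}
        elif upper.startswith(b"RCPT TO:") and current is not None:
            current["rcpt_to"].append(line[8:].strip(b"<> ").decode())
        elif upper == b"DATA" and current is not None:
            in_data = True
    return transactions


def build_hdrs(flow: bytes) -> list:
    """One HDR-like record per message: layer 7 header fields plus attachment hashes and IoC hits."""
    hdrs = []
    for tx in split_smtp_transactions(flow):
        msg = email.message_from_bytes(tx["data"], policy=policy.default)
        attachments = []
        for part in msg.iter_attachments():
            payload = part.get_payload(decode=True) or b""
            digest = hashlib.md5(payload).hexdigest()
            attachments.append({
                "name": part.get_filename(),
                "size": len(payload),
                "md5": digest,
                "ioc": IOC_FEED.get(digest),  # None when the hash is not on the feed
            })
        hdrs.append({
            "envelope_from": tx["mail_from"],
            "envelope_to": tx["rcpt_to"],
            "from": str(msg["From"] or ""),
            "to": str(msg["To"] or ""),
            "cc": str(msg["Cc"] or ""),
            "subject": str(msg["Subject"] or ""),
            "attachments": attachments,
            "alert": any(a["ioc"] for a in attachments),
        })
    return hdrs


if __name__ == "__main__":
    print(netflow_summary(SMTP_FLOW))
    for record in build_hdrs(SMTP_FLOW):
        print(record)
```

Running it prints a single flow summary followed by two HDR-style records; only the second carries an attachment, and its MD5 hits the constructed feed entry, which is the point at which a detection platform would raise the alert.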
HDRs can also be used to detect and report obfuscated protocols such as Tor, which is designed to be hard to identify on a network. Because HDRs carry application metadata even for these hard-to-classify protocols, the classification can be combined with flow statistics such as byte counts to measure how much data is entering or leaving the network over them. Large amounts of outbound Tor traffic from a single host, for instance, could indicate that Tor is being used as a transport to exfiltrate confidential files.
Beyond what can be discovered from the flow itself, HDRs are also enriched with user, device and host identity, as well as geolocation. Because IP addresses are often dynamically assigned, identity mapping is what makes it possible to tie a session to a specific user and device and follow that user's activity across the network. Likewise, connections to IP addresses in countries the network does not normally talk to may warrant attention, especially when the protocol the HDR classified is itself suspicious.
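The two checks described above, volume over Tor and destinations outside the usual set of countries, only work once each record is tied to a user rather than an IP. As an added example (not SS8 code, and not how BreachDetect performs its enrichment), the following Python enriches constructed HDR-like records with a time-aware DHCP lease lookup and a prefix-to-country table, then applies both checks. The lease table, geo table, baseline countries, threshold and all records are invented; the addresses are IETF documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease history. The same address is held by two different
# users on the same day, which is why a bare IP is not an identity.
LEASES = [
    {"ip": "10.20.0.15", "user": "alice", "device": "alice-laptop",
     "start": "2016-07-01T08:00", "end": "2016-07-01T12:00"},
    {"ip": "10.20.0.15", "user": "mallory", "device": "contractor-vm",
     "start": "2016-07-01T12:00", "end": "2016-07-01T20:00"},
]

# Constructed prefix-to-country table and the countries this network normally
# talks to (both invented for the example).
GEO = {"203.0.113.0/24": "US", "198.51.100.0/24": "GB", "192.0.2.0/24": "BR"}
BASELINE_COUNTRIES = {"US", "GB"}
TOR_EXFIL_THRESHOLD = 200 * 1024 * 1024  # outbound bytes over Tor per user (assumed)

# Constructed HDR-like records: flow statistics plus the layer 7 classification.
HDRS = [
    {"ts": "2016-07-01T09:15", "src": "10.20.0.15", "dst": "203.0.113.10", "app": "https", "bytes_out": 4_200},
    {"ts": "2016-07-01T13:05", "src": "10.20.0.15", "dst": "198.51.100.7", "app": "tor", "bytes_out": 150 * 1024 * 1024},
    {"ts": "2016-07-01T13:30", "src": "10.20.0.15", "dst": "198.51.100.9", "app": "tor", "bytes_out": 120 * 1024 * 1024},
    {"ts": "2016-07-01T13:40", "src": "10.20.0.15", "dst": "192.0.2.44", "app": "ssh", "bytes_out": 12_000},
]


def resolve_identity(ip: str, when: str):
    """Return (user, device) holding `ip` at time `when`; lease start is inclusive, end exclusive."""
    t = datetime.fromisoformat(when)
    for lease in LEASES:
        if lease["ip"] != ip:
            continue
        if datetime.fromisoformat(lease["start"]) <= t < datetime.fromisoformat(lease["end"]):
            return lease["user"], lease["device"]
    return None, None


def geolocate(ip: str):
    """Longest-prefix match of the destination against GEO; None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, country in GEO.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, country)
    return best[1] if best else None


def enrich(hdrs: list) -> list:
    """Attach user, device and destination country to each record."""
    out = []
    for h in hdrs:
        user, device = resolve_identity(h["src"], h["ts"])
        out.append({**h, "user": user, "device": device, "dst_country": geolocate(h["dst"])})
    return out


def flag_tor_exfil(enriched: list, threshold: int = TOR_EXFIL_THRESHOLD) -> dict:
    """Sum outbound bytes per user on flows classified as Tor; return users over the threshold."""
    totals = defaultdict(int)
    for h in enriched:
        if h["app"] == "tor":
            totals[h["user"]] += h["bytes_out"]
    return {user: total for user, total in totals.items() if total > threshold}


def flag_unusual_geo(enriched: list, baseline: set = BASELINE_COUNTRIES) -> list:
    """Sessions to countries outside the baseline (or with no geo match), with who made them."""
    return [
        {"user": h["user"], "device": h["device"], "dst": h["dst"],
         "country": h["dst_country"], "app": h["app"]}
        for h in enriched if h["dst_country"] not in baseline
    ]


if __name__ == "__main__":
    records = enrich(HDRS)
    print("tor volume:", flag_tor_exfil(records))
    print("unusual geo:", flag_unusual_geo(records))
```

With these inputs the 09:15 HTTPS session resolves to alice and the afternoon sessions to mallory, so the 270 MB over Tor and the SSH session to an out-of-baseline country are attributed to the contractor VM rather than to whoever happens to hold 10.20.0.15 when an analyst looks it up later.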
Learn more about HDRs and how they can give you better visibility for detecting and forecasting breaches on your network by downloading our free whitepaper.