Using Network Metadata to Transform Threat Detection and Investigation

December 27, 2016

When your agency detects a network attack, you need to act fast to understand what’s going on. But getting the insights and analytics you need takes time and often doesn’t trace threats back to the source.

A different approach, from DLT partner Fidelis Cybersecurity, turns that convention on its head. Instead of relying on point-product feeds into your SIEM, or on a full packet capture (PCAP) system to record and store all network activity, Fidelis collects network metadata. Fidelis claims that rich metadata extracted from traffic captures more than 90% of the data a PCAP would yield for an investigation, at roughly 20% of the cost. Because the volume is far smaller, that data can be stored, indexed and analyzed in near real time, for faster attack detection and remediation.

Attackers Hide in the Big Data

Metadata is important because, as Fidelis puts it in its whitepaper Talk Metadata To Me: How to Decode Your Network's Deepest and Darkest Secrets, all cyber-attacks follow the same essential modus operandi: infiltrate, establish command and control, move laterally and exfiltrate data. Each of those stages produces network activity, and the metadata of that activity is where the evidence of each stage is recorded.

To find attackers, security teams need to dig deep into network traffic for hidden exploits. Most advanced threat solutions don't go that deep. Capture-everything solutions create a different problem: big data doesn't always mean smart data, and analyzing or operationalizing everything they gather is often impractical. Attackers hide in that big data, and the onus is on you to find them.

Finding the Needle in the Big Data Haystack

Security teams have typically taken one of two approaches. Either they collect feeds from a patchwork of security products across the network and send them to a SIEM, or they invest in a full PCAP system, spend heavily with a storage vendor to archive the mass of historical data, and hire security analysts to parse it.

Now there is a third option: capturing and analyzing rich metadata instead, at a fraction of the cost of either alternative and, Fidelis says, without the need for a fully staffed SOC.

Metadata Decodes your Network’s Deepest Darkest Secrets

Metadata is critical to cybersecurity efforts because, until now, it has not been possible to capture and store rich metadata covering every document and communication protocol at scale. Traditional network devices gather some metadata, but only at the flow level (source IP, destination IP, URL and some header fields). With Fidelis Network, security teams can collect metadata from inside the session: attributes of the content itself, not just the envelope around it.

“...that’s important, because the richer the metadata you have, the richer the set of questions you can ask and answer quickly and without the aid of a PhD in forensics. And the richer the set of questions you can answer, the better your chances are of detecting and stopping attacks on your network.”

With Fidelis, some of the questions you can get answered include:

• Have we seen the document or executable being transmitted before?

• Who authored the document and when?

• Does the document have an attachment and, if so, is it malicious?

• What is the document type?

• Does the document have tags that describe sensitive data?

• Who else in the enterprise has a copy of the document?

• Was there any PII in the document?

• Who was logged into the machine that sent the document?

From this metadata you can then learn how, when, and why you were compromised. Have you been compromised in the past? Are you a victim of a multi-vector attack? And, what’s going on in your network?
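To make the flow-level versus session-level distinction concrete, here is an added example of what "rich" metadata extraction looks like in practice. This is illustration code, not Fidelis code (the Fidelis Network extraction engine is proprietary); the HTTP response, the in-memory hash index, the magic-number table and the PII patterns are all constructed for this example. It takes one captured HTTP response, records what a flow log would keep (endpoints, status, a couple of headers), then reaches into the body to answer several of the questions listed above: what the document actually is, who authored it, whether it carries PII-shaped data, and whether the same document has crossed the wire before.

```python
import hashlib
import re

# Hypothetical in-memory index of documents seen on the wire: SHA-256 of the
# body -> the first flow that carried it. A real deployment would persist this.
SEEN_DOCUMENTS = {}

# A few file-type signatures (constructed table, not exhaustive).
MAGIC = [
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip/ooxml"),
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0", "ole2/legacy-office"),
]

# PII-shaped patterns. Card numbers are additionally Luhn-checked to cut
# false positives from arbitrary digit runs.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b(?:\d[ -]?){12,18}\d\b"),
}

# Constructed sample capture: a flow record plus one HTTP response whose body
# is a tiny PDF-like document containing a fake SSN and a test card number.
FLOW = {"src_ip": "10.0.12.7", "dst_ip": "203.0.113.20", "dst_port": 80}
SAMPLE_BODY = (
    b"%PDF-1.4\n1 0 obj\n<< /Author (J. Doe) /CreationDate (D:20161220) >>\nendobj\n"
    b"SSN 123-45-6789 card 4111 1111 1111 1111\n%%EOF\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="q3-report.pdf"\r\n'
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_BODY)
    + SAMPLE_BODY
)


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def flow_metadata(flow, status, headers):
    """What a flow collector or proxy log typically keeps: endpoints plus a
    few header fields. Nothing here says what the document actually is."""
    return {
        **flow,
        "status": status,
        "declared_type": headers.get("content-type"),
        "content_length": headers.get("content-length"),
    }


def detect_type(body: bytes) -> str:
    """Type from magic bytes, independent of what Content-Type claimed."""
    for prefix, label in MAGIC:
        if body.startswith(prefix):
            return label
    return "unknown"


def attachment_name(headers):
    m = re.search(r'filename="?([^";]+)"?', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def pdf_author(body: bytes):
    # Simplified: matches a literal-string /Author entry in a PDF Info
    # dictionary. Real PDFs may hex-encode or compress it (assumption).
    m = re.search(rb"/Author\s*\(([^)]*)\)", body)
    return m.group(1).decode(errors="replace") if m else None


def find_pii(body: bytes) -> dict:
    """Count PII-shaped matches by kind; card candidates must pass Luhn."""
    hits = {}
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(body):
            if kind == "card" and not luhn_ok(re.sub(rb"[ -]", b"", m.group(0)).decode()):
                continue
            hits[kind] = hits.get(kind, 0) + 1
    return hits


def rich_metadata(flow, raw: bytes) -> dict:
    """Flow-level fields plus session-level attributes of the carried document."""
    status, headers, body = parse_http_response(raw)
    digest = hashlib.sha256(body).hexdigest()
    first_seen = SEEN_DOCUMENTS.get(digest)      # None if this is the first sighting
    SEEN_DOCUMENTS.setdefault(digest, dict(flow))
    return {
        **flow_metadata(flow, status, headers),
        "filename": attachment_name(headers),
        "sha256": digest,
        "doc_type": detect_type(body),           # compare with declared_type
        "author": pdf_author(body),
        "pii": find_pii(body),
        "seen_before": first_seen,               # flow that first carried this hash
    }


if __name__ == "__main__":
    for key, value in rich_metadata(FLOW, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

The flow record alone would show an octet-stream download of some size between two hosts; the session-level record shows a PDF authored by a named user, carrying an SSN and a valid-checksum card number, under a filename that can be searched for across other hosts, with a content hash that answers "have we seen this before?" on the next sighting. The mismatch between the declared Content-Type and the magic-byte type is itself a useful detection signal.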

Learn More

To learn more about how Fidelis captures metadata and an overview of how the solution allows you to find attackers faster, accelerate your response, and stop attacks, download this whitepaper.