10 Impossible Things You Can Do To Secure your Network with Metadata

Metadata. It’s not a word that springs to mind when you think about detecting and stopping attacks on your networks and endpoints. If you’re investigating an attack you probably pull log files and NetFlow data to try to make sense of what’s going on. Nothing wrong with that. But as with all things cybersecurity, there’s always more you can do. And that’s where metadata comes in.

Metadata is data that describes other data, and it can be a powerful ally in your battle against cyberattacks. And I don’t mean NetFlow, which records little more than who talked to whom, on which ports, and how much. Rich metadata (the sender and subject of an email, the URL in a request, the hash of a file in transit, the certificate a server presented) can be queried to answer incredibly detailed questions about your cyber posture and to investigate suspected incidents in seconds.

Here are 10 things you may not know you could do with metadata, courtesy of our expert cybersecurity partner, Fidelis:

1. Find everyone who received a phishing email in a couple of minutes, not days.

The moment you receive an alert about a phishing email, what do you normally do? You try to move fast to stop more users clicking on it, right? But how do you find the other copies? IT is busy and you need to move quickly. With rich metadata you can locate every related message in one search (same sender, subject, embedded URL or attachment hash), so that when IT is free you have the contextual details you need to resolve the problem.

2. See if a new vulnerability has been exploited in less than 60 seconds

When new malware, a campaign, or a zero-day exploit hits the headlines, you need to know whether your network is exposed. Threat intelligence feeds can help detect future events, but how do you know that you haven’t already been compromised? Stored metadata lets you run a backward search on the published indicators (domains, file hashes, sender addresses) to determine which of those events have already taken place in your environment.
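Items 1 and 2 are the same operation run against a store of message metadata: pivot from one known-bad record to everything that shares an indicator with it, or search the stored history for indicators published later. The following is an added example, not code from Fidelis or the white paper; the record layout, the addresses, the URLs and the hashes are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class MailMeta:
    """One stored message: envelope plus extracted indicators, no body content."""
    ts: datetime
    sender: str
    recipient: str
    subject: str
    urls: tuple = ()          # URLs extracted from the body
    attachments: tuple = ()   # SHA-256 of each attachment


# Constructed sample store (hashes, domains and addresses are illustrative, not real).
H_LURE = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
H_REPORT = "60303ae22b998861bce3b28f33eec1be758a213c86c93c076dbe9f558c11c752"
STORE = [
    MailMeta(datetime(2017, 3, 1, 9, 2), "billing@invoice-pay.example", "alice@agency.example",
             "Overdue invoice", ("http://invoice-pay.example/login",), (H_LURE,)),
    MailMeta(datetime(2017, 3, 1, 9, 3), "billing@invoice-pay.example", "bob@agency.example",
             "Overdue invoice", ("http://invoice-pay.example/login",), (H_LURE,)),
    MailMeta(datetime(2017, 3, 1, 9, 7), "ap@vendor.example", "carol@agency.example",
             "Re: your invoice", ("https://invoice-pay.example/verify",), ()),
    MailMeta(datetime(2017, 3, 1, 10, 15), "news@vendor.example", "dave@agency.example",
             "Quarterly report", ("https://vendor.example/q1",), (H_REPORT,)),
    MailMeta(datetime(2017, 3, 2, 8, 30), "hr@agency.example", "erin@agency.example",
             "FW: Overdue invoice", (), (H_LURE,)),   # lure forwarded internally
]


def _url_domains(msg):
    """Hostnames of every URL recorded for a message."""
    return {urlsplit(u).hostname for u in msg.urls if urlsplit(u).hostname}


def find_phish_recipients(store, seed):
    """Item 1: pivot from one confirmed phishing message to everyone who received
    a related one. Returns {recipient: first matching field}."""
    seed_domains = _url_domains(seed)
    seed_hashes = set(seed.attachments)
    hits = {}
    for m in store:
        if m.sender == seed.sender:
            reason = "sender"
        elif _url_domains(m) & seed_domains:
            reason = "url-domain"
        elif set(m.attachments) & seed_hashes:
            reason = "attachment-hash"
        else:
            continue
        hits.setdefault(m.recipient, reason)
    return hits


def ioc_backsearch(store, domains=(), hashes=(), since=None):
    """Item 2: backward search. Which stored messages already touched a newly
    published domain or file hash? Returns matches, oldest first."""
    domains, hashes = set(domains), set(hashes)
    out = []
    for m in sorted(store, key=lambda m: m.ts):
        if since is not None and m.ts < since:
            continue
        if _url_domains(m) & domains or set(m.attachments) & hashes:
            out.append(m)
    return out


if __name__ == "__main__":
    print(find_phish_recipients(STORE, STORE[0]))
    print([m.recipient for m in ioc_backsearch(STORE, hashes={H_REPORT})])
```

Pivoting on more than one field is the point: the message to carol came from a different sender and carried no attachment, and the copy erin received had no URL at all, yet both are found because the store keeps every indicator separately.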

3. Find “man-in-the-middle” attacks

These attacks occur when a threat actor slips between you and the server and starts capturing, sending, restricting, or altering confidential data meant for someone else. Metadata lets you zero in on these attacks and identify when network traffic is being diverted, for example when a session terminates at an unexpected intermediate host or a server suddenly presents a different certificate.

4. Find weak encryption points in the network

Expired SSL/TLS certificates can be very hard to track down. But by recording metadata from every SSL/TLS handshake (server name, negotiated protocol version and cipher suite, the certificate’s validity dates and signature algorithm) and storing it, you can search that history and identify weak ciphers and expired or soon-to-expire certificates.
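What such a search looks like over stored handshake metadata, as an added example (not Fidelis code): the record layout, the policy thresholds, the server names and the dates are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TlsMeta:
    """Handshake metadata kept per session; no payload."""
    ts: datetime
    server_name: str
    server_ip: str
    version: str              # negotiated protocol version
    cipher: str               # negotiated cipher suite
    cert_not_after: datetime  # leaf certificate validity end
    cert_sig_alg: str         # leaf certificate signature algorithm


# Policy thresholds are assumptions for this example, not product defaults.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # "DES" also catches 3DES
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
EXPIRY_WARNING = timedelta(days=30)
NOW = datetime(2017, 3, 1)   # the moment the audit is run

# Constructed sample sessions (names, addresses and dates are illustrative).
SESSIONS = [
    TlsMeta(datetime(2017, 3, 1, 8, 0), "mail.agency.example", "10.0.1.5", "TLSv1.2",
            "ECDHE-RSA-AES128-GCM-SHA256", datetime(2018, 1, 1), "sha256WithRSAEncryption"),
    TlsMeta(datetime(2017, 3, 1, 8, 1), "legacy.agency.example", "10.0.1.9", "TLSv1.0",
            "RC4-SHA", datetime(2016, 12, 31), "sha1WithRSAEncryption"),
    TlsMeta(datetime(2017, 3, 1, 8, 5), "portal.agency.example", "10.0.2.20", "TLSv1.2",
            "ECDHE-RSA-AES256-GCM-SHA384", datetime(2017, 3, 20), "sha256WithRSAEncryption"),
    TlsMeta(datetime(2017, 3, 1, 9, 30), "legacy.agency.example", "10.0.1.9", "TLSv1.0",
            "RC4-SHA", datetime(2016, 12, 31), "sha1WithRSAEncryption"),  # repeat session
]


def session_findings(s, now):
    """Findings for one handshake record, empty when the session is clean."""
    f = []
    if s.cert_not_after < now:
        f.append("expired-cert")
    elif s.cert_not_after - now <= EXPIRY_WARNING:
        f.append("cert-expires-soon")
    if s.version in WEAK_VERSIONS:
        f.append("weak-version:" + s.version)
    if any(m in s.cipher.upper() for m in WEAK_CIPHER_MARKERS):
        f.append("weak-cipher:" + s.cipher)
    if s.cert_sig_alg in WEAK_SIG_ALGS:
        f.append("weak-signature:" + s.cert_sig_alg)
    return f


def audit(sessions, now):
    """Collapse per-session findings to one entry per server endpoint so the
    same weak server seen a thousand times is reported once, with a count.
    Returns {(server_name, server_ip): {"findings": [...], "sessions": n}}."""
    report = {}
    for s in sessions:
        f = session_findings(s, now)
        if not f:
            continue
        entry = report.setdefault((s.server_name, s.server_ip),
                                  {"findings": set(), "sessions": 0})
        entry["findings"].update(f)
        entry["sessions"] += 1
    return {k: {"findings": sorted(v["findings"]), "sessions": v["sessions"]}
            for k, v in report.items()}


if __name__ == "__main__":
    for endpoint, entry in audit(SESSIONS, NOW).items():
        print(endpoint, entry)
```

Because the handshake metadata is stored rather than checked once at connection time, the same query can be re-run after a policy change (say, dropping TLSv1.1 into the weak set) against history you already have.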

5. Find sensitive data as it traverses your network

Why is this important? You need to know if, when, and how sensitive data is leaving your organization, or just travelling across your internal network. With a quick metadata search you can find and analyze all of it and learn who sent the data, where it went, and by which channel.

6. See lateral movement in your network

Once your network is penetrated, malicious actors have an uncanny knack of moving sideways, and it can be weeks or months before your agency knows they are even there (this is what happened with the OPM data breach). While alerts may be going off like crazy, you can’t identify the root cause. When you do get time to threat hunt, you are often left with NetFlow information, which records only flow summaries (addresses, ports, byte counts) and lacks application context. Metadata, on the other hand, gives you granular visibility into what’s happening on the network and endpoint so you can track attackers and reconstruct their activities for more effective remediation.

7. Contextualize and prioritize an alert

Context is everything when your network is under attack. Without context (the why and how of an alert) how do you react? You need to discover the root cause of an alert so you can prioritize actions. Metadata gives you a view of all network communication so you can understand the events taking place on the network.

8. Get a historical view of remote desktop sessions

If an attacker finds a Remote Desktop service exposed on a victim’s computer, brute-forcing a login becomes easy. You can use metadata to see who is moving through your network over remote desktop sessions, and from where, making it possible to analyze that activity and trace threats to their source.

9. Identify rogue applications

Malicious data capture through installed applications is becoming increasingly common. Rogue applications can transmit information about the user’s operating system, other installed applications and browsing habits, basically everything an attacker needs to craft a spear-phishing campaign or watering hole attack. Metadata gives you visibility into indicators and attributes of the transport and application protocols, as well as file objects in transit, so you can quickly react to malicious traffic and objects.

10. Detect credentials in the clear

When an employee logs onto a government network or application from a Wi-Fi hotspot, or even a home network, using their work credentials, they are often easy pickings for username and password theft. Protocols that carry credentials in the clear, like POP3, IMAP and Telnet without TLS, are still in use on many networks, and that exposure can be hard to detect. Not so with metadata. You can see which sessions are using these protocols without encryption and have the context to do something about it.
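Items 6, 8 and 10 all run over the same kind of record, a per-session summary that includes the identified application protocol and whether the session negotiated TLS, which is what distinguishes it from a bare flow record. The following is an added example, not Fidelis code: the record layout, the internal address range, the port-to-protocol table, the fan-out threshold and every sample flow are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FlowMeta:
    """One session record from the metadata store (no payload)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    app: str            # application protocol identified from the stream
    tls: bool = False   # True if the session negotiated TLS or STARTTLS


INTERNAL = ip_network("10.0.0.0/8")                         # assumed internal range
ADMIN_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 22: "ssh"}
CLEARTEXT_CRED_APPS = {"pop3", "imap", "telnet", "ftp", "http-basic-auth"}


def _t(minute):
    return datetime(2017, 3, 1, 14, minute)


# Constructed sample flows (addresses are illustrative).
FLOWS = (
    # a workstation sweeping SMB across its subnet within a few minutes
    [FlowMeta(_t(i), "10.0.5.7", f"10.0.5.{10 + i}", 445, "smb") for i in range(6)]
    # an admin host with ordinary RDP use, spread out over the hour
    + [FlowMeta(_t(2), "10.0.1.2", "10.0.3.40", 3389, "rdp", True),
       FlowMeta(_t(50), "10.0.1.2", "10.0.3.41", 3389, "rdp", True)]
    # mail and terminal sessions, some protected by TLS and some not
    + [FlowMeta(_t(5), "10.0.7.3", "203.0.113.5", 110, "pop3"),
       FlowMeta(_t(6), "10.0.7.4", "203.0.113.5", 993, "imap", True),
       FlowMeta(_t(7), "10.0.7.4", "203.0.113.5", 143, "imap", True),   # STARTTLS
       FlowMeta(_t(8), "10.0.7.9", "10.0.9.1", 23, "telnet")]
)


def lateral_fanout(flows, window=timedelta(minutes=10), threshold=5):
    """Item 6: an internal host opening admin-protocol sessions to at least
    `threshold` distinct internal hosts within `window`. Returns {src: targets}."""
    by_src = defaultdict(list)
    for f in flows:
        if (f.dport in ADMIN_PORTS and ip_address(f.src) in INTERNAL
                and ip_address(f.dst) in INTERNAL):
            by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, first in enumerate(fl):          # slide the window over each start
            targets = {g.dst for g in fl[i:] if g.ts - first.ts <= window}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts


def rdp_history(flows, host):
    """Item 8: every RDP session to `host`, oldest first, as (timestamp, source)."""
    return sorted((f.ts, f.src) for f in flows if f.dport == 3389 and f.dst == host)


def cleartext_credentials(flows):
    """Item 10: sessions over credential-carrying protocols that never
    negotiated TLS. Port alone is not enough: IMAP on 143 with STARTTLS is fine."""
    return [f for f in flows if f.app in CLEARTEXT_CRED_APPS and not f.tls]


if __name__ == "__main__":
    print(lateral_fanout(FLOWS))
    print(rdp_history(FLOWS, "10.0.3.40"))
    print([(f.src, f.dst, f.app) for f in cleartext_credentials(FLOWS)])
```

The cleartext check is where the difference from NetFlow shows: the two IMAP sessions on ports 993 and 143 both pass because the store records that TLS was negotiated, while the POP3 and Telnet sessions are flagged regardless of port.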

To learn more about why metadata is a game changer in the security space (think of it as NetFlow on steroids), check out the white paper – 10 Impossible Things you can do with Metadata – for yourself.