This blog was originally published on LinkedIn.
Vendors who are trapped in a time warp often tout traffic flow analysis as a great way to detect and analyze behavior anomalies inside networks. I have a problem with that because it’s decades-old technology dressed in a new suit. Originally conceived to monitor network uptime, traffic flow analysis was retooled to look for denial-of-service attacks. In its latest incarnation, vendors who peddle flow analysis are now telling customers it’s a great way to find anomalies that might indicate compromise and bring speed and efficiency to incident response.
Basic questions occur to me when I consider how any technology solves problems. With flow analysis, is the vendor credible because its product improves how threats are found? Does it improve the human analysis of threats by enhancing investigation speed and efficiency?
As originally intended, flow analysis works well for traffic usage statistics and for finding network health problems. But it falls incredibly short in the detection and analysis of behavioral anomalies when it’s critical to identify and stop in-progress cyber attackers in your network.
Why flows blow
Finding the behavioral context in flow analysis requires highly skilled security experts to mine and analyze data packets and logs. It’s often done manually with outdated tools. This process makes it difficult to correlate events and differentiate odd behaviors from attacker behaviors. It’s also costly in terms of human capital.
For example, flow analysis tools claim to be great at detecting botnets before they wreak havoc. Sounds scary. But what if it’s just a spam relay? While you are disabling a noisy, opportunistic threat, a potentially catastrophic, high-risk attack is proliferating right under your nose through hidden tunnels in HTTPS traffic.
Looking for abnormalities or irregularities ensures that is all you will ever find. And finding odd, anomalous behavior does not always mean an attacker is in your network. Attackers who are targeting you specifically will be smart and their behaviors will be intentionally elusive.
The race to find attackers inside networks in the fastest, most efficient way possible requires a lot more than repurposed stone-age monitoring tools that only find anomalous behavior in network usage statistics.
Going against the flow
In contrast, using artificial intelligence to automatically parse and analyze metadata from captured network packets – which protects privacy without prying – enables security teams to find attackers faster and more efficiently in every phase of the cyber-attack kill chain.
These phases include hidden command-and-control communications, internal network reconnaissance, lateral movement, the early signs of a ransomware attack, botnet monetization behaviors and data exfiltration.
It’s also critically important to automatically score and prioritize compromised hosts to know which are the victims of opportunistic threats and which represent high-risk, high-stakes attacks.
This automation enables a junior security analyst to handle threat hunting, detection and attack prioritization in a matter of minutes instead of requiring a senior security analyst to spend days or weeks using flow analysis as an investigative tool.
Metadata bridges the gap between conventional tools and raw analysis by enabling the detection and understanding of true attacker behavior at high speed. This method of analysis delivers the scale to keep up with massive amounts of data on an ever-growing infrastructure.
Applying artificial intelligence to metadata in calculating the accuracy of threat certainty and risk enables security analysts to focus on the attacker detections that matter most. Metadata analysis contains the richness to detect, triage and respond faster by digging down into the protocols associated with the domain of interest.
Think about this when you compare the use of flow analysis to find network behavior anomalies with AI-based metadata analysis of attacker behaviors:
- Metadata works in real time. Flow analysis is slow – it’s a collection of metrics from packets and cannot perform real-time packet analysis.
- Flow analysis requires a skilled security analyst to parse through metrics about network connectivity to find an attack and correlate anomalous network events. This manual approach slows down the entire threat hunting process.
- Metadata is rich and exposes the entire threat scenario. Flow analysis only identifies general network metrics at a high level and often misses website names, users and application data needed to make decisions.
- Flow analysis lacks the information that a security analyst needs to take quick action, forcing reliance on other systems to interpret and understand data.
- The need for secondary systems and a lack of context prevent flow analysis from scaling. Even worse, it creates more work for security analysts, giving attackers more time to spy, spread and steal.
It’s time to get rid of flow analysis and consider a purpose-built automated threat management approach – preferably designed in the 21st century – to quickly find and stop modern cyber attackers in your network.