Security Attack Analysis for Finding and Stopping Network Attacks

The bad guys are winning.

No, this is not a review of the latest superhero movie. It is the plain and simple truth when it comes to network security attacks. We’re all too familiar with the names of big, formerly trusted organizations that have recently suffered breaches. And we’ve all been affected, both professionally and personally, by these breaches.

So rather than rehash these attacks once again, let’s take a brief look at an approach that can help make sense of the barrage of alerts from security systems, which instead of adding awareness, are merely hiding the needle in the haystack.

Current security systems do their job well – nowadays most would argue much too well. For fear of missing a critical event, security systems err (heavily!) on the side of caution. In doing so, they produce false positives – a lot of them. The volume of these alerts can quickly become overwhelming, rendering them almost as useless as no data at all. Remember, this is exactly what Target admitted: they did see alerts when the initial hack happened, well before any data was taken, but those alerts went uninvestigated.

On the positive side, false positives can be reduced, and sometimes pretty quickly. Many false positives are a result of some routine activity on your network that may be classified as out-of-the-ordinary for a general network. And because it’s routine on your network, it generates lots of security alerts. Armed with detailed information at the time of the alert, quick analysis will indicate whether or not this condition is normal for your network, and if it is, you can retune your security solution to ignore this condition. Every time you are able to do this you make your security solution more and more effective – a lot less hay and more needles.

This approach is called attack analysis, and it relies on network recording and network forensics to supply detailed, network-based information that can be used to unequivocally determine whether or not a security alert is the real thing. And if it is, you have a complete recording of the network activity from before, during, and after the attack so you can quickly stop the attack and assess the damage.
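To make the tuning loop in the two paragraphs above concrete, here is an added example (not code from the original post or from WildPackets) that triages a batch of IDS alerts against a baseline of conditions already confirmed as routine for this network. The alert format, the signature names, the IP addresses and the baseline entries are all constructed for the example; in practice the baseline is what you build from reviewing the recorded traffic behind each repetitive alert. The example also proposes the next tuning candidates, which is the general form of the "find the routine condition, confirm it, suppress it" step rather than the single case the text describes.

```python
"""Alert triage and tuning demo (added example; constructed data only).

Assumed alert format, one per line: timestamp,signature,src,dst,dport.
The baseline is the set of (signature, source) conditions that packet-level
review has already shown to be normal on this particular network.
"""
from collections import Counter
from typing import NamedTuple


class Alert(NamedTuple):
    ts: str
    signature: str
    src: str
    dst: str
    dport: int


# Constructed sample alerts: a nightly config-backup host (10.0.0.5) trips the
# SSH-sweep signature every night, one other host trips the same signature
# once, and a workstation trips an outbound-FTP policy rule twice.
RAW_ALERTS = """\
2024-01-01T02:00:01,ET SCAN SSH sweep,10.0.0.5,10.0.1.10,22
2024-01-01T02:00:02,ET SCAN SSH sweep,10.0.0.5,10.0.1.11,22
2024-01-01T02:00:03,ET SCAN SSH sweep,10.0.0.5,10.0.1.12,22
2024-01-01T02:00:04,ET SCAN SSH sweep,10.0.0.5,10.0.1.13,22
2024-01-01T03:14:07,ET SCAN SSH sweep,192.168.7.33,10.0.1.10,22
2024-01-01T09:30:00,ET POLICY Outbound FTP,10.0.2.17,203.0.113.9,21
2024-01-01T09:31:12,ET POLICY Outbound FTP,10.0.2.17,203.0.113.9,21
"""

# Hypothetical baseline: (signature, src) pairs confirmed routine by reviewing
# the recorded traffic. The backup host's SSH polling is expected; nothing else is.
BASELINE = {
    ("ET SCAN SSH sweep", "10.0.0.5"),
}


def parse_alerts(text: str) -> list[Alert]:
    """Parse the constructed alert lines into Alert records."""
    alerts = []
    for line in text.strip().splitlines():
        ts, sig, src, dst, dport = line.split(",")
        alerts.append(Alert(ts, sig, src, dst, int(dport)))
    return alerts


def triage(alerts: list[Alert], baseline: set[tuple[str, str]]):
    """Split alerts into suppressed (matches a confirmed-routine condition)
    and investigate (everything else). Matching is on the full condition,
    signature plus source, so the same signature from an unknown host is
    still investigated rather than silenced along with the routine case."""
    suppressed, investigate = [], []
    for a in alerts:
        if (a.signature, a.src) in baseline:
            suppressed.append(a)
        else:
            investigate.append(a)
    return suppressed, investigate


def tuning_candidates(alerts: list[Alert], min_count: int = 3):
    """Propose the next conditions to review against the recording: the
    (signature, src) pairs that fire repeatedly. Repetition alone does not
    make them routine; it makes them the cheapest place to cut alert volume
    once the packet data says they are benign."""
    counts = Counter((a.signature, a.src) for a in alerts)
    return [(key, n) for key, n in counts.most_common() if n >= min_count]


def reduction_ratio(alerts: list[Alert], baseline: set[tuple[str, str]]) -> float:
    """Fraction of alert volume removed by the current baseline."""
    suppressed, _ = triage(alerts, baseline)
    return len(suppressed) / len(alerts) if alerts else 0.0


if __name__ == "__main__":
    alerts = parse_alerts(RAW_ALERTS)
    suppressed, investigate = triage(alerts, BASELINE)
    print(f"{len(suppressed)} suppressed, {len(investigate)} to investigate")
    for a in investigate:
        print("  INVESTIGATE", a.ts, a.signature, a.src, "->", a.dst, a.dport)
    print("next tuning candidates:", tuning_candidates(investigate))
    print(f"volume reduced by {reduction_ratio(alerts, BASELINE):.0%}")
```

Running it shows the four backup-host alerts suppressed and three left to look at, including the one SSH-sweep alert from 192.168.7.33: the same signature, but not a source the baseline vouches for, which is exactly the distinction the recorded traffic lets you make before you retune anything.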

Interested in learning more? Check out our complete webinar on this topic, including detailed use cases, at http://www.wildpackets.com/resources/ondemand_webcasts.