The DNA of Detection & Response

Thursday, August 2, 2018

The migration from prevention to detection defenses is driving a new perspective on the DNA required to be successful.  Decades of preventive defenses have ingrained concepts of sandboxing, crowd sourced visibility, cloud-based intelligence, and using machine learning anomaly detection to prevent threats with static and behavioral analysis.  So, it is only natural to leverage these concepts when thinking about detection and response. 

Most attacks continue to leverage email for delivery, however, are now using macros or file-less methods to avoid preventive defenses.  Compromised hosts and access credentials bring up identity as a new perimeter in the game of a spy versus spy.  The advent of Windows 10 providing multi-factor authentication and removing the ability to scrape credentials is timely.  Still, the time between infection and detection remains in months while research shows attacks move laterally in a few hours once inside.

Detection and response become a new focus for post breach attack visibility, and we bring along the concepts of preventive defenses as this is what we know.   Larger enterprises often leverage APIs to integrate multiple ‘best-in-breed’ MQ leader security solutions, such as next-generation firewalls, endpoint prevention, web and email gateways, cloud access security brokers, and security information and event management.  A rich fabric of preventive defenses with the central collection of unstructured logs and events for normalization and correlation.  More advanced deployments will apply behavior analytics to the collection of logs and events with some degree of success given specific use cases and supporting data with enough variety for anomaly detection.

Does this security stack work for detection and response?  While rich on preventive defenses at multiple points and meeting compliance regulations, it is not very effective for detection and response.  There is a different DNA model for detection and response, it is metadata, or information about other information.  Metadata enables fast queries, hunting, and investigations often providing 90% of the information at 20% of the storage expense making it useful for both real-time and retrospective analysis.  Metadata comes from curated security stacks designed to collect, share and optimize its value specifically for detection and response.

As a simple metaphor and example, consider phone conversations as our primary data source.  You could record conversations much like packet-captures to learn and reference, however, storage fees are expensive.  With recordings you cannot query against them nor apply any intelligence sources, you must listen to each recording to derive any knowledge.  So, recordings are great for forensics and best utilized on demand when evidence is required. 

As another option, you could collect simple metadata, like NetFlow’s from networks to learn source, destination, protocol, service and duration, however, this simple level of metadata lacks context for the phone conversations.  You could also add logs and events on the phone conversations to profile specific devices, activity, blocked calls, out of service, normal behavior, abnormal behavior, etc.  This enables timelines and storyboards of activity, however, what is the content and context of the phone calls?

Rich metadata comes from the deep inspection of communications and content often encoded and under multiple layers of obfuscation.  What if you could query thousands of phone calls by tags and specific metadata elements?  This would allow you to quickly query, filter and hunt for investigations with respect to content and context.  For example, you could focus on phone calls related to vacations and sunburns in a specific location that involved a trip to a local medical clinic as a source of fraudulent insurance claims.  Even better, what if the metadata model allowed you to create your own specific tags for content?  For a real-world example, you can use metadata to profile content by an author, or a specific footer in documents, or who sent and received a specific document, plus what else has a specific user accessed and sent out over multiple communication channels. 

Metadata is designed for threat detection, data theft and data loss with a cross session analysis perspective not seen within specific alerts.  So, the DNA for detection and response is rich metadata from network, endpoint and cloud environments.   We need to move beyond common known preventive defense concepts if we are to be successful with post breach detection and response.  To learn more about metadata and specific case studies, please read our white paper - What’s Hiding in Your Metadata.

How did Fidelis develop a rich metadata model?  Involvement in over 4,000 security cases for commercial and federal customers, plus expert testimony in over 100 court cases has provided a wealth of real-world experience for incident response.  Fidelis solutions for network, endpoint and deception all contribute rich metadata and are integrated for incident workflow of detection and response with a high degree of automation for common security analyst tasks.   We also provide a new Managed Detection and Response (MDR) Service using our curated security stack designed for detection and response leveraging the DNA of our rich metadata.

- Tom Clare
Sr. Manager, Product Marketing