Page 42 - CDM-Cyber-Warnings-March-2014
P. 42
Amplify the perimeter defenses they’ve already invested in Get started sooner using the data they already have Get results quicker by reducing overall time to detection and mitigation Find answers faster by reducing false positives, while running to ground the true attacks Imagine a security analyst receives an alert that a host on a network has communicated with a new botnet command and control server. This identifies a known bad host on the network that the analyst can open a ticket on to remediate. The security analyst creates the ticket, but also wants to know if the alert indicates a larger infiltration than just the one host. How was the host infected? How long has it been infected? Who communicated internally with the now infected host? Was it a file download? It would be difficult—if not impossible—to get these answers from the SIEM or other perimeter defense system. With network behavior analysis and visualization, however, the security analyst can fuse secondary data sources from devices such as next- generation firewalls or application metadata sensors with other network data, visualize it, and identify behavior patterns across the network similar to the alerted behavior. This transforms the alert into an indicator of compromise, intelligence that leads to faster and more complete mitigation of a compromise. The analyst gains a fuller understanding of the scope of the attack, allowing complete mitigation and remediation of all affected systems, not just the one alerted on. This adds tremendous value to the existing SIEM. Figure 1: While traditional SIEMs provide correlated logs of alerts, behavioral analysis and visualization provides the context behind every threat in order to mitigate faster and more completely. " # % " $ " # ! !
