Spot Malicious Activity in Your Flow Logs with Dome9

An enterprise’s ability to respond to threats depends on how quickly it can spot and analyze them from a sea of alerts generated by various detection systems.  Security operations teams are typically expected to detect anomalous activity by analyzing threat feeds from multiple logs. Unfortunately, the overload of log data has significantly complicated matters.

Log Monitoring Challenge

The below example shows how non-intuitive it is to extract insights today from a typical flow log.

[wp_colorbox_media url=”https://dome9.com/wp-content/uploads/2018/06/01-1.png” type=”image” hyperlink=”https://dome9.com/wp-content/uploads/2018/06/01-1.png” alt=””] Figure 1: At first glance, IP/port information does not reveal anything anomalous

To answer questions like:

1.What type of asset is this?

2. Is an internal service being accessed?

3. Is that destination address malicious or not?

is not a trivial exercise. As the number of logs grows, this problem is exacerbated. In order to ensure they maximize their productivity, analysts are pushed to try time saving workarounds.

Workarounds/Limitations

1. SOC teams filter on “accept” traffic before it enters a SIEM due to enormous volume.

2. Another technique is keeping only the inbound and outbound traffic (the traffic to and from your network to the internet) rather than storing all source/destination traffic logs

3. They can also monitor a certain characteristic, or watch when a certain event crosses a specific threshold.

These are shortcuts that essentially trying to make the analyst more efficient by only looking for traffic that is “assumed” to be bad. There are two flaws in this approach:

1. At the time of collection, if data is filtered, you lose the context since the information is fragmented.

2. The filtered traffic can house the malicious activity, and not having this filtered traffic to analyze means the analyst only has a partial view of the network. For example, “Reject” traffic provides valuable insight into potential brute force attacks.

Reducing amount of data leads to the risk of losing context and results in a poor signal to noise ratio. Unfortunately, getting the contextualized data just in time to the SOC analyst is still an incredible challenge. Many security teams still manually monitor data streams, and may even write their own scripts to process, enrich and analyze data. All of those streams of data need to be constantly managed to ensure that they are processed properly.

Dome9 Enriches Flow Logs and Delivers Fast Insights

The overload of data makes it hard to find the needle in the haystack among interesting events. Dome9 automatically analyzes ALL your flow logs and provides additional enriched context that can be piped to your SIEM tool. The log data is enriched with threat intel feeds, geo databases, along with network/account activity and other cloud sources that provides rich context for the analyst.

[wp_colorbox_media url=”https://dome9.com/wp-content/uploads/2018/06/02.png” type=”image” hyperlink=”https://dome9.com/wp-content/uploads/2018/06/02.png” alt=””] Figure 2: Enriched Flow Log now reveals malicious activity

When paired with security information and event management (SIEM) systems, Dome9 can help security teams identify anomalous network or user activity hidden in the logs. This proactive approach can help organizations counter threats before they even gain a foothold.