This series of articles and the accompanying videos are part of an ongoing project to illuminate the people, products, and vendors that make up the IT security industry. The vendors paid for the video production.
Despite years of investment in multiple layers of security defenses, every organization is still wide open to targeted attacks. It is practically impossible to stop all possible attacks. Even Next Generation Firewalls, complete alerting and logging collected in a SIEM, and universal patch management and vulnerability discovery have proven to be ineffective against threat actors who are motivated, skilled and determined.
In an environment of constant, unrelenting attacks, network packet capture and advanced security analytics are needed to discover the attack in progress and provide the intelligence to minimize the damage done. Advance knowledge of the reconnaissance phase, early probes of vulnerable systems, suspicious lateral movement, and attempted exfiltration can give the cyber defense team the time they need to thwart the attack and prepare for the follow-on attacks.
I spoke with Dan Holden, Director of Arbor Networks’ ASERT research lab, about their acquisition of PacketLoop last year. Arbor has made several forays into enterprise solutions over the years with IPS appliances and DDoS defense solutions. PravailSA is a tool for applying data analytics to captured packet data.
Pravail Security Analytics allows an analyst to zoom in to minute details and zoom out to get the big picture. Every packet carries a timestamp, so correlation is time based. You can zoom in as far as a single suspicious packet, such as a probe, and then pivot off that probe to discover all the devices touched by the same source IP address, or look for all suspicious activity around the target machine.
The “loop” part of PacketLoop is the ability to replay recorded data through an updated engine as new intelligence is discovered. If you had the captured network traffic, discovering whether attacks against OpenSSL using the Heartbleed bug had been recorded would be trivial.
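The two capabilities described above, pivoting from a single packet by source IP and time, and replaying stored packets through a rule that did not exist when they were captured, can be illustrated with a small added example. This is not Arbor's code or the Pravail engine; it assumes a simplified in-memory packet record (timestamp, source, destination, destination port, raw payload) in place of a real pcap, and the sample packets are constructed for the demonstration. The Heartbleed rule applies the well-known check from the public advisories: a TLS heartbeat request whose declared payload length cannot fit inside the TLS record that carries it.

```python
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for one captured packet (hypothetical record format)."""
    ts: float        # capture timestamp, seconds
    src: str
    dst: str
    dport: int
    payload: bytes   # transport payload as captured


def is_heartbleed_probe(pkt: Packet) -> bool:
    """Detection rule: TLS heartbeat request (record type 0x18, message type 1)
    whose declared payload length exceeds what the TLS record actually carries.
    Legitimate heartbeats always fit: type(1) + length(2) + payload <= record length."""
    p = pkt.payload
    if len(p) < 8 or p[0] != 0x18:
        return False
    record_len = struct.unpack("!H", p[3:5])[0]
    hb_type = p[5]
    claimed_len = struct.unpack("!H", p[6:8])[0]
    return hb_type == 1 and claimed_len + 3 > record_len


def replay(packets, rules):
    """Run every rule over the stored capture, returning (rule_name, packet) alerts.
    This is the 'loop': rules added later are applied to traffic recorded earlier."""
    return [(name, pkt) for pkt in packets for name, rule in rules.items() if rule(pkt)]


def pivot_source(packets, src):
    """Every destination host touched by a given source address."""
    return sorted({pkt.dst for pkt in packets if pkt.src == src})


def activity_around(packets, host, center_ts, window):
    """All packets involving a host within +/- window seconds of a timestamp."""
    hits = [pkt for pkt in packets
            if host in (pkt.src, pkt.dst) and abs(pkt.ts - center_ts) <= window]
    return sorted(hits, key=lambda pkt: pkt.ts)


def build_corpus():
    """Constructed sample capture (not real traffic)."""
    return [
        # ordinary TLS application data record
        Packet(100.0, "203.0.113.7", "10.0.0.5", 443, b"\x17\x03\x02\x00\x05hello"),
        # heartbeat request: record length 3, but it claims a 16384-byte payload
        Packet(101.5, "203.0.113.7", "10.0.0.5", 443, b"\x18\x03\x02\x00\x03\x01\x40\x00"),
        # well-formed heartbeat: 2-byte payload plus 16 bytes padding fits in the record
        Packet(102.0, "203.0.113.7", "10.0.0.9", 443,
               b"\x18\x03\x02\x00\x15\x01\x00\x02ab" + b"\x00" * 16),
        # the probed host later opens an SMB connection to another internal machine
        Packet(103.0, "10.0.0.5", "10.0.0.22", 445, b"\x00\x00\x00\x45\xffSMB"),
        # unrelated SSH banner much later
        Packet(300.0, "198.51.100.4", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_6.6\r\n"),
    ]


if __name__ == "__main__":
    capture = build_corpus()
    # a rule written after the capture was taken is replayed over the stored packets
    for name, pkt in replay(capture, {"heartbleed": is_heartbleed_probe}):
        print(f"{name}: {pkt.src} -> {pkt.dst}:{pkt.dport} at t={pkt.ts}")
        print("  other hosts touched by source:", pivot_source(capture, pkt.src))
        for near in activity_around(capture, pkt.dst, pkt.ts, 5.0):
            print(f"  nearby: t={near.ts} {near.src} -> {near.dst}:{near.dport}")
```

The replay step is where the value of retained captures shows: the rule is evaluated against packets stored before the rule existed, and the pivots then turn the single alert into a list of other hosts the same source contacted and the activity around the target in the minutes after the probe.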
In addition to the interview with Dan Holden below, download the free white paper I wrote which was sponsored by Arbor Networks here.