Threat Investigations Suffering from Lack of Context

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

Pretty much every company falls victim to cybercrime eventually, directly or indirectly, and the cost varies by industry: energy and financial organizations suffer the most, automotive and agricultural businesses the least. The costs incurred, however, are not always withdrawals from the corporate bank account or the loss of top-secret plans. Some might be surprised to learn that the significant costs are actually in the clean-up, with small organizations suffering the highest cost per enterprise seat. Source:

“With financial institutions the payback is greater. Hackers target financial institutions because the thefts are greater with less effort,” said Mike Vigue, VP of Product Strategy at Bottomline Technologies. “Stealing from retail customers is less efficient.”


Once a company realizes that its network security has been compromised and that electronic theft may have resulted, the security team launches an all-out incident response effort. The infection must be eradicated quickly: the average cost of an unresolved attack is $21,155 per day. That is a hefty multiplier when targeted attacks take more than four months to resolve (source), on top of the even longer time leading up to the actual detection. Doing some quick math, you can see that reducing the time to detect and clean up a breach saves the company thousands of dollars. According to the Ponemon Institute, last year’s mean cost was $7.6 million per company.

Think about what investigators try to determine when investigating a security breach:

  • Which servers or desktops were involved in the breach?
  • Which resources may have been compromised?
  • How did the infection enter the network?
  • Who is responsible for the malware getting into the network?

The median time for an organization to detect a breach is 205 days (research from FireEye). This is why many companies save logs, flows and other records in massive data stores, resulting in Big Data: security professionals know they will need the information later to investigate the infections they don’t know about today.

Time for Incident Response

In most cases, it starts with an IP address. The firewall, the SIEM, the IDS or another threat detection system raises an alert about a specific host, and at that point the investigation is on. Where will the security professional look first? It always depends on the attack, but often they will search the flow collection system or the SIEM. Between them, these systems contain the events exported from each mission-critical system. When an incident occurs, a behavior profile can be assembled from them, which lets investigators answer the questions listed above. The faster the answers can be found, the lower the cost of the security event. To improve speed, security teams need context-aware security analytics.

Context Aware Security Analytics

Context-aware security analytics is the process of poring through logs and other pieces of information and correlating them with other sources (the “context”) to make them comprehensible and actionable.

Case example: the Security Analytics system reports a high Threat Index on an IP address that may be the victim of an attack. Through integration with Cisco ISE or Microsoft Active Directory, the IP address is correlated to a username for additional context. The investigator clicks on the alarm and launches a report to view the flows leading up to the event. Further analysis reveals that the system was connecting to a server and transferring significant volumes of data. Integration with the SIEM lets the analyst pivot to a third-party system for additional context, which reveals the files that were accessed and the other behaviors that took place on the server. Further investigation in the Security Analytics system exposes the DNS records and Fully Qualified Domain Names (FQDNs) visited by the victim; the FQDNs were on the malware reputation list. We can observe when it occurred and whether anyone else made successful connections to the same Internet sites.


The above context can come in the form of NetFlow, syslogs, proxy records, Amazon AWS logs, DNS lookups, URLs visited, username directories, PTAM information, etc. Pretty much anything that can be correlated with a device is context. The differentiator between competing systems is how easily you can pivot from one piece of context to another. Simplicity and speed result in a shorter Mean Time to Know (MTTK).

The Heart of Security Analytics

At the heart of Security Analytics is the collection of NetFlow and IPFIX. Cisco coined the phrase “using the network as a sensor”. Flow data is a tell-all of what a device has been doing on the network: who it talked to, on which ports and protocols, when, and how much data moved (though not the packet payload itself). By constantly analyzing this data, behavior profiles can be compiled and baselines established for normal communication patterns. With each event triggered, Threat Indexes are generated and real concerns rise to the top of the alarm table. The viewer simply has to drill in for actionable intelligence.

Case example: since flow collection covers internal as well as external communications, systems that shouldn’t be communicating are easily detected by setting up communication policies (for example, workstations may reach file servers on SMB, but one workstation should never open SMB to another). An effective Context Aware Security Analytics system can identify these behaviors, bring them to our attention and provide additional details to investigate further. Traditional detection solutions such as perimeter firewalls will not identify these internal lateral connections, because that east-west traffic never crosses them.
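To make the three cases above concrete (the IP-to-username pivot and reputation-list hit, the Threat Index that ranks the alarm table, and the internal communication policy that catches lateral connections), here is an added, self-contained Python example. It is not Plixer's code and not how Scrutinizer implements these features; the flow records, DNS answers, directory mapping, reputation entry, zone policy and scoring weights are all constructed for illustration.

```python
"""Context-aware flow analytics, constructed example (not Scrutinizer code).

Inputs are synthetic: flow 4-tuples (src, dst, dst_port, bytes), a DNS answer
log, a reputation list, an ISE/AD-style IP-to-user map and a zone policy.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records, as a collector would export them.
FLOWS = [
    ("10.1.20.15", "10.1.50.10", 445, 2_000),            # workstation -> file server
    ("10.1.20.15", "10.1.20.33", 445, 50_000_000),       # workstation -> workstation (SMB)
    ("10.1.20.15", "203.0.113.77", 443, 1_200_000_000),  # large upload to the Internet
    ("10.1.20.40", "10.1.50.10", 445, 1_500),
    ("10.1.20.40", "198.51.100.9", 443, 30_000),
    ("10.1.20.40", "203.0.113.77", 443, 800),            # a second host touched the same site
]
# Constructed DNS answer log: (client, query name, answer address).
DNS = [
    ("10.1.20.15", "update-cdn.example.net", "203.0.113.77"),
    ("10.1.20.40", "www.example.org", "198.51.100.9"),
    ("10.1.20.40", "update-cdn.example.net", "203.0.113.77"),
]
REPUTATION = {"update-cdn.example.net"}                      # constructed reputation list
DIRECTORY = {"10.1.20.15": "jdoe", "10.1.20.40": "asmith"}   # constructed ISE/AD session map

ZONES = {
    "workstations": ipaddress.ip_network("10.1.20.0/24"),
    "servers": ipaddress.ip_network("10.1.50.0/24"),
}
# Communication policy: (src zone, dst zone) -> permitted destination ports.
# Workstation-to-workstation is deliberately absent, so any such flow violates policy.
POLICY = {("workstations", "servers"): {445, 443, 389}}
EGRESS_BASELINE = 5_000_000           # bytes/day a host normally sends externally (constructed)
WEIGHTS = {"lateral": 3, "egress": 2, "reputation": 5}  # arbitrary Threat Index weights


def zone_of(ip):
    """Return the internal zone name for an address, or None if it is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def investigate(flows, dns, reputation, directory):
    """Build a per-host report: user, Threat Index and the findings behind it."""
    findings = defaultdict(list)
    egress = defaultdict(int)
    # (client, address) pairs where the client resolved a name on the reputation list.
    bad_answers = {(c, a): q for c, q, a in dns if q in reputation}

    for src, dst, port, nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz and dz:  # internal -> internal: check the communication policy
            if port not in POLICY.get((sz, dz), set()):
                findings[src].append(("lateral", f"{sz}->{dz} tcp/{port} to {dst} not permitted"))
        elif sz and not dz:  # internal -> external: volume and reputation checks
            egress[src] += nbytes
            if (src, dst) in bad_answers:
                findings[src].append(("reputation", f"reached {dst} after resolving {bad_answers[(src, dst)]}"))
        # external -> internal and external -> external flows are ignored here.

    for host, total in egress.items():
        if total > EGRESS_BASELINE:
            findings[host].append(("egress", f"{total} bytes egress exceeds baseline {EGRESS_BASELINE}"))

    return {
        host: {
            "user": directory.get(host, "unknown"),     # the IP-to-username pivot
            "threat_index": sum(WEIGHTS[k] for k, _ in findings.get(host, [])),
            "findings": findings.get(host, []),
        }
        for host in {f[0] for f in flows}
    }


def alarm_table(report):
    """Hosts ordered so the highest Threat Index rises to the top."""
    return sorted(((h, r["user"], r["threat_index"]) for h, r in report.items()),
                  key=lambda row: -row[2])


def hosts_contacting(flows, dst):
    """Who else made a connection to the same external address?"""
    return sorted({src for src, d, _, _ in flows if d == dst})


if __name__ == "__main__":
    report = investigate(FLOWS, DNS, REPUTATION, DIRECTORY)
    for host, user, score in alarm_table(report):
        print(f"{host:12} {user:8} threat_index={score}")
        for kind, detail in report[host]["findings"]:
            print(f"    [{kind}] {detail}")
    print("also contacted 203.0.113.77:", hosts_contacting(FLOWS, "203.0.113.77"))
```

The point of the example is the pivot chain, not the numbers: the alarm carries a username, the findings explain why the index is high, and a single lookup answers the "who else went there" question without a fresh investigation.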

"Security analytics is becoming the primary defensive tool we have for discovering when breaches have occurred and shutting them down before massive damage is inflicted," said Richard Stiennon, chief research analyst for IT-Harvest.

Today’s bad actors are specialists. They are often well-funded attackers with the skills needed to evade most threat detection measures. Anti-virus, firewalls, SIEMs and the like are still solid security investments, but they don’t look for internal attacks the way that leveraging the network as a sensor can. Context Aware Security Analytics in the incident response system provides additional detection methods and quick access to the details needed to gain a solid foothold on every event investigated.
