6th March, 2020
If you enter ‘Big Data definition’ into any search engine, you will get the following result: ‘extremely large data sets that may be analysed computationally to reveal patterns, trends, and associations, especially relating to human behaviour and interactions’, or the Wikipedia result, which is ‘Big data is data sets that are so voluminous and complex that traditional data processing application software is inadequate to deal with them. There are three dimensions to big data, which are Volume, Variety and Velocity’.
Any data travelling into, moving around or travelling out of your network has the potential to be a cyber security risk. Differentiating between good and bad data for a network of any size is difficult and costly, and requires staff who are clued up on the very latest security tools, which in turn requires time and continued investment (precious and rare commodities in the Enterprise space).
At Telesoft we use powerful hardware-accelerated Flow Monitoring to inspect 100% of every packet of data moving through the network and generate un-sampled flow records at 100Gbps and above, i.e. taking in network data from many different sources to create readable, L7-enriched meta-data records.
We have put together a list of valuable use cases for metadata that every CISO should be considering:
USE CASE 1 – SSL
Secure Sockets Layer (SSL) is a protocol that encrypts a message between a sender and a receiver to avoid third-party snooping. It is an industry-standard cryptographic technology required to secure a connection between a web server and a remote browser. SSL attackers are frequently armed with a web server built from open source software (via OpenSSL) to conduct SSL transactions, allowing them to open a communications channel between their victim’s infected device and their own system.
Our solution: use our un-sampled flow monitoring probe to monitor SSL certificate exchanges on your network and use the resulting meta-data to identify infected endpoints.
USE CASE 2 – DNS
When it comes to the Domain Name System (DNS), it’s all about visibility, or the lack thereof. The DNS system works by ring-fencing and protecting your valuable Domain Controller. When a networked computer calls for a certain website, the Domain Controller will look up the website. However, because of the security surrounding the Domain Controller, it is very rare (and just bad practice) for it to go directly to the internet to make the request; it will instead route through a DNS server, which uses multiple layers of recursion to push the initial request to an internet-connected machine. This process is great but it does have a drawback, namely that the individual IP address of the requesting computer is hidden, as the DNS server logs will only show the IP address of the Domain Controller.
To solve this problem, analysts need to monitor traffic on a 1:1 basis, giving them full visibility of DNS-routed traffic. This allows them to use the resultant meta-data to track conversations between the Domain Controller and users, i.e. matching end-points to DNS requests.
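The matching described above, as an added example that is not Telesoft's code: with both legs of every DNS conversation visible (client to Domain Controller, Domain Controller to upstream resolver), each recursive query the Domain Controller sends can be attributed to the internal client whose query it forwards, by query name and arrival order within a short window. The Domain Controller address and the flow records are constructed assumptions.

```python
from collections import defaultdict, deque

DC_IP = "10.0.0.10"      # assumed address of the Domain Controller / internal DNS server
WINDOW_SECONDS = 2.0     # how long a client query can wait before we stop pairing it

# Constructed 1:1 DNS flow metadata (not real traffic): (timestamp, src_ip, dst_ip, query_name)
SAMPLE_DNS_FLOWS = [
    (100.00, "10.0.0.5", DC_IP, "updates.example.net"),
    (100.02, DC_IP, "198.51.100.2", "updates.example.net"),
    (100.10, "10.0.0.7", DC_IP, "login.example.org"),
    (100.11, "10.0.0.8", DC_IP, "login.example.org"),
    (100.12, DC_IP, "198.51.100.2", "login.example.org"),
    (100.14, DC_IP, "198.51.100.2", "login.example.org"),
    (105.00, DC_IP, "198.51.100.2", "telemetry.example.com"),  # no client leg: the DC's own lookup
]

def attribute_recursive_queries(flows, dc_ip=DC_IP, window=WINDOW_SECONDS):
    """For each DC->upstream query, return (query_name, client_ip) where client_ip is the
    internal host whose query to the DC it forwards, or None when no recent client query matches."""
    pending = defaultdict(deque)   # query_name -> queue of (timestamp, client_ip) awaiting an upstream leg
    attributed = []
    for ts, src, dst, qname in sorted(flows):
        if dst == dc_ip:
            pending[qname].append((ts, src))
        elif src == dc_ip:
            queue = pending[qname]
            while queue and ts - queue[0][0] > window:
                queue.popleft()        # stale: answered from cache or timed out, never forwarded
            client = queue.popleft()[1] if queue else None
            attributed.append((qname, client))
    return attributed

if __name__ == "__main__":
    for qname, client in attribute_recursive_queries(SAMPLE_DNS_FLOWS):
        print(f"{qname:25s} <- {client}")
```

The unmatched upstream query is reported with `None`, which is itself worth reviewing: the page's point is that without the client leg that lookup would be invisible.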
When talking about ‘Big Data’ in the past (we are talking 2 years ago here), you’d be talking about huge networks where you would expect lots of data, or a predictable surge caused by an unusual event in your network. But today, in 2018, data usage is such that the term ‘Big Data’ is no longer relevant. Here at Telesoft we would argue that all data is ‘big’, in terms of volume, variety of data types and the speed at which it moves around your network.
USE CASE 3 – HTTP
There are many forms of malware that may affect a device on your network, such as computer viruses, worms, Trojan horses, ransomware and spyware. These types of malicious software are designed to steal, encrypt, delete, alter, monitor, hijack or compromise devices without the user’s permission.
Hackers use a variety of means to spread malware and infect devices and networks. If you have an infected device on your network, it is likely sending repeated connection requests to dormant or non-existent domains and URLs and receiving 404 (Not Found) or 403 (Forbidden) HTTP status codes in return.
Our solution is to use meta-data to track and capture HTTP return codes; if a code is returned an unusually large number of times, this indicates that malware, rather than the user, is making the requests. Recognising this behaviour is key to catching malicious activity before it can disrupt your business or organisation’s daily operations.
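The return-code check described above, as an added example that is not part of the original post: it runs over constructed HTTP flow metadata records and flags clients whose 403/404 responses are numerous, make up most of their traffic and are spread across several hosts, which is the machine-driven pattern the text describes rather than a user clicking one broken link. The thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Constructed sample of L7-enriched HTTP flow metadata (not real traffic):
# (client_ip, requested_host, http_status_code)
SAMPLE_HTTP = [
    ("10.0.0.5", "intranet.example", 200),
    ("10.0.0.5", "docs.example", 200),
    ("10.0.0.5", "cdn.example", 404),          # a single broken link is normal user behaviour
    ("10.0.0.9", "dormant-a.example", 404),
    ("10.0.0.9", "dormant-b.example", 404),
    ("10.0.0.9", "dormant-c.example", 403),
    ("10.0.0.9", "dormant-d.example", 404),
    ("10.0.0.9", "dormant-e.example", 404),
    ("10.0.0.9", "intranet.example", 200),
]

ERROR_CODES = {403, 404}

def summarise_errors(records):
    """Per client: total requests, error responses and the distinct hosts that errored."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "error_hosts": set()})
    for client, host, status in records:
        entry = stats[client]
        entry["total"] += 1
        if status in ERROR_CODES:
            entry["errors"] += 1
            entry["error_hosts"].add(host)
    return stats

def flag_clients(records, min_errors=4, min_ratio=0.5, min_hosts=3):
    """Flag clients whose failed requests look machine-driven rather than user-driven:
    many 403/404s, a high error ratio, and failures spread across several hosts."""
    flagged = {}
    for client, entry in summarise_errors(records).items():
        ratio = entry["errors"] / entry["total"]
        if (entry["errors"] >= min_errors and ratio >= min_ratio
                and len(entry["error_hosts"]) >= min_hosts):
            flagged[client] = {"errors": entry["errors"], "ratio": round(ratio, 2),
                               "hosts": sorted(entry["error_hosts"])}
    return flagged

if __name__ == "__main__":
    for client, info in flag_clients(SAMPLE_HTTP).items():
        print(client, info)
```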
USE CASE 4 – DNS TUNNELLING
The Domain Name System (DNS) is often a target for misuse: hackers will use DNS tunnelling to disguise a malicious protocol among the tunnelled traffic. Generally DNS packets are permitted to move through the network unhindered, as DNS is a core function and has previously been seen as a relatively low security risk. Those who use DNS tunnelling for illegal gains rely on the fact that DNS is poorly monitored, or not often monitored at all (sampled traffic analysis). A DNS tunnel can be used for command and control, data exfiltration or tunnelling of any Internet Protocol (IP) traffic.
Detecting a DNS tunnel relies on your network administrators’ ability to visualise and baseline the entire network. Un-sampled flow monitoring allows you to take advantage of DNS meta-data to identify anomalies and outliers, for example unusual patterns of transmission requests, incorrect packet sizes or unexpected, newly observed DNS infrastructure that may indicate a compromise.
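Two of the outliers named above, worked as an added example that is not Telesoft's code: over constructed DNS metadata records it flags base domains that receive many distinct, long, high-entropy subdomain labels (the shape of a tunnel carrying encoded payload in query names) and lists DNS servers not in the baseline of known resolvers. The record layout, the baseline and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS metadata records (not real traffic):
# (client_ip, query_name, query_type, dns_server_ip, packet_bytes)
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com", "A", "10.0.0.53", 72),
    ("10.0.0.5", "cdn-assets-eu-west-node.example.com", "A", "10.0.0.53", 90),
    ("10.0.0.7", "zq8x2ma7kd4wp9vj3ne5ry6t.t.tunnel-example.test", "TXT", "10.0.0.53", 240),
    ("10.0.0.7", "b7h3ls0cgf1uqe9xk2mdwvn4.t.tunnel-example.test", "TXT", "10.0.0.53", 238),
    ("10.0.0.7", "r4tyu8ipo3lkj2hgf9dsa1mn.t.tunnel-example.test", "TXT", "203.0.113.9", 241),
    ("10.0.0.7", "x9cvb5nma2sdf7ghj4klq0we.t.tunnel-example.test", "TXT", "203.0.113.9", 239),
]
KNOWN_DNS_SERVERS = {"10.0.0.53"}   # assumed baseline: resolvers the network is expected to use

def label_entropy(text):
    """Shannon entropy in bits per character; encoded payloads score higher than hostnames."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Registrable-looking base: the last two labels (a simplification, not a public-suffix lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(records, min_subdomains=4, min_len=20, min_entropy=3.5):
    """Base domains that receive many distinct, long, random-looking leftmost labels."""
    per_base = defaultdict(set)
    for _client, qname, _qtype, _server, _size in records:
        labels = qname.rstrip(".").split(".")
        if len(labels) > 2:
            per_base[base_domain(qname)].add(labels[0])   # the leftmost label carries any payload
    flagged = {}
    for base, subs in per_base.items():
        random_looking = [s for s in subs if len(s) >= min_len and label_entropy(s) >= min_entropy]
        if len(random_looking) >= min_subdomains:
            flagged[base] = len(random_looking)
    return flagged

def new_dns_servers(records, baseline):
    """DNS servers seen in the metadata that are absent from the baseline."""
    return {server for _c, _q, _t, server, _s in records} - set(baseline)

if __name__ == "__main__":
    print("tunnel candidates:", find_tunnel_candidates(SAMPLE_DNS))
    print("unknown DNS servers:", new_dns_servers(SAMPLE_DNS, KNOWN_DNS_SERVERS))
```

The distinct-label count matters as much as the entropy score: a single long but readable hostname such as the CDN record above scores below the threshold and, alone, would never reach the count anyway.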
USE CASE 5 – DECAPSULATION
Data encapsulation is the process where network data is wrapped up and transmitted over a communication network. At the sender, one or more pieces of original data, which may already include routing headers and addressing information, is encapsulated and new headers added so that the data can be routed to the receiver. At the receiver end, the new header is used to unpack the original data from the encapsulated package.
Data decapsulation is simply the reverse of encapsulation: an incoming transmission (to be received by the destination computer) is unpacked as it moves up the protocol stack. However, the challenge for system analysts/administrators is that not enough of the data is unpacked to form a chain of events for a flow. Usually tunnelled data is grouped together as a whole, making inspection of individual flows impossible. A hardware-accelerated product like the 2x100GbE IP Flow Probe can parse the packets, then intelligently strip the outer header, process and load balance to avoid overloading software processes, allowing you to see valuable, detailed flow data inside the tunnel and track a potential cyber incident.
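What stripping the outer header buys you, as an added example that is not the IP Flow Probe's code: a small parser that peels IP-in-IP and GRE layers off a packet until a plain IPv4 packet remains, then reports the inner 5-tuple that a flow record would otherwise lose. The page does not name the encapsulation type, so IP-in-IP and GRE are assumptions, and the sample packet is constructed in code (checksums are left zero and not verified).

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_GRE = 4, 47
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header, no options

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header for constructed test packets (checksum left zero)."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) for the IPv4 header at the start of buf."""
    ver_ihl, _tos, _tl, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, (ver_ihl & 0x0F) * 4

def strip_tunnel(buf):
    """Strip one IP-in-IP or GRE layer -> ((outer_src, outer_dst), inner_bytes), or (None, buf)."""
    src, dst, proto, hlen = parse_ipv4(buf)
    if proto == IPPROTO_IPIP:
        return (src, dst), buf[hlen:]
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", buf[hlen:hlen + 4])
        if ptype != 0x0800:
            raise ValueError("GRE payload is not IPv4")
        # Optional GRE fields, 4 bytes each: checksum (C=0x8000), key (K=0x2000), sequence (S=0x1000)
        gre_len = 4 + sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
        return (src, dst), buf[hlen + gre_len:]
    return None, buf

def inner_flow(buf):
    """Peel tunnel layers until a plain packet remains; report the innermost 5-tuple."""
    tunnels = []
    while True:
        outer, rest = strip_tunnel(buf)
        if outer is None:
            break
        tunnels.append(outer)
        buf = rest
    src, dst, proto, hlen = parse_ipv4(buf)
    sport, dport = struct.unpack("!HH", buf[hlen:hlen + 4])  # TCP and UDP both start with the ports
    return {"tunnels": tunnels, "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

# Constructed sample: a UDP/53 packet from an internal host, carried inside a GRE tunnel with a key
_udp = struct.pack("!HHHH", 51515, 53, 8 + 11, 0) + b"constructed"
_inner = ipv4_header("10.0.0.7", "203.0.113.9", 17, len(_udp)) + _udp
_gre = struct.pack("!HHI", 0x2000, 0x0800, 0x42) + _inner
SAMPLE_GRE_PACKET = ipv4_header("192.0.2.1", "192.0.2.2", IPPROTO_GRE, len(_gre)) + _gre
```

Without the decapsulation step a flow record for this packet would show only 192.0.2.1 to 192.0.2.2 over GRE, hiding the DNS conversation inside.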