Sensor Feng-Shui and the Art of Metadata

by Jimmy Gaughan on January 17, 2020

In a previous blog, we discussed how sensor placement strategy is a key component of overall network visibility and analysis. While the last blog sought to establish a framework for approaching sensor placement (re)-evaluation, this blog will dive more into the technical details, use cases, and benefits that will follow that evaluation.

As discussed in the previous blog, sensors are essentially the eyes and ears of your network. The amount of useful information that they provide is directly dependent upon the positioning of those sensors within the network. For example, a sensor placed inside a network firewall is able to see only the traffic that is allowed past the firewall, or internal traffic that stays entirely within the firewall. However, it will not be able to see any traffic outside of the firewall due to access controls that may prevent visibility outside the network.

In order to establish holistic network traffic analysis (NTA) and data loss prevention (DLP) capabilities, organizations will have to consider the balance of their sensor placement. One useful way to think about this balance challenge is the concept of “Sensor Feng-Shui.”

Sensor Feng-Shui

Sponsorships Available

Feng-shui is an ancient Chinese philosophy that guides how environments are built, seeking to maximize harmony with natural forces. While there are many different schools of thought on how to properly execute feng-shui, most applications will center around an object’s orientation – whether in relation to doorways, natural elements, cardinal directions, etc. The concept of orientation and direction is a very useful one when it comes to network sensor placement strategy.

Ideally, sensors should be arranged in a manner that allows them to cover all possible attack vectors while using the fewest number of sensors possible in order to maximize visibility. This focus on minimizing the number of sensors used is vital to preventing information or alert overload, as too many sensors will generate redundant alerts that can quickly overwhelm analysts and prove counterproductive to the end-goal of speeding up detection and response capabilities. This becomes an optimization problem: how can you minimize the number of sensors while maximizing visibility. At the same time, organizations must orient sensors in relation to critical network assets, such as crown jewels, to promote both optimal and maximal visibility. This balancing act is the essence of ‘Sensor Feng-Shui.’

Traditionally, organizations have relied on perimeter defenses (to include firewalls, intrusion detection systems, intrusion prevention systems, and other network traffic analysis appliances) – sensors placed at the network perimeters with the objective of passive or active monitoring of traffic at the border. However, as networks have become increasingly distributed and more complex, this strategy has become far too risky and porous. Attackers that manage to evade detection at the early stages of an attack kill chain may have freedom to move undetected by the perimeter sensors. With the flaws of this traditional approach readily apparent, we have seen a shift in sensor placement strategy that seeks to maximize visibility, while reducing ambiguity around detecting events along the attack path on or near crown jewel assets.

However, simply evolving past perimeter-oriented defenses is not enough. Sensors are still typically configured to alert on potentially malicious traffic based on rules. While this may sound good in theory, it can quickly become another hindrance if sensors are not placed in locations to not only increase visibility but also to detect anomalies in proximity of assets that are vulnerable. As alerts grow in number, analysts are left to manually sort through hundreds, if not thousands, of potential false positives, redundant with other alerts, exhausting many human calories.

Therefore, one of the primary benefits of orienting sensors in accordance with the Sensor Feng-Shui philosophy is the ability to minimize alerts while simultaneously gaining actionable context from sensor-collected metadata. Proper sensor placement contributes to an ability to optimize time to focus on the events that matter thereby increasing the chances for teams to better defend their networks.

Fidelis Network Sensors and Metadata

Fidelis sensors promote full visibility bi-directionally on all ports and protocols. When placed in the right locations, they have the ability to monitor the network environment for activities that may indicate advanced threats, malware, and data theft. Fidelis sensors analyze network traffic, capture and store alerts and session data, and store non-selective network session metadata for retrospective analysis. The Fidelis Web Sensor will analyze all received content and can direct the external network device or web proxy to prevent web requests or replies or redirect the user away to informative policy violation web pages. Since many web proxies support the decryption of encrypted traffic, the Fidelis Web Sensor can receive decrypted web content over ICAP / S-ICAP for inspection. This enables the Web Sensor to analyze all web content — even over encrypted web sessions.

This is possible because of the Fidelis approach to metadata. Rich metadata is the DNA for security analysts and services to drive cross-session analysis, multi-faceted and behavior analysis. It provides content and context that are indispensable for post-breach detection and responding to advanced threats and data theft or loss. Structured and enhanced metadata are also the basis for machine learning models within specific use cases. Metadata is information about other information and can capture 90 percent of the data captured by PCAP for about 20 percent of the expense to store it. Imagine having 10,000 recorded phone calls – you could listen to them tirelessly to learn details, however, even better would be to quickly grasp the critical info from those messages (e.g. the who, what, when, where, how) , including specific tags about the content and context to quickly query and investigate.

From Theory to Practice

As previously stated, one of the biggest benefits organizations receive from executing sensor placement in accordance with the Sensor Feng-Shui philosophy is the ability to capture and correlate data from disparate sensors that might not have been able to communicate otherwise. To illustrate this, let’s look at a case study from a leading law firm that sought to protect sensitive client data related to mergers and acquisitions, financial results, executive changes, and other data that is a prime target for attackers. Their biggest challenge was figuring out how to simultaneously compare historical security activity on the network against the current real-time data.

Following an initial assessment, the law firm was pleased to find that Fidelis provided them with an unprecedented level of visibility, which enabled them to analyze network packets and sessions, both in real-time and retrospectively; spanning all ports, protocols and systems 24/7.

The primary benefits achieved by doing so were:

Reducing the time it takes to detect and resolve incidents: Fidelis enables security analysts to move from alert to investigation using a simple interface, quickly receive relevant information and apply threat intelligence to network data.
Correlating seemingly unrelated network activity and behavior: By applying automated hunting and security analytics to retrospective metadata gathered on every network session, analysts can correlate seemingly unrelated network activity.
Identifying and stopping advanced targeted attacks as they are beginning: By quickly identifying malicious behavior including activity in network metadata, command and control activity and lateral movement, analysts can stop data theft before it takes place.

If you would like to learn more about the benefits of holistic visibility and rich metadata, please read more in our white paper, See More Across Your Environment: Align Visibility for Post-Breach Detection and Response.