We recently announced the latest version of the Bricata Network Security platform. This update adds powerful support for the MITRE ATT&CK framework, support for high-density data nodes to improve storage and scalability, alert grouping for streamlined management and response, support for virtualization on Amazon Web Services (AWS), and more.
“We’re committed to using the MITRE ATT&CK framework in our solution and will continue to build out this portion of our product experience,” said Bricata CPO Andre Ludwig. “We’re also constantly refining our platform to make our UI more intuitive and our workflows more goal-oriented. The most recent updates dramatically simplify security operations center (SOC) analysts’ workflows that enable analysts to focus on what should matter most – investigating alerts, proactively hunting for threats, and keeping the business network secure.”
Bringing the MITRE ATT&CK Framework into Bricata
A highlight of this release is the addition of BZAR scripts (Bro/Zeek ATT&CK-based Analytics and Reporting) that give security analysts additional context around alerting and network metadata as they align to the MITRE ATT&CK framework. These scripts produce alerts on network traffic that matches the techniques in the ATT&CK knowledge base. This helps analysts understand what malicious activity on their network is trying to accomplish (i.e., which alerts indicate an attempted privilege escalation, what alerts indicate lateral movement, etc.).
These scripts also produce metadata that security analysts can use in investigations and threat hunts. For example, a SOC analyst could run queries to show all MITRE recon attack attempts on their network from the past two days.
Improved Storage and Scalability
Another major addition in this release is support for high-density data nodes. This allows customers to store and query more network metadata and makes it easier to scale their storage space up as needs change. More storage space gives security analysts a larger window into the past (up to 90 or 120 days depending on hardware specifications) for threat hunting and/or forensic investigation. For customers that need long-term metadata storage, high-density data nodes offer a simple and powerful solution.
Making Analyst’s Difficult Work a Little Easier
Security analysts have difficult jobs, and in the latest version of the Bricata Network Security platform, we’re doing everything we can to make them easier. This includes additional capabilities designed to help simplify analyst’s workflows, such as:
- Alert Grouping – Bricata now supports grouping of alerts based on type and will present alert groups rather than each individual alert when appropriate. This significantly reduces the volume of alerts an analyst needs to parse and speeds up alert investigations.
- Customizable Dashboards – Users can now create custom dashboards in the central management console (CMC) using a variety of widgets. This allows analysts to focus on the information most useful to their network environment.
- Added “x-forwarded-for” to Alert Filters – This capability, which is unique to Bricata, allows customers that have complex environments with multiple proxies to quickly identify the source of traffic through those proxies. Most tools normally only identify the last hop, but this new analytic helps customers with complex networks get added visibility into the origin point of important traffic. This helps security teams maintain visibility into their entire environment.
- Task-based PCAP Retrieval – Users can now download packet captures based on specific alerts and filters and get notified when the system has retrieved this valuable network traffic for them. This allows an analyst to continue with their prior workflow when retrieving a PCAP or SmartPCAP and download the PCAP when it is ready.
- Integration with the Cuckoo Sandbox – Bricata users now have the option to double-check suspicious files by easily sending them to the Cuckoo Sandbox, a leading open-source malware analysis system, to be detonated and analyzed in a secure, isolated environment. This is a useful way to reduce false positives and “tune” automated threat detection scripts and policies.
- SNMP Support – Users can now import and configure SNMP support on all appliance models via the CMC GUI.
- Support for Data Nodes on AWS – Bricata’s data collection sensors now run on AWS, so customers can deploy the entire network security platform in a virtualized environment.
Other updates in this release include improved system health reporting; TLS and FPS support; improved PCAP management; metadata and alert filters; system auditing capabilities; internal component upgrades; improved search against alerts; and more.
Bricata’s network protection solution for enterprises provides full-spectrum threat detection, network visibility, threat hunting and facilitates post-detection response in a single platform that is easy to deploy in the cloud, on-premises or in hybrid environments. The solution gives organizations contextual insight into everything transpiring on their networks that enable faster threat response to defend and secure their business.
To see the latest version of Bricata’s solution in action, you can request a demo here.
*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at: https://bricata.com/blog/product-workflow-improvements/