IT security analysts have a tough job and it’s getting tougher every day. Not only is the number of pieces of hay in the haystack getting bigger, the number of needles in the hay is also growing. NetCitadel aims to address this challenge with a new Threat Management Platform that consolidates event information from numerous sensors, supplements that data with contextual information about incidents, and automates responses across security devices.
Andreas Rohr is the head of strategic information security for a division of a large global energy conglomerate. Like most CISOs, Rohr is seeing an increase in the number of attempted attacks. And like other enterprise organizations, his company has implemented a number of sensors, or detection devices, to help his IT security team monitor activities, receive alerts and respond appropriately when a suspicious event occurs.
In addition to the classical IDS sensors already deployed, his company also uses next-generation firewalls that are user- and content-aware, as well as threat detection appliances built to catch more complex attack vectors.
These devices generate events from different corners of the network and the network perimeter, according to Rohr. His security analysts watch continuously for events and alerts, and then act on each event manually. First an analyst determines whether the event is a false positive or the real thing and assigns a priority for a response action.
Depending on the event, the analyst might need more context to decide how to respond. For example, if an appliance alerts that an end user has just downloaded malware onto his PC, the security specialist likely needs to collect more information about that incident. Who is the user? What is his job role? Where is the PC located? How is it configured?
Gathering the contextual information takes time, but it’s necessary in order to decide on an appropriate response. What’s more, probing the user’s PC too deeply might create privacy issues for this European company. Rohr’s company isn’t unique in its approach to threat detection and response: many enterprises rely heavily on the knowledge and expertise of their security analysts, and on the manual investigations those analysts carry out.
Is there a better way to do this—perhaps to eliminate some of the manual work and speed up the response process? Rohr went searching. What he came across is the NetCitadel Threat Management Platform (currently in beta test). This solution works hand-in-hand with threat detection sensors such as firewalls, web proxies, IDS/IPS, SIEMs and other devices to add on an automated context layer as well as an automated enforcement layer to security events.
The NetCitadel Threat Management Platform collects event information from the other sensor devices. It differs from a SIEM (Security Information and Event Management) solution in that NetCitadel focuses on automating the process of building the context around a security event, and on automating a set of standardized, repeatable responses that can be deployed across multiple enforcement devices. The idea is to reduce the manual tasks required of the security analyst and speed up the response.
The Threat Management Platform leverages the existing security infrastructure, including those devices that are not in-line on the network. Although such devices are good at identifying potential threats, they often lack sufficient context to allow security analysts to take immediate action. NetCitadel plugs this gap by automatically collecting all sorts of useful data about and around the incident to make it easier for the security analyst to do his job.
Consider the example above where a user is suspected to have downloaded malware. NetCitadel automatically drops an on-demand forensics agent on that PC in order to pull machine data and to look for indicators of compromise (IOCs). At the same time, NetCitadel queries Active Directory to collect information about the end user; pulls logs to see what the user was doing at the time of the suspected infection; checks the reputation of the domain or IP address of the command-and-control server that the PC is being directed to; consults VirusTotal to learn which AV engines detect the suspected malware; and so on.
The platform builds context from numerous sources beyond the original detection devices. These are the tasks that a security analyst would normally do manually, but NetCitadel does them automatically and has the information pre-fetched and waiting for the analyst’s assessment.
The platform has an event handler, which is where the sensor devices and the other data sources send their information. NetCitadel puts the information in a common format. An analytics engine correlates, analyzes and prioritizes the information to distill it down so that security analysts can take quick action.
The Threat Management Platform performs responses across existing security devices and systems. For example, the incident alert might prompt NetCitadel to elevate the logging around that user and his PC; restrict access to financial applications but not other corporate applications; and open a ticket with the help desk to reimage the user’s PC. The responses can be automated or reviewed by an analyst before execution. The Threat Management Platform learns over time what responses are commonly taken for a particular type of event, and then suggests those responses the next time a similar event occurs.
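The three stages described above (normalize sensor events into a common format, pre-fetch context from directory, inventory, reputation and AV sources, then prioritize and suggest the responses analysts usually took before) can be sketched in a few dozen lines. The following is an added illustration written for this article, not NetCitadel code; every data source it consults (the directory, host inventory, reputation feed, AV results and response history) is a constructed in-memory stand-in for the real Active Directory, CMDB, reputation service, VirusTotal and ticketing history, and the scoring thresholds are assumptions chosen for the example. Note the audit list: each lookup is recorded, which is the kind of trail a privacy review will ask for.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the context sources the platform would query.
DIRECTORY = {"jdoe": {"role": "accounts payable clerk", "dept": "finance", "site": "Hamburg"}}
HOSTS = {"10.1.2.3": {"hostname": "HH-WS-0412", "os": "Windows 7 SP1", "owner": "jdoe"}}
REPUTATION = {"203.0.113.5": {"category": "c2", "confidence": 95}}
FAKE_SHA256 = "e3b0c442" * 8  # constructed hash, not a real sample
AV_RESULTS = {FAKE_SHA256: {"detections": 41, "engines": 56}}
HISTORY = [  # (incident category, response taken) pairs from earlier cases
    ("malware_download", "elevate_logging"), ("malware_download", "reimage_ticket"),
    ("malware_download", "elevate_logging"), ("malware_download", "block_c2"),
    ("malware_download", "restrict_finance_apps"), ("malware_download", "elevate_logging"),
    ("port_scan", "elevate_logging"),
]

@dataclass
class Event:
    sensor: str
    category: str
    host_ip: str
    remote_ip: str
    user: Optional[str] = None
    sha256: Optional[str] = None

@dataclass
class Incident:
    host_ip: str
    remote_ip: str
    category: str = "unknown"
    user: Optional[str] = None
    sha256: Optional[str] = None
    sensors: list = field(default_factory=list)

def normalize(raw: dict) -> Event:
    """Event handler: map each sensor's own field names onto the common schema."""
    if raw["sensor"] == "ids":
        cat = "malware_download" if "TROJAN" in raw["signature"].upper() else "ids_alert"
        return Event("ids", cat, raw["src_ip"], raw["dst_ip"], sha256=raw.get("sha256"))
    if raw["sensor"] == "proxy":
        cat = "malware_download" if raw["verdict"] == "malware" else "web_request"
        return Event("proxy", cat, raw["client_ip"], raw["server_ip"], raw["user"], raw.get("sha256"))
    raise ValueError(f"unknown sensor type: {raw['sensor']}")

def correlate(events):
    """Fold events sharing (host, remote peer) into one incident; each sensor fills gaps."""
    incidents = {}
    for ev in events:
        inc = incidents.setdefault((ev.host_ip, ev.remote_ip), Incident(ev.host_ip, ev.remote_ip))
        inc.sensors.append(ev.sensor)
        inc.user = inc.user or ev.user
        inc.sha256 = inc.sha256 or ev.sha256
        if ev.category == "malware_download":
            inc.category = "malware_download"
    return list(incidents.values())

def enrich(inc: Incident, audit: list) -> dict:
    """Pre-fetch context; every lookup is logged so the case file shows what was touched."""
    ctx = {}
    if inc.host_ip in HOSTS:
        ctx["host"] = HOSTS[inc.host_ip]
        audit.append(f"inventory:{inc.host_ip}")
        inc.user = inc.user or ctx["host"]["owner"]
    if inc.user in DIRECTORY:
        ctx["user"] = DIRECTORY[inc.user]
        audit.append(f"directory:{inc.user}")
    if inc.remote_ip in REPUTATION:
        ctx["reputation"] = REPUTATION[inc.remote_ip]
        audit.append(f"reputation:{inc.remote_ip}")
    if inc.sha256 in AV_RESULTS:
        ctx["av"] = AV_RESULTS[inc.sha256]
        audit.append(f"av:{inc.sha256[:12]}")
    return ctx

def prioritize(inc: Incident, ctx: dict):
    """Score from the pre-fetched context; weights and thresholds are illustrative."""
    score = 0
    if ctx.get("reputation", {}).get("category") == "c2":
        score += 40
    if "av" in ctx:
        score += min(30, ctx["av"]["detections"])
    if ctx.get("user", {}).get("dept") in {"finance", "it"}:
        score += 20
    if inc.category == "malware_download":
        score += 10
    return score, ("high" if score >= 70 else "medium" if score >= 40 else "low")

def suggest_responses(category: str, history=HISTORY, top: int = 3):
    """Propose the responses analysts most often took for this category in past cases."""
    counts = Counter(resp for cat, resp in history if cat == category)
    return [resp for resp, _ in counts.most_common(top)]

def handle(raw_events):
    """Full pipeline for a batch of raw sensor events."""
    results = []
    for inc in correlate(normalize(r) for r in raw_events):
        audit = []
        ctx = enrich(inc, audit)
        score, level = prioritize(inc, ctx)
        results.append({"incident": inc, "context": ctx, "score": score, "priority": level,
                        "suggested": suggest_responses(inc.category), "audit": audit})
    return results

# Constructed sample input: the same download seen by an IDS and by the web proxy.
RAW_EVENTS = [
    {"sensor": "ids", "signature": "ET TROJAN Generic downloader checkin",
     "src_ip": "10.1.2.3", "dst_ip": "203.0.113.5"},
    {"sensor": "proxy", "client_ip": "10.1.2.3", "server_ip": "203.0.113.5",
     "user": "jdoe", "verdict": "malware", "sha256": FAKE_SHA256},
]

if __name__ == "__main__":
    for r in handle(RAW_EVENTS):
        print(r["priority"], r["score"], r["incident"].category, r["suggested"], r["audit"])
```

Two points worth noticing when reading it. The IDS event carries no username and the proxy event carries no signature, so neither alone gives the analyst a picture; correlation on (host, remote peer) is what turns two alerts into one incident with both. And the suggestion step is deliberately a frequency count over past responses rather than anything cleverer: a suggestion is only useful if the analyst can see why it was made, which is also why the responses in a real deployment should stay subject to review before execution.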
The result is far less time spent on manual activities and the ability to respond more quickly. Since the analyst’s time is valuable, he is relieved of the burden of manually pulling much of the information he needs to make better decisions.
The NetCitadel Threat Management Platform is in beta tests as I write this, with general availability scheduled for December 2013. Andreas Rohr has been testing the platform for about a month and says the benefits he sees are threefold. First, the integrated capabilities of the platform to turn different sensor information into action save time for the security analysts. Second, the platform’s audit trail improves the ability to prove compliance with privacy mandates when investigating cases. And third, the platform provides a consistent, more automated way to respond to incidents.
As companies deploy more types and numbers of threat detection devices to monitor personal devices, corporate endpoint devices, data center servers, and everything in between, the need for a consolidating solution like the NetCitadel Threat Management Platform will grow.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp. (http://www.essential-iws.com), which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.