The Value of a Network Sensor
Pondurance
November 22, 2024
As the cybersecurity world evolves, organizations are increasingly reliant on technology and devices such as network sensors to protect their digital environments. Network sensors measure network performance, connectivity, and service availability, and they provide real-time and historical data for network administrators. These valuable devices also actively monitor network traffic for unusual activity and potential threats and trigger alerts on those activities and threats.
A network sensor provides three core functions: generating security alerts, providing metadata, and enabling full packet capture to identify malicious activity. Though all three functions are important, the metadata component is key to fully understanding what’s happening on a network.
In a recent webinar, Erik Mogus, Director of Product Management at Pondurance, discussed the role of the network sensor and explained how metadata gives context to an event and provides alert enrichment for security operations center (SOC) analysts.
Context
The more data points that analysts have, the better decisions the analysts can make. And better decisions from the analysts can lead to the generation of better tickets. Erik believes that the litmus test on the criticality of an alert ticket is: “Do I wake somebody up at 3 in the morning to notify them of this?” To make the determination about whether to wake a client, it’s important to understand the context — the who, what, where, when, and how — of the data.
At Pondurance, the SOC team can integrate network data across endpoint detection and response (EDR) solutions, logs, or clouds. An EDR alert is sent when an action is malicious but not blocked. The metadata — which describes what happened two minutes before the event, during the event, and two minutes after the event — provides the context to determine the event’s significance. Metadata is also collected for logs and clouds, with an alert sent for suspicious and malicious activity for host events. If there’s an alert on an EDR, log, or cloud, the team can pull the metadata into that specific case and efficiently leverage it to understand the significance of the event.
Alert enrichment
The combination of an alert and metadata can create “enriched alerts” for clients. To illustrate the value of metadata, Erik used the example of a malicious domain detection, where a user clicks a link in a phishing email that points to a known bad domain and an alert is generated indicating that the user has clicked a malicious domain. However, a typical alert does not tell the SOC analyst whether something meaningful has occurred as a result of the user’s action. The analyst needs the combination of the alert and the metadata to reveal the bigger picture.
Erik explained that SOC analysts need to know the answers to several questions to better understand the relevance of a malicious domain detection event. Which domain name did the host attempt to resolve? Did the domain name resolve? Did the host successfully connect? How did the host behave after connecting? Why else might this event have occurred? Where is this event occurring across all clients? A typical alert can sometimes answer these questions, but when an enriched alert is generated, the analyst can always find the answers.
With metadata, the SOC team can track the full event from minutes before, during, and minutes after the event to determine if something bad happened and the significance of it.
“If we see this event, and we see the domain did resolve, the host did connect to it, the host did download traffic from that IR (incident response), and it’s spraying the inside of your network, we’re pretty confident something very bad is happening,” said Erik. “Without that network metadata, it’s almost impossible to be able to put all of that together to determine what the criticality of that event is.”
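The enrichment workflow described above, as an added example that is not Pondurance's code or part of the webinar: it pulls the DNS and connection metadata from the two-minute window around a malicious-domain alert, answers the analyst's questions (did it resolve, did the host connect, what did it do afterwards), and turns the answers into a triage verdict. All records, field names and thresholds are constructed assumptions.

```python
# Added example (not Pondurance's code): enrich a malicious-domain alert with
# network-sensor metadata from the +/-2 minute window the text describes.
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)

def t(s):
    return datetime.fromisoformat("2024-11-22T" + s)

# Constructed sample metadata: DNS queries and connections seen by the sensor.
DNS = [
    {"time": t("03:00:05"), "host": "ws-17", "query": "bad.example", "answer": "203.0.113.9"},
]
CONNS = [
    {"time": t("03:00:06"), "host": "ws-17", "dst": "203.0.113.9", "state": "established", "bytes_in": 48000},
    *({"time": t(f"03:00:{20 + i:02d}"), "host": "ws-17", "dst": f"10.0.0.{i}", "state": "attempt", "bytes_in": 0} for i in range(1, 7)),
]
ALERT = {"time": t("03:00:04"), "host": "ws-17", "domain": "bad.example"}

def enrich(alert, dns=DNS, conns=CONNS):
    """Answer the analyst's questions: did the domain resolve, did the host
    connect, and what did the host do in the minutes afterwards?"""
    lo, hi = alert["time"] - WINDOW, alert["time"] + WINDOW
    def in_window(r):
        return lo <= r["time"] <= hi and r["host"] == alert["host"]
    queries = [r for r in dns if in_window(r) and r["query"] == alert["domain"]]
    resolved = {r["answer"] for r in queries if r["answer"]}
    to_domain = [c for c in conns if in_window(c) and c["dst"] in resolved]
    established = [c for c in to_domain if c["state"] == "established"]
    # Distinct internal (10/8) destinations contacted after the first connection
    after = Counter()
    if established:
        first = min(c["time"] for c in established)
        for c in conns:
            if in_window(c) and c["time"] > first and c["dst"].startswith("10."):
                after[c["dst"]] += 1
    return {"queried": bool(queries), "resolved_to": sorted(resolved),
            "connected": bool(established),
            "bytes_downloaded": sum(c["bytes_in"] for c in established),
            "internal_hosts_after": len(after)}

def criticality(e, spray_threshold=5):
    """Turn the enriched answers into a wake-up decision (assumed thresholds)."""
    if e["connected"] and e["bytes_downloaded"] > 0 and e["internal_hosts_after"] >= spray_threshold:
        return "critical"        # resolved, connected, downloaded, spraying inside
    if e["connected"]:
        return "high"
    return "low" if e["queried"] else "informational"
```

Run with the sample data, the alert comes back "critical"; the same alert with no connection records drops to "low", which is the difference between a wake-up call and a morning ticket.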
Conclusion
Cybersecurity continues to evolve, and network sensors are increasingly valuable devices for detecting activity and threats on the network. Learn more about Pondurance’s network sensor and the criteria that Erik and SOC analysts use to determine what activity and threats warrant a middle-of-the-night wake-up call. Watch the video.