Packet Logging and File Carving
Being able to go back and look at the payloads or files transmitted on a network is extremely useful for several reasons:
- If you do not have the payload, you cannot really prove malicious intent, and legally you are on the hook.
- Payloads/Files are the ultimate forensic tool to decide if a particular incident is a false positive or a true positive.
- In more advanced systems, payloads can also be used to find false negatives (things that should have caused a security event but did not).
Obviously logging all data transferring on a network is challenging because disk space is limited and disks are relatively slow.
The MetaFlows Security System Logging Approach
Our overall approach to overcoming these logging limitations is:
- We store Payloads/Files that are associated with a specific security alert (using the time and the source/destination addresses and ports for identification)
- When logging proactively (to also see Payloads/Files that do not involve a security alert), keep the disk at or below 90% utilization, or below a configured number of Gigabytes, by deleting the oldest logs first.
This scheme gives you certainty of access if there is an incident and a time window to go back in time to look for certain things that might have been overlooked.
The logging and file carving system has been vastly improved by the following:
- We now index the packets based on IP addresses using a proprietary approach. Instead of looking for particular packets in one big bucket full of files, the files are divided into smaller buckets, each representing a subset of the addresses. This indexing scheme slows down packet logging a bit but makes looking for packets about 200 times faster!
- We added the ability to specify user-defined logging policies. Once a policy hits, the logging system prioritizes all packets for the matching policy and stores the Files/payloads in a separate high-priority repository which takes precedence over the normal logging. We will make a separate announcement on the policy specification because it is quite powerful and complex, and requires a dedicated post. For now, the only logging policy is to prioritize any packets involved in high priority events. In the future users will be able to customize more precise ad-hoc policies based on IP addresses, ports, and type of alerts.
The new carving system is backward compatible and automatically converts the existing packet logs stored on the sensor hard drive to the new indexing scheme. This process can take from a few minutes to days depending on your disk size. While this conversion takes place, queries on older logs may not return any data.
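The retention and lookup scheme described above, as an added illustration written for this post and not MetaFlows code: the bucket count, the hash-based bucket function, the byte quota and the single "high-priority alert" policy are assumptions standing in for the proprietary approach. Records are indexed into buckets by address so a query scans only one bucket, normal records are expired oldest-first once the store exceeds its quota, and policy matches go to a separate repository that the normal-log quota never touches. Hashing the packed address bytes means IPv4 and IPv6 addresses are indexed the same way.

```python
"""Toy model of an address-bucketed packet log with quota-based retention.

Added example, not MetaFlows code. Assumptions: NUM_BUCKETS, the SHA-256
bucket function, a byte quota instead of a disk-percentage check, and a single
policy that treats any record with priority > 0 as a high-priority alert.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib
import ipaddress

NUM_BUCKETS = 16  # assumption: kept small so the example stays readable


@dataclass(frozen=True)
class PacketRecord:
    ts: float          # capture time (seconds)
    src: str           # source address, IPv4 or IPv6 text form
    dst: str           # destination address
    sport: int
    dport: int
    payload: bytes     # the carved payload/file bytes
    priority: int = 0  # assumption: > 0 means a logging policy matched


def bucket_for(addr: str) -> int:
    """Map an IPv4 or IPv6 address to a bucket index by hashing its packed bytes."""
    packed = ipaddress.ip_address(addr).packed
    digest = hashlib.sha256(packed).digest()
    return int.from_bytes(digest[:4], "big") % NUM_BUCKETS


class PacketStore:
    def __init__(self, quota_bytes: int):
        self.quota_bytes = quota_bytes
        self.records = {}                 # record id -> PacketRecord (both repositories)
        self.index = defaultdict(set)     # bucket -> ids of records touching that bucket
        self.normal_order = deque()       # ids of normal-priority records, oldest first
        self.normal_bytes = 0             # bytes held by the normal repository
        self.high_bytes = 0               # bytes held by the high-priority repository
        self._next_id = 0

    def log(self, rec: PacketRecord) -> int:
        """Store a record, index it under both of its addresses, then enforce the quota."""
        rid = self._next_id
        self._next_id += 1
        self.records[rid] = rec
        for b in {bucket_for(rec.src), bucket_for(rec.dst)}:
            self.index[b].add(rid)
        if rec.priority > 0:
            # Policy hit: separate repository, never expired by the normal quota.
            self.high_bytes += len(rec.payload)
        else:
            self.normal_order.append(rid)
            self.normal_bytes += len(rec.payload)
            self._expire()
        return rid

    def _expire(self) -> None:
        """Delete the oldest normal records until the normal repository fits the quota."""
        while self.normal_bytes > self.quota_bytes and self.normal_order:
            rid = self.normal_order.popleft()
            rec = self.records.pop(rid)
            self.normal_bytes -= len(rec.payload)
            for b in {bucket_for(rec.src), bucket_for(rec.dst)}:
                self.index[b].discard(rid)

    def lookup(self, addr: str, since: float = None, until: float = None) -> list:
        """Return records involving addr in a time window, scanning only addr's bucket."""
        hits = []
        for rid in self.index[bucket_for(addr)]:
            rec = self.records[rid]
            if addr not in (rec.src, rec.dst):   # other addresses share the bucket
                continue
            if since is not None and rec.ts < since:
                continue
            if until is not None and rec.ts > until:
                continue
            hits.append(rec)
        return sorted(hits, key=lambda r: r.ts)


def demo() -> PacketStore:
    """Constructed traffic: the 64-byte quota forces the oldest normal record out."""
    store = PacketStore(quota_bytes=64)
    store.log(PacketRecord(1.0, "10.0.0.5", "203.0.113.9", 51234, 80, b"GET /a " * 4))      # 28 B
    store.log(PacketRecord(2.0, "10.0.0.6", "2001:db8::1", 51235, 443, b"\x16\x03\x01" * 8))  # 24 B
    store.log(PacketRecord(3.0, "10.0.0.5", "198.51.100.7", 51236, 8080,
                           b"POST /x " * 5, priority=1))                                   # 40 B, high priority
    store.log(PacketRecord(4.0, "10.0.0.7", "203.0.113.9", 51237, 80, b"GET /b " * 4))      # 28 B -> 80 B, expire ts 1.0
    return store


if __name__ == "__main__":
    s = demo()
    for r in s.lookup("10.0.0.5"):
        print(r.ts, r.src, r.dst, r.priority)
```

After `demo()` runs, the only surviving record for 10.0.0.5 is the high-priority one from ts 3.0: the earlier normal record was expired to make room, while the policy match was kept regardless of the quota. That is the "certainty of access if there is an incident" property from the post, with the normal repository giving a rolling look-back window whose length depends on the quota and traffic rate.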
Many organizations are transitioning to IPv6 because it allows the address space to be managed more easily. One thing is for sure, hackers are on top of it; they are already serving Malware from IPv6-capable servers! It is therefore imperative that all the security software be IPv6 capable in order to avoid glaring security holes.
When it comes to IPv6 most people put the blinders on. Most security policies really just ignore it because it is not mainstream. But you can be sure that whatever is being ignored can be used against you. IPv6 tunnels are proliferating and usually not monitored at all. They can easily be used as a data exfiltration super-highway out of your network.
The MetaFlows Security System can now work on both IPv4 and IPv6, without gaps in your security.
The attack on credit card numbers through Target has made many realize that network security, malware, and password protection need to be taken more seriously. According to the article below, the two major factors in this data breach were 1. undetected malware that was able to scan credit card numbers in real time, and 2. simple/default passwords that were never updated (especially not in accordance with PCI regulations). Both of these issues have seemingly easy fixes: For the Malware, get something that uses not just signature but behavioral detection and gives analysts real-time analysis (oh hey, what do you know, the MetaFlows Security System does all that, and more!). For the passwords it is a bit trickier. This requires staff training and individual memories the size of elephants in order to remember the hundreds of passwords we use nowadays. But with some staff education on the importance of keeping passwords up to code, and perhaps some mnemonic tricks, the world can be a safer place.
The researchers from the article below “…expect their findings to be beneficial to enterprises and other organizations in developing the next layer of defense.”
The next layer of defense is already here. The MetaFlows Security System uses behavioral analysis (along with the traditional signature detection) in order to catch even the stealthiest of Malware. It can even catch things that were in the network before it was deployed!
Read the TechNewsWorld article below to find out more about why, regardless of company size, having the most intelligent network protection is key. Then go to www.metaflows.com to find out how to get the most intelligent network protection.
Malware is not new and yet ever-evolving. Companies need to strengthen security practices and tools in order to stay ahead, or at the least, stay in the game! With attacks and costs sharing a rising trajectory, information security should be at the top of every IT director’s list. Read about it from the perspective of a CSO:
Malware: War without End
Find out how the MetaFlows Security System is keeping steady in the war against Malware and defeating enemies with innovative and cost efficient technology!
The City of London underwent a massive cyber attack, on purpose! In a great feat of preemptive security, hundreds of people, from hackers to holy grail financial institutions, participated in a collaborative attack to test various organizations' and government institutions’ preparedness. More cities and organizations should be testing their mettle in such a way.
See how the MetaFlows Security System can put your network to the test. Find out what you are not seeing in our Free 14 Day Trial.
In a world where, increasingly, EVERYTHING is linked together by internet, bluetooth, and technology at large, security is of the utmost importance. However (and who is to say whether we choose ignorance as bliss or are just too trusting), many do not even realize how much of their private lives are basically on a buffet table at a party hosted by the Internet.
An interesting look at the expansion and effects of “The Internet of Things.”
Insecurity and the Internet of Things Part 1: Data, Data Everywhere
Global Enterprise Solution
The MSS Global Enterprise (MSS GE) is a complete turn-key security system intended for large Enterprise or Government networks, and includes advanced Malware/Botnet detection, Intrusion Prevention, Log Management/SIEM, and integrated vulnerability assessment. The MSS GE controller can be deployed either as a high performance Appliance (starting at 1200 Events/Second) or as an Amazon EC2 instance (AMI). The MSS GE sensors can be easily provisioned on off-the-shelf hardware (up to 10 Gbps per sensor) running Linux CentOS/RedHat, high-performance Appliances, VMware or on Amazon EC2.
Web Security Console
- Real Time SIEM, Flow & Log management
- Multi-user Online Collaboration
- One-click Remediation
- Highly Customizable
MSS GE Controller
- Deploy as an Appliance or as an Amazon EC2 Instance
- Predictive Event Correlation quickly finds Malware
- Centralized Sensor Provisioning
Daily Intelligence Feeds
- Behavioral Malware Detection
- Zero-day/APT Intelligence
- Vulnerability Scanning
- Geo-location Intelligence
False Positives are the thorn in the backside of every IT security professional. The following article does a good job of breaking them down and explaining some of their greater risks.
The Impact of False Positives
False Positives are all but eliminated by the MetaFlows Security System. A fact that seems too good to be true, but is made totally possible by innovative technology!
No, UPS does not have a package waiting for you and that prince in Nairobi does not really want to give you $50,000, no matter how well thought out his plan is.
The article below details how, with just a bit of training, even your typical end-user can become more savvy and avoid those pesky phishing emails, thus saving your network from nonsense.
Reengineering Human Behavior Can Foil Phishing
Find out how the MetaFlows Security System, by utilizing Network Level AntiVirus and an Internal File Carver, can notify on and prevent pesky phishing scams.