How Metadata Became a Security Superpower at Gigamon

Principal Information Security Engineer
Gigamon

Gigamon on Gigamon: Learn how we leverage the power of metadata to proactively, intelligently and efficiently defend our own networks.

Network data is growing in volume, speed and variety. It seems to be everywhere – in our data centers, remote offices, virtual machines (VMs), hosted in the cloud. Does this sound familiar? No wonder it’s getting harder and harder to stay on top of cybercrime.

Under today’s conditions, detecting good traffic from bad is not only costly, it’s become almost impossible to do. According to a recent survey by independent market research firm, Vanson Bourne, 72 percent of IT decision-makers haven’t scaled their network infrastructure to address growth in data volume, and more than two-thirds say that network blind spots are a major obstacle to data protection.

For most InfoSec teams, there’s simply too little time and too few resources available to efficiently correlate the information needed to make accurate predictions on potential security threats. As an InfoSec engineer myself, I can certainly relate.

But, what’s the answer?  In my experience, leveraging metadata can solve many of these problems.

Several years ago, here at Gigamon, we decided to augment our packet-based monitoring tools – which were overwhelmed with the volume of traffic – with metadata analysis using our own Gigamon Visibility Platform. Yes, we drink our own champagne! This allows us to triangulate on threats in a more intelligent, efficient way.

Making this transition has resulted in major benefits to our business:

  1. Reduction in false positives by filtering out “noise.”
  2. Faster time to threat detection through proactive, real-time traffic monitoring versus reactive forensics. We generate, monitor and analyze metadata traffic in real-time from literally anywhere on our network – north/south and east/west.
  3. Greater leverage of our small – but mighty! – security team.

The end result is a comprehensive security posture and more cost-effective protection against cyber threats that other organizations simply do not have.

How did we do it?

Well, we started by using our Gigamon Visibility Platform to generate metadata off the wire and then feed it to our Security Information and Event Management (SIEM) solution. Previously defined high-fidelity correlation searches in our SIEM help us to quickly identify patterns. Here are three real-world examples of searches we implemented:

1) Unusual patterns in HTTP response codes. 

Seeing numerous HTTP 404 errors, for example, helps us quickly identify infected machines that may be attempting to contact command and control hosts. It could also indicate a bad config of your web server or some other issue – crucial for the WebOps team – that is preventing online business from being transacted. 

2) Specific domain(s). 

During the Wannacry outbreak, we searched for and quickly found the KillSwitch domain – an indication that there was a potential breach. Disaster averted! Not a single machine was affected. 

3) SSL certificate issuer.

We recently generated alerts that identified users navigating to sites signed by the repudiated WoSign SSL certs. We were able to quickly identify users attempting to access these potentially spoofed sites, an otherwise extremely difficult and time-consuming process.

By now, hopefully it’s clear to you how powerful metadata can be. It really is “all killer, no filler.” If you’d like to learn more about how metadata became a security superpower for the InfoSec team at Gigamon, I invite you to register for my webinar: “All Killer, No Filler: How Metadata Became a Security Super Power at Gigamon.”

SHARE