The Time for Network Security Automation Is Now: Phantom for Faster, More Accurate Incident Response
Automation – it’s a big deal. To date, much investment has gone into automating manufacturing, banking, trading and shipping. But what has yet to be automated is network security. That is, until now. From now through 2018, we’ll see more and more automation of network security.
Networks Are Like Snowflakes
Understanding how a network works isn’t easy, and that’s because there is no standard. At one company, a network might work one way while at another, it’s completely different.
From company to company, capabilities for running a network – including resources and budgets – can differ greatly. Some companies have highly skilled, in-house employees while others outsource. Some spend a lot of money on their networks while others can’t or don’t care to spend as much.
Beyond capabilities, companies can also have different network requirements. For instance, healthcare companies must comply with Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST) Common Security Framework (CSF). Others might need to comply with Payment Card Industry Data Security Standard (PCI DSS) or with the National Institute of Standards and Technology (NIST).
Like a snowflake, every company network is different.
The Holy Grail of Information Security
So how do you implement a standard set of controls and build security automation when there is such incredible variation? With context. In the past, there hadn’t been the required body of knowledge to automate network defense at scale, but today, we know a few things that every company should do. We know that every company should threat model, patch, provision, audit and monitor their networks.
Regardless of what your network does or what controls you have in place, the key to successful automation is drawing context and establishing if a network event is good or bad. As I’ve written before, knowledge – of good versus bad intention – is the holy grail of information security. Is an event your analysts observe through a Security Information and Event Management (SIEM) system, next-generation firewall, Bro Platform or another tool a good thing or a bad thing?
Generally, companies need to know who on their network is executing what commands and whether that’s okay. Or at the very least, what commands shouldn’t be issued. For example, if a human resources (HR) manager is looking at an employee’s performance review, that’s probably normal. If a facilities manager is pulling down an engineer’s salary information, that’s probably not normal.
Phantom Helps Build Context Quickly
Building context is key – but it’s not easy.
In the past, when an event occurred, an analyst would have to investigate. As above, the analyst would need to know which user from which department went to which site. Let’s take Yahoo.com as a simple example. Even if Yahoo.com itself is an allowable site, the analyst would still need to see what else might be on that web page. There could be 50 different embedded ads, images and third-party sites – any one of them capable of hosting malware and often, many of them not even hosted at Yahoo. The analyst’s concern is a visit to an ad server farm that infected a company machine, and investigating it entails pulling together all the threads: the origin of the ad server, the user and the damage done. For instance, does this user have access to sensitive company data? Or is the infected machine running an operating system (OS) or browser that’s not vulnerable to the detected malware, making the incident of lesser concern?
That’s one alert – and it could have 30 different variables to compile to decide what to do and how to prioritize. Remember, too, if a company has 150,000 computers and 20,000 get an infection – with each machine throwing 20 to 30 events per minute – that’s a huge amount of information to investigate and interpret just to build context.
Enter the Phantom Platform. Regardless of the tools you use, Phantom simplifies and speeds up this process. It begins with the assumption that every environment is different – so not a one-size-fits-all approach – but that everyone needs to build context.
Phantom provides connectors to most popular network security tools. If you use these tools, it’s simple to install the platform, connect to your tools and write custom playbooks for your business. For example, some companies do not permit use of Cisco WebEx because it allows remote parties to fully control a PC. Another company may allow WebEx – but only when an approved ticket is open, and perhaps only during the hours that ticket permits. A custom playbook might take in an alert about WebEx use from Gigamon, connect to the company’s ticketing system and check for an approved ticket. If it finds one, it might then check what time the alert fired and either signal the analyst or simply connect to the company’s firewall and block the IP.
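The WebEx decision logic described above, written out as an added example in plain Python (not Phantom’s playbook API or Gigamon’s code). The ticket records, the alert fields and the outcome mapping (no approved ticket: block; approved ticket outside its hours: notify the analyst; inside its hours: allow) are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

@dataclass
class Ticket:
    """Constructed stand-in for a change ticket in the company's ticketing system."""
    ticket_id: str
    host: str            # machine the ticket authorises WebEx on
    approved: bool
    window_start: time   # hours during which WebEx use is permitted
    window_end: time

# Constructed sample tickets (hypothetical ids and hosts).
TICKETS: List[Ticket] = [
    Ticket("CHG-1001", "ws-042", True, time(9, 0), time(17, 0)),
    Ticket("CHG-1002", "ws-077", False, time(0, 0), time(23, 59)),
]

# Constructed sample WebEx alerts, as a network tool might hand them to a playbook.
SAMPLE_ALERTS: List[Dict] = [
    {"host": "ws-042", "src_ip": "10.0.0.42", "fired_at": datetime(2017, 10, 3, 10, 30)},
    {"host": "ws-042", "src_ip": "10.0.0.42", "fired_at": datetime(2017, 10, 3, 22, 5)},
    {"host": "ws-077", "src_ip": "10.0.0.77", "fired_at": datetime(2017, 10, 3, 11, 0)},
    {"host": "ws-099", "src_ip": "10.0.0.99", "fired_at": datetime(2017, 10, 3, 11, 0)},
]

def find_approved_ticket(host: str, tickets: List[Ticket]) -> Optional[Ticket]:
    """Return the first approved ticket covering this host, or None."""
    for t in tickets:
        if t.host == host and t.approved:
            return t
    return None

def decide(alert: Dict, tickets: List[Ticket]) -> str:
    """Return 'allow', 'notify_analyst' or 'block' for one WebEx alert."""
    ticket = find_approved_ticket(alert["host"], tickets)
    if ticket is None:
        return "block"                      # no approved ticket: block the source IP
    fired = alert["fired_at"].time()
    if ticket.window_start <= fired <= ticket.window_end:
        return "allow"                      # inside the approved window: no action
    return "notify_analyst"                 # ticket exists but outside its hours

def run_samples() -> List[str]:
    """Evaluate every constructed alert; used to exercise the logic end to end."""
    return [decide(a, TICKETS) for a in SAMPLE_ALERTS]

if __name__ == "__main__":
    for alert, outcome in zip(SAMPLE_ALERTS, run_samples()):
        print(alert["host"], alert["fired_at"].isoformat(), "->", outcome)
```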
The Phantom Platform can also be used for managing custom threat intelligence. Let’s say a company has a list of domains whose Domain Name System (DNS) zone files have been compromised. Such a domain may resolve to its intended IP except when an attacker is running a campaign. Blocking the domain outright might disrupt business. Instead, a Phantom playbook can take the alert that an employee connected to the domain and check what IP it resolved to. If that IP geolocates to an unexpected region, the playbook can take an action. In our demo, we chose the City of Ontario’s website, which is hosted on AWS. If the IP were to change to one in Canada, we would consider that an infraction and take action.
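The resolved-IP check described above, as an added example in plain Python (not Phantom’s playbook API or Gigamon’s code). The watched domain, the expected country and the geolocation table are constructed stand-ins; a real playbook would query a geo-IP service, and the RFC 5737 documentation ranges used here carry no real geography.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed watchlist: domains with known zone-file compromises, mapped to the
# country their legitimate address is expected to geolocate to.
WATCHLIST: Dict[str, str] = {"city-example.test": "US"}

# Constructed geolocation table using RFC 5737 documentation prefixes (hypothetical
# country assignments; a real playbook would call a geo-IP service instead).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "CA"),
]

def geolocate(ip: str) -> Optional[str]:
    """Return the country for an IP from the constructed table, or None if unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None                         # malformed address in the alert
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None

def assess(alert: Dict) -> str:
    """Return 'ignore', 'allow', 'notify_analyst' or 'block' for a DNS-resolution alert."""
    expected = WATCHLIST.get(alert["domain"])
    if expected is None:
        return "ignore"                     # not a watched domain
    country = geolocate(alert["resolved_ip"])
    if country is None:
        return "notify_analyst"             # cannot geolocate: let a human decide
    if country == expected:
        return "allow"                      # resolved where it should
    return "block"                          # resolution moved regions: treat as a campaign

# Constructed sample alerts as a DNS monitor might deliver them.
SAMPLE_ALERTS: List[Dict] = [
    {"user": "alice", "domain": "city-example.test", "resolved_ip": "203.0.113.10"},
    {"user": "bob", "domain": "city-example.test", "resolved_ip": "198.51.100.7"},
    {"user": "carol", "domain": "city-example.test", "resolved_ip": "not-an-ip"},
    {"user": "dave", "domain": "other.test", "resolved_ip": "198.51.100.7"},
]

def run_samples() -> List[str]:
    return [assess(a) for a in SAMPLE_ALERTS]

if __name__ == "__main__":
    for alert, outcome in zip(SAMPLE_ALERTS, run_samples()):
        print(alert["user"], alert["domain"], alert["resolved_ip"], "->", outcome)
```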
Any number of playbook configurations can be written to match any organization’s requirements. If there is a connector to your tools, it will work; and if there isn’t a connector but you have the GigaSECURE® Security Delivery Platform, you’re in luck: Phantom can connect to and manage enforcement through GigaVUE-FM.
By providing a connector to a tool like the GigaSECURE Security Delivery Platform, Phantom lets you write the rules that are appropriate for your network and controls. When those conditions are met, it executes the commands against the GigaSECURE Security Delivery Platform. For example, if a site is suspected of hosting malware, the solution can begin capturing packets whenever anyone visits that site. Another fitting use case is the recent directive by the Department of Homeland Security (DHS) to remove Kaspersky software. Companies can set up rules such that if Kaspersky is found, Phantom alerts on it and removes the software from their network – and the GigaSECURE Security Delivery Platform can prove that it’s gone.
To learn more, don’t miss our webinar “SOC Talk: Phantom Automation for Faster Response Time.”