From the Core to the Cloud, See it All

Simplify, secure and scale your hybrid cloud infrastructure to accelerate digital innovation.

LEARN MORE

CLOUD VISIBILITY

GET A DEMO

DATACENTER VISIBILITY

GET A DEMO

NETWORK SECURITY

GET A DEMO

INDUSTRY

A Thriving Partner Ecosystem

Gigamon reseller and integration partners design, implement and optimize best-of-breed and validated joint solutions.

FIND A PARTNER

NOT A PARTNER?

ALREADY A PARTNER?

Proven Support and Services

Our global support team is committed to creating experiences of unmatched quality, scalability and efficiency.

MY GIGAMON

OVERVIEW

GET SUPPORT

COMMUNITY

Customer Success

Our global customers are empowered to transform their businesses and innovate with the power of complete network visibility and analytics.

CUSTOMERS

ANU

Australian National University

Fosters a safer campus community with Gigamon.

cegedim

Cegedim.cloud

Improves cloud infrastructure and visibility.

 

department of defense

Department of Defense

Confidently feeds different tool sets in the physical and the virtual world.

Resource Library

Your one-stop hub to explore content resources to stay current on the latest in network visibility and analytics.

RESOURCES

Network Tool Efficiency Evaluation

Efficient Tools Are Happy Tools

Answer a few questions and get real-time insights.

def-guide

Achieve Hybrid Cloud Observability

Strengthen visibility and security.

ebook

Deep Observability eBook

Supercharge your tools with real-time, actionable, packet-level intelligence.

WHY GIGAMON

We are the first company to deliver a unified visibility and analytics architecture across your hybrid infrastructure to simplify, secure and scale IT operations.

LEARN MORE

IN THE NEWS

COMPANY INFORMATION

Deep Observability

Supercharge Your Security and Observability Tools

Without deep observability, you're exposed.

Great Place to work

Join the Team

Become a part of the OneGigamon team. Search for your next opportunity.

SHARE
Security / September 27, 2018

Intelligent Detections — The Kobayashi Maru of Security

Dan Caselden  Jason Rebholz Jason Rebholz  

While alert fatigue may sound like a trendy catchphrase, it is a real issue that security analysts face every day. The ever-increasing number of security alerts from a growing number of devices often results in more noise than useful detections.

The unfortunate truth is that many of these alerts are not real security issues nor do they necessarily align with the organization’s strategy to reduce risk. Furthermore, the sheer volume of this noise is costly, leading to complacency, lost productivity and ultimately increased vulnerability to attacks. This puts the organization’s security team in a Kobayashi Maru no-win situation. Course correcting out of this situation, or avoiding it altogether, requires a new approach with a focus on data quality fundamentals and more intelligent detections.

At Gigamon, we believe that effective detection capabilities incorporate the following core components:

  • High-quality data collection — get the right data to enable detections
  • Context-enriched data sets — enhance data to allow for more intelligent detections

This blog post explores our philosophy on two of the foundational components that enable more intelligent detections and ultimately alleviate alert fatigue.

High-Quality Data Collection

Visibility matters when it comes to detections. In a prior blog post, we talked through how maximizing visibility into your environment is the first step to securing it. This is especially true in detecting malicious activity, as analysts can only detect activity they can see.

Unfortunately, many organizations discover they are missing critically important data while in the midst of a security incident. This missing data often includes comprehensive network visibility but also extends to infrastructure logs and limited endpoint coverage. In other cases, even when these data sources are collected, the right level of detail needed to support an investigation is missing.

This complexity of data collection and engineering within the enterprise only increases at scale. For example, consider ingesting events from several data sources distributed across a worldwide enterprise where timestamp format varies across devices, log types and time zones. Normalizing these timestamps is essential, not only for analysts supporting their triage and investigation workflows, but also for an automated detection capability where temporal analysis and correlation are critical.

The secret to succeeding at the detection game starts with high-quality data collection, which builds the foundation for a scalable and robust detection capability that ultimately reduces alert fatigue.

Context-Enriched Data Sets

So, you have the proper visibility and you’re looking to expand into the next phase of protecting your environment — enter context-enriched data. This can be divided into two parts:

  • Event enrichment
  • Curated intelligence

Event enrichment takes the existing data sets and adds applicable context to provide supplementary information that is useful for both detections and investigations. The current status quo finds analysts having to manually pull in additional information from other security tools, services or systems.

At Gigamon, we believe in putting useful contextual details in the analyst’s hands from the beginning, empowering them to move quickly, understand the situation and take action. These additional contextual details can range from static properties, such as Autonomous System Number (ASN) and geo-location, to dynamic features like reputation and prevalence. This provides defenders with the ability to write custom detections based on unique combinations of indicators and metadata.

Curated intelligence matching provides the second aspect to context-enriched data. Gigamon further enriches streaming network data with network intelligence that goes beyond malicious atomic indicators such as known bad IP addresses or domains. This curated intelligence provides analysts additional context on suspicious entities, such as disreputable Virtual Private Servers (VPS), Tor nodes and sinkholes. This is where analysts can start to model how an attacker would operate in an environment to develop refined detections or start a threat hunting program.

When event enrichment is combined with curated intelligence, it opens up new detection opportunities. For example, attackers often download malicious files that are hosted on a disreputable VPS. Leveraging enriched network data, we could search for, or create an automated detection for file downloads that originate from this VPS. The enriched IP address metadata coupled with a basic understanding of attacker methodologies empowers organizations by expanding their detection capabilities.

Final Thoughts

Alert fatigue is real and painful. It causes wasted cycles for organizations and can increase the risk to the business through missed alerts or insufficient incident triage.

The right level of visibility with context-enriched data sets grants defenders an edge by allowing them to efficiently identify and quickly respond to threats. This reduces business risk, saves time and cost through streamlining analysis, and, most importantly, provides analysts the tools they need to successfully rewrite the Kobayashi Maru situation and succeed.

RELATED CONTENT

REPORT
2022 Ransomware Defense Report
GET YOUR COPY  Go
WEBINAR
Unlock Ultimate Hybrid Cloud Security: Join Nutanix for Insights
WATCH ON DEMAND  Go
REPORT
2022 TLS Trends Data
DOWNLOAD REPORT  Go
WEBPAGE
Suddenly, Ransomware Has Nowhere to Hide
TAKE A LOOK  Go
COMPANY
GET HELP
PRODUCTS & SOLUTIONS
POPULAR LINKS
  • ©Gigamon 2022
Back to top