1/3/2014
08:42 PM

Network Baseline Information Key To Detecting Anomalies

Establishing 'normal' behaviors, traffic, and patterns across the network makes it easier to spot previously unknown bad behavior

While so much time in network security is spent discussing the discovery of anomalies that can indicate attack, one thing that sometimes gets forgotten in the mix is how fundamental it is to first understand what "normal" looks like. Establishing baseline data for normal traffic activity and standard configuration for network devices can go a long way toward helping security analysts spot potential problems, experts say.

"There are so many distinct activities in today's networks with a high amount of variance that it is extremely difficult to discover security issues without understanding what normal looks like," says Seth Goldhammer, director of product management for LogRhythm.

Wolfgang Kandek, CTO of Qualys, agrees, stating that when IT organizations establish baseline data, it makes it easier to track deviations from that baseline.

"For example, if one knows that the use of dynamic DNS services is at a low 0.5 percent of normal DNS traffic, an increase to 5 percent is an anomaly that should be investigated and might well lead to the detection of a malware infection," Kandek says.


But according to Goldhammer, simply understanding normal can be a challenge in its own right. Baselining can mean tracking many different attributes across multiple dimensions, he says: normal host behavior, network behavior, user behavior, and application behavior, along with other internal information such as the function and vulnerability state of the host. External context -- such as the reputation of an IP address -- also plays a role.

"For example, on any given host, that means understanding which processes and services are running, which users access the host, how often, [and] what files, databases, and/or applications do these users access," he says. "On the network [it means] which hosts communicate to which other hosts, what application traffic is generated, and how much traffic is generated."

It's a hard slog, and, unfortunately, the open nature of Internet traffic and diverging user behavior make it hard to come up with cookie-cutter baseline recommendations for any organization, experts say.

"Networks, in essence, serve the needs of their users. Users are unique individuals and express their different tastes, preferences, and work styles in the way they interact with the network," says Andrew Brandt, director of threat research for the advanced threat protection group for Blue Coat Systems. "The collection of metadata about those preferences can act like a fingerprint of that network. And each network fingerprint is going to be as unique as its users who generate the traffic."

Another dimension of developing a baseline is time. The time range over which data is sampled to establish a benchmark will often depend on what kind of abnormality the organization hopes to eventually discover.

"For example, if I am interested in detecting abnormal file access, I would want a longer benchmark period, building a histogram of file accesses per user over the previous week to compare to the current week, whereas if I want to monitor the number of authentication successes and failures to production systems, I may only need to benchmark the previous day compared to the current day," Goldhammer says.
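To make the two comparisons concrete, here is an added example that is not code from the article or from any vendor quoted in it: it computes Kandek's dynamic-DNS share of DNS traffic and Goldhammer's per-user file-access histogram, each against a baseline window, and flags deviations. The sample logs, the dynamic-DNS suffix list and the 3x alert factor are all constructed assumptions for illustration.

```python
from collections import Counter

# Assumed suffixes that mark a dynamic-DNS provider (placeholder, not a curated list).
DYNDNS_SUFFIXES = ("dyn.example.net", "ddns.example.org")

# Constructed DNS query names: baseline week has 1 dynamic-DNS lookup in 200
# (0.5%), the week under review has 10 in 200 (5%), mirroring Kandek's figures.
BASELINE_QNAMES = ["www.corp.example"] * 199 + ["host1.dyn.example.net"]
CURRENT_QNAMES = ["www.corp.example"] * 190 + ["c2node.ddns.example.org"] * 10

# Constructed per-user file-access histograms for the previous and current week.
BASELINE_FILE_ACCESS = Counter({"alice": 40, "bob": 35, "carol": 12})
CURRENT_FILE_ACCESS = Counter({"alice": 42, "bob": 30, "carol": 70})


def dyndns_share(qnames, suffixes=DYNDNS_SUFFIXES):
    """Fraction of DNS queries whose name ends in a dynamic-DNS suffix."""
    if not qnames:
        return 0.0
    hits = sum(1 for q in qnames if q.endswith(suffixes))
    return hits / len(qnames)


def ratio_alert(baseline_share, current_share, factor=3.0):
    """True when the current share is at least `factor` times the baseline.

    A category that was absent from the baseline (share 0) therefore always
    alerts once it appears, which is the behaviour an analyst usually wants.
    """
    return current_share >= factor * baseline_share


def histogram_deviations(baseline_counts, current_counts, factor=3.0, min_count=5):
    """Users whose current-window count is >= factor x their baseline count.

    `min_count` suppresses noise from users with only a handful of accesses;
    a user missing from the baseline is treated as having a count of 1.
    Returns {user: (baseline_count, current_count)} for flagged users.
    """
    flagged = {}
    for user, current in current_counts.items():
        baseline = baseline_counts.get(user, 0)
        if current >= min_count and current >= factor * max(baseline, 1):
            flagged[user] = (baseline, current)
    return flagged


if __name__ == "__main__":
    base, cur = dyndns_share(BASELINE_QNAMES), dyndns_share(CURRENT_QNAMES)
    print(f"dynamic DNS share: baseline {base:.1%}, current {cur:.1%}, alert={ratio_alert(base, cur)}")
    print("file-access outliers:", histogram_deviations(BASELINE_FILE_ACCESS, CURRENT_FILE_ACCESS))
```

Note that a user absent from the baseline but now active is flagged only once they clear `min_count`; tune that floor and the factor to the noise level of the data source being baselined.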

While baselines can be useful for detecting deviations, TK Keanini, CTO of Lancope, warns that it may actually be useful to think in terms of pattern contrasts rather than "normal" and "abnormal."

"The term 'anomaly' is used a lot because people think of pattern A as normal and patterns not A as the anomaly, but I prefer just thinking about it as a contrast between patterns," Keanini says. "Especially as we develop advanced analytics for big data, the general function of 'data contrasts' delivers emergent insights."

This kind of analysis also makes it harder to fall prey to adversaries who understand how baselines are used to track deviations. Instead of relying on a single, static baseline, advanced organizations constantly track patterns and look for contrasts across time.

"The adversary will always try to understand the target norms because this allows them to evade detection," he says. "Think about how hard you make it for the adversary when you establish your own enterprise-wide norms and change them on a regular basis."

However it is done, when a contrast of patterns does flag those tell-tale anomalies, Kandek recommends organizing an immediate analytical response.

"To deal with network anomalies, IT departments can lean on a scaled-down version of their incident response process," he says. "Have a team in place to investigate the anomalies, document the findings, and take the appropriate actions, including adapting the baselines or escalating to a full-blown incident response action plan."

Foremost in that immediate action is information-sharing, Brandt recommends.

"When you identify the appropriate parameters needed to classify traffic from the 'unknown' to the 'known bad' column, it's important to share that information, first internally to lock down your own network, and then more widely, so others might learn how they can detect anything similar on their own networks," he says.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
