Last week, I attended the 13th annual FloCon 2017 in San Diego, CA, an event focused on large-scale network analytics. This year’s theme was ‘Flow and Beyond’ and presentations focused on enhancing incident detection and network situational awareness.
On this note, my colleague Dr Jamison Day and I focused our talk on Assessing Targeted Attacks in Incident Response Threat Correlation. LookingGlass sees security automation of flow collection and correlation with threat intelligence (evidence-based knowledge about existing hazards that helps organizations understand the risks of common and severe external threats and informs their response) as a key to maximizing the effectiveness of security analysis and operations teams.
Over three full days at the event, FloCon17 provided an agenda packed with great presentations from security and networking industry practitioners and experts, as well as research institutions. We were encouraged to share, collaborate on ideas, and help broaden the community awareness on the value of flow collection, correlation, and use in security analytics.
My key take-aways from FloCon17:
The Relevance of Flow Collection to Security is Strong and Increasing
- The use of network flow, and more broadly network telemetry, is vital to the security industry.
- Collecting flow only at the perimeter will limit network defense opportunities and, hence, organizations should consider flow collection for both north-south and east-west traffic profiles.
Deeper Context Flow Collection is a Must
- To fully realize the benefits of flow, having more detailed context from the flow capture than the traditional 5-tuple (src-ip, dest-ip, src-port, dest-port, app-id) helps with both correlation and identification of security issues.
- Consider implementing IPFIX and as many of the defined flow attributes as possible.
Flow Collection and Correlation Alone is Insufficient
- Correlation of flow must include information about other telemetry and intelligence available such as global threat intelligence, organizational awareness of systems, vulnerabilities, etc.
- With the greater context of correlation across data sets, organizations can determine relevance of specific flow behaviors and therefore potentially identify threats relevant to their organizations.
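The two points above (richer-than-5-tuple context, and correlating flow with threat intelligence and organizational asset awareness) can be shown on a handful of records. The following is an added example written for this post; it is not code from the FloCon talk or from LookingGlass, and every flow record, indicator, network range and asset entry in it is constructed for illustration. It classifies each flow as north-south or east-west, matches endpoints against an indicator list, and uses byte counts plus asset roles to surface an east-west transfer that a 5-tuple-only view would never flag, scoring each finding by indicator confidence and asset criticality.

```python
"""Correlate flow records with threat intelligence and asset context.

Added illustration, not from the FloCon talk or any vendor tooling. All
networks, assets, indicators and flow records below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed internal address space; decides north-south vs east-west.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed asset inventory: internal host -> (role, criticality 1..5).
ASSETS = {
    "10.0.1.5": ("payroll-db", 5),
    "10.0.2.20": ("workstation", 2),
    "10.0.3.9": ("build-server", 4),
}

# Constructed threat-intel indicators: IP -> (category, confidence 0..1).
INDICATORS = {
    "203.0.113.7": ("c2", 0.9),
    "198.51.100.23": ("scanner", 0.5),
}

# Constructed flow records carrying more than the 5-tuple: byte and packet
# counts and TCP flags, as an IPFIX exporter would provide them.
FLOWS = [
    {"src": "10.0.2.20", "dst": "203.0.113.7", "sport": 51234, "dport": 443,
     "proto": 6, "bytes": 48_200, "packets": 310, "flags": "SAP"},
    {"src": "198.51.100.23", "dst": "10.0.1.5", "sport": 40000, "dport": 3306,
     "proto": 6, "bytes": 120, "packets": 2, "flags": "S"},
    {"src": "10.0.2.20", "dst": "10.0.1.5", "sport": 52000, "dport": 3306,
     "proto": 6, "bytes": 9_800_000, "packets": 7100, "flags": "SAPF"},
    {"src": "10.0.3.9", "dst": "10.0.2.20", "sport": 22, "dport": 60100,
     "proto": 6, "bytes": 3_000, "packets": 40, "flags": "SAPF"},
]


@dataclass
class Finding:
    flow: dict
    direction: str
    reason: str
    score: float  # indicator confidence (or rule weight) x asset criticality


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: dict) -> str:
    """north-south crosses the perimeter; east-west stays inside it."""
    src_in, dst_in = is_internal(flow["src"]), is_internal(flow["dst"])
    if src_in and dst_in:
        return "east-west"
    if src_in or dst_in:
        return "north-south"
    return "external"  # neither end is ours; unusual for an internal collector


def correlate(flows, indicators=INDICATORS, assets=ASSETS):
    findings = []
    for flow in flows:
        d = direction(flow)
        # Asset context comes from the internal endpoint (the destination
        # for east-west flows, which is the side being accessed).
        internal_host = flow["dst"] if is_internal(flow["dst"]) else flow["src"]
        role, crit = assets.get(internal_host, ("unknown", 1))

        # Rule 1: an endpoint appears in the indicator list.
        for end in ("src", "dst"):
            if flow[end] in indicators:
                cat, conf = indicators[flow[end]]
                findings.append(Finding(flow, d,
                                        f"{end} {flow[end]} matches {cat} indicator",
                                        round(conf * crit, 2)))

        # Rule 2: needs byte counts and asset roles, not just the 5-tuple:
        # a workstation pulling a large volume from an internal database port.
        if d == "east-west" and flow["dport"] == 3306 and flow["bytes"] > 1_000_000:
            src_role, _ = assets.get(flow["src"], ("unknown", 1))
            if src_role == "workstation":
                findings.append(Finding(flow, d,
                                        f"{src_role} {flow['src']} pulled "
                                        f"{flow['bytes']} bytes from {role}",
                                        round(0.6 * crit, 2)))

    # Highest-priority findings first, so automation acts on the payroll-db
    # transfer before the low-confidence scan.
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in correlate(FLOWS):
        print(f"{f.score:4.1f}  {f.direction:11s}  {f.reason}")
```

Run as-is it prints three findings; the only east-west one scores highest because the constructed asset inventory marks the database as critical. Nothing in the 5-tuple distinguishes that transfer from routine database use; the byte count from the richer flow record and the asset role from organizational context are what make it stand out.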
Security Automation is Key
- The ability to collect, correlate, identify, and act on security threats must be automated.
- Threats often require both immediate detection and mitigation.
- Humans in the loop should be focused on tuning and setting prioritization of the automation on organizational assets.
Machine Learning and Advanced Correlation Techniques are a Must
- Human correlation of flow to identify threats will clearly never scale within larger organizations with thousands of assets or more.
- Advances in machine learning techniques applied to flow correlation are key to enhancing the security personnel protecting our networks.
- Machine learning can identify behaviors and patterns that humans do not, but without tuning and feedback loops, machine learning may not yield the desired results.
Flow telemetry data can help achieve greater security situational awareness, but needs to be used with other sources of intelligence and correlation techniques to maximize the value to the organization. By doing this, you can focus correlation and analysis for your organizational needs, resulting in more relevant and actionable security mitigation actions.
Thanks to organizers, fellow presenters and the conference attendees at FloCon17 for an educational and inspiring conference.