Cybersecurity Solutions

Casting a Wider Net – Enhanced Web Filtering Support in the Respond Analyst

Mike Reynolds
by Mike Reynolds
category Cybersecurity Solutions

Did you know that 57% of malware is undetected by Endpoint Protection Platforms (EPP)?* This occurs for a couple of reasons including: 

  • Zero day attacks will be missed by signature-based approaches that evaluate known bad files (EPP can’t catch what it doesn’t already know about)  
  • Fileless malware is becoming more common, which is challenging for EPP to detect (EPP typically matches on files) 

To mitigate these risks, organizations deploy and monitor additional security controls such as IDS/IPS and web filtering (think defense in-depth). While monitoring IDS/IPS alerts offers broad, powerful coverage, there are specific challenges that security teams need to be aware of. For instance, network IDS/IPS:

  • Deployments are commonly misconfigured or simply not updated
  • Network sensors are also extremely tuned down to enable human monitoring, and thus reduce the effectiveness of detection
  • Will miss zero day attacks because they use a signature-based approach (similar to the risks of EPP mentioned in the bullets above) 
  • Are not effective when encryption is in place (commonly HTTPS web communications) because the signatures evaluate and trigger on the unencrypted payloads of network packets 

By monitoring web filtering logs, security teams can expose assets infected with malware undetected by other security controls. By evaluating patterns of suspicious communication within web filtering logs, teams can identify malware that is ‘file-less’, communicating over encrypted channels (HTTPS), or previously unknown (aka a zero day) -- all without the reliance on attack signatures or heuristics.

However, until now, security teams were not able to identify these threats in real-time because the event volume generated by web filtering solutions was prohibitively too large for monitoring.   

In the latest release of the Respond Analyst, Respond Software is announcing support for many of the top web filtering solutions including Palo Alto Networks, Symantec, McAfee, Cisco, Forcepoint, Carbon Black and ZScaler.  Monitoring this data will enable the Respond Analyst to cast a wider net to identify compromised assets communicating with command and control servers as well as data exfiltration attempts. By identifying these communications, the Respond Analyst helps organizations significantly reduce attack dwell time.  

To illustrate the point, in a real customer environment monitored by the Respond Analyst, the solution was able to detect and escalate an incident involving multiple malicious domains and internal systems. 

The initial breach involved a single host that was sending beaconing traffic to a known malicious domain. The Respond Analyst also checked the age of the domain and used this information as part of its decision-making process. In this case, the domains were only registered two months ago, making it unlikely that a corporate user would navigate there. Monitoring the data ingested from the web filter, the Respond Analyst created a ‘Severity 4’ incident for the customer to investigate. At the time, the web filtering system blocked the beaconing attempts and because the customer had other priorities, the incident remained open. However, more hosts soon exhibited the same behavior, so these events were scoped into the original incident and it was escalated to ‘Severity 3’ status by the Respond Analyst. Additionally, the Respond Analyst knew that the web filtering vendor had identified the domains as malicious outbound botnets, but this behavior alone is not enough to warrant an escalation. However, as the traffic persisted, and as the Respond Analyst continued to monitor the activity over time, the probability that this was a malicious activity driven by software and not a human clicking a mouse increased significantly.  

Because the Respond Analyst was able to cast a wider net to detect these beaconing attempts in real-time, the security team remediated the issue by stopping the traffic going to the malicious domains reducing dwell time of the attack.

If you are interested in casting a wider net and pulling more value from the logs generated from your web filtering system, the Respond Analyst is the solution for you. For more information on the Respond Analyst’s support for web filtering systems please see:

*Source:  2018 State of Endpoint Security Risk , Ponemon Institute October, 2018