As a security analyst at the beginning of an investigation, how do you know which pieces of information are going to be most relevant in determining an appropriate and confident response?
Experienced analysts develop best practices and strong instincts for investigating threats, but even so, the volume and nature of data available to security analysts exerts a huge influence on their ability to investigate and resolve security incidents. Too much information, in the form of endless alerts rife with false positives, makes it more difficult to prioritize which potential threats to investigate. Too little info, or too little context around any given alert, forces analysts to manually dig for the information they need to make a confident decision. That can mean hours of work consulting a SIEM, CMDB, IDS/IPS provider, firewall logs, and packet capture solution before even knowing whether or not the alert was worth investigating at all.
One high-order goal of ExtraHop Reveal(x) Network Traffic Analysis is to bring together the information that security analysts need, correlated and available when they need it to make a confident decision about how to respond to a potential threat.
To that end, we've identified several of the 4,600+ metrics we provide that are very likely to be relevant to high-priority security investigations. We're surfacing these on the Security Overview page of Reveal(x) -- essentially the homepage of the product, so they're available at a glance when you start up the product. We're calling this feature "Signal Metrics."
What is a Signal Metric?
In Reveal(x), signal metrics tell you about general trends in network behavior that are likely to be relevant to your security hygiene and posture. Signal metrics compare stats from an individual network protocol between the current time window with the previous window of the same length. For example, one signal metric can tell you at a glance if your HTTP 500 errors have increased by 175% this half hour (or whatever time window you choose), compared to the half hour before.
This could indicate that a scanner is being used to conduct reconnaissance against the network, or simply that a web server is failing a lot. Signal metrics are presented at the bottom of the Security Overview page, in order of largest difference in behavior between the current time window and the preceding one. In context with the other information available at a glance on the security overview page, this can help analysts decide on the most prudent response. Other signal metrics may warn you of DNS behavior that indicates a DDOS attack in progress, or of an increase in usage of insecure cipher suites on your network.
Signal metrics are just one of many ways we're working to provide the right information at the right time so that security analysts can make confident decisions quickly.
To try out Reveal(x) for yourself and see signal metrics in action, visit our live, interactive online demo.
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/extrahop-signal-metrics-accelerate-security-investigation/