
NOVETTA Cyber Analytics Integration Note

Cyber Analytics • 7921 Jones Branch Drive • McLean VA 22102 • contact@novetta.com

Integration options on Novetta Cyber Analytics web interface

Introduction

In modern networks no security solution should be designed as a standalone capability, incapable of communicating, coordinating, and sharing with other solutions. Security systems must integrate to share and receive information that helps every system detect and block threats that mean to harm and steal from the organization. This holds true across firewalls, routers, web proxies, Security Information and Event Management (SIEM) systems, and other critical network infrastructure components. A system that is not exchanging information is not fully protecting its network.

As an advanced network situational awareness solution, Novetta Cyber Analytics must exchange information with, and provide access to, other systems. This includes not only the ingestion of contextual information and watch lists, but also direct programmatic access to analytical functionality and ground truth network traffic. To support these workflows, Novetta Cyber Analytics provides multiple capabilities that enable integration into existing network security and incident response activities. These capabilities include the following:

• SIEM & Firewall Console Integration for Rapid and Confident Alert Review
• Network Traffic Export for Fast and Complete Forensics
• Ingestion of Threat Intelligence for Enhanced Contextual Analysis

SIEM & Firewall Console Integration for Rapid and Confident Alert Review

During network security investigations analysts frequently encounter situations where a review of raw packet capture is required to determine whether an alert was accurate. This happens frequently with SIEM systems and firewall consoles because they do not provide this level of detail. While reviewing high-level logs and summary reports analysts quickly reach a point of frustration due to the lack of ground truth data. This makes sense: SIEMs and firewall consoles were originally meant to provide visibility by collecting log files and events from across an enterprise; they were never meant to provide access to network traffic. But there is a solution for this limitation.

Novetta Cyber Analytics integrates seamlessly with existing security solutions by providing a RESTful web API, a Python API, and a syslog message generation capability. The APIs give external systems direct and secure programmatic access to the Analytics back-end engine with minimal integration effort: an administrator adds a new menu item that launches an analytical search, and analysts have direct access to Novetta Cyber Analytics from within their primary workstation interface. The syslog message generation capability creates syslog messages after the execution of an analytical search, which provides SIEM tools and other monitoring solutions with greater context around network events.
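The syslog hand-off described above, as an added example written for this note rather than code from Novetta or from its Python API: a search result is packed into an RFC 5424 message whose structured-data element carries the IP addresses, domain and watch-list name, so a SIEM can correlate it with the originating alert. The search-result layout, the hostname, the APP-NAME and the SD-ID are assumptions; the enterprise number 32473 is the one RFC 5612 reserves for documentation. The SIEM-side parser is included so the escaping of quotes, backslashes and brackets inside PARAM-VALUEs can be checked end to end.

```python
"""Added example (not Novetta code): build an RFC 5424 syslog message that
carries the key fields of an analytical search result as structured data,
so a SIEM can correlate it with the alert that triggered the search.
The search-result layout, hostname, APP-NAME and SD-ID are assumptions."""
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16    # PRI = facility * 8 + severity
SEVERITY_NOTICE = 5
SD_ID = "search@32473"  # 32473 is the enterprise number reserved for examples (RFC 5612)

# Constructed sample search result; the field names are hypothetical.
SAMPLE_RESULT = {
    "search_id": "NCA-SEARCH",  # used as MSGID (<= 32 printable ASCII chars)
    "observed_at": datetime(2015, 3, 4, 12, 30, 45, 123000, tzinfo=timezone.utc),
    "summary": "Beaconing to watch-listed host",
    "fields": {
        "srcIP": "10.0.0.5",
        "dstIP": "203.0.113.7",
        "dstDomain": "example.net",
        "list": 'c2-watchlist "Q1"',  # contains a quote: exercises SD escaping
        "sessions": 42,
    },
}


def _sd_escape(value: str) -> str:
    """RFC 5424 section 6.3.3: escape '\\', '"' and ']' inside a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_syslog_message(result: dict, hostname: str = "nca-analytics",
                         app: str = "nca-search") -> str:
    """Format one search result as an RFC 5424 message (version 1, NILVALUE PROCID)."""
    ts = (result["observed_at"].astimezone(timezone.utc)
          .isoformat(timespec="milliseconds").replace("+00:00", "Z"))
    for name in result["fields"]:
        # PARAM-NAME is printable US-ASCII and may not contain '=', space, ']' or '"'
        if any(c in name for c in ' =]"') or not name.isascii():
            raise ValueError(f"invalid PARAM-NAME: {name!r}")
    params = " ".join(f'{k}="{_sd_escape(str(v))}"' for k, v in result["fields"].items())
    pri = FACILITY_LOCAL0 * 8 + SEVERITY_NOTICE
    return f"<{pri}>1 {ts} {hostname} {app} - {result['search_id']} [{SD_ID} {params}] {result['summary']}"


def parse_structured_data(sd: str):
    """Parse leading SD-ELEMENTs ('[id name="value" ...]'), undoing the escapes.
    Returns ({sd_id: {name: value}}, remainder_of_line)."""
    elements, i, n = {}, 0, len(sd)
    while i < n and sd[i] == "[":
        i += 1
        start = i
        while i < n and sd[i] not in " ]":
            i += 1
        sd_id, params = sd[start:i], {}
        while i < n and sd[i] == " ":
            i += 1
            start = i
            while i < n and sd[i] != "=":
                i += 1
            name = sd[start:i]
            if i + 1 >= n or sd[i + 1] != '"':
                raise ValueError("malformed SD-PARAM")
            i += 2  # skip '=' and the opening quote
            buf = []
            while i < n and sd[i] != '"':
                if sd[i] == "\\" and i + 1 < n and sd[i + 1] in '"\\]':
                    buf.append(sd[i + 1])
                    i += 2
                else:
                    buf.append(sd[i])
                    i += 1
            i += 1  # closing quote
            params[name] = "".join(buf)
        if i >= n or sd[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        elements[sd_id] = params
    return elements, sd[i:]


def parse_syslog_message(line: str) -> dict:
    """Minimal SIEM-side parser for messages produced by build_syslog_message."""
    pri_end = line.index(">")
    pri = int(line[1:pri_end])
    version, ts, host, app, procid, msgid, rest = line[pri_end + 1:].split(" ", 6)
    if rest.startswith("-"):  # NILVALUE: no structured data
        sd, msg = {}, rest[2:]
    else:
        sd, remainder = parse_structured_data(rest)
        msg = remainder[1:] if remainder.startswith(" ") else ""
    return {"facility": pri // 8, "severity": pri % 8, "version": int(version),
            "timestamp": ts, "hostname": host, "app": app, "procid": procid,
            "msgid": msgid, "sd": sd, "msg": msg}


def send_udp(message: str, collector: tuple = ("127.0.0.1", 514)) -> int:
    """Ship the message to a syslog collector over UDP (RFC 5426); returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), collector)


if __name__ == "__main__":
    line = build_syslog_message(SAMPLE_RESULT)
    print(line)
    print(parse_syslog_message(line)["sd"])
```

The structured-data element is what makes the message useful to a SIEM: the addresses and list name arrive as named fields rather than free text, and the round trip through the parser shows that a quote inside a watch-list name survives intact instead of terminating the value early.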

When an analyst is reviewing an alert and needs to inspect the related raw packet capture, the investigation process is streamlined. The analyst right-clicks in the SIEM or firewall console menu to launch a Novetta Cyber Analytics query for the traffic associated with the alert, and the associated traffic is returned in seconds. The traffic presented to the analyst includes details such as IP addresses, domain names, WHOIS details, blacklist membership, and geography. The analyst can use the Novetta Cyber Analytics “View Payload Stream” feature to instantly preview the first 10KB of the associated payload data in the packet capture. Should the analyst find malware or other interesting data, they can instantly retrieve the full packet capture as seen on the wire. This enables them to perform traffic replay, session reconstruction, malware extraction, and other forensic activities.

By combining network traffic with log and event data, analysts have access to all the information they need to detect and investigate advanced threats. Without access to ground truth network traffic analysts have limited capabilities for hunting down malware and attackers, especially as they move laterally across a network. With integration of Novetta Cyber Analytics into existing tools, analysts get a capability that can perform at speed and scale, gives them instant access to packet capture, and provides

Network Traffic Export for Fast and Complete Forensics

Security team investigations frequently require forensic analysis of traffic to retrace the steps of attackers, identify key activities, and reveal any other impacted internal hosts. Unfortunately for analysts, leading forensic analysis tools focus on creating a single chokepoint view of network traffic that does not provide broad or distributed historical analytics. This means that analysts are limited to what the chokepoint tool can capture and retain after performing deep inspection and content unraveling on all traffic.

Novetta Cyber Analytics has been inserted into these security team workflows upstream of existing forensic capabilities to address this visibility challenge. The solution provides analysts with a broader view of traffic than a forensics tool and adds valuable enrichment data to network traffic to provide context. This empowers analysts to explore and investigate large volumes of network traffic at the speed of thought, without being limited to the scope and analytical abilities of the focused forensics tool.

Once an analyst has determined the full extent of a threat using Novetta Cyber Analytics, they can quickly export key packet capture to a traffic analysis or forensics tool for deeper analysis and traffic replay. In this fashion, the deep-dive forensics tool is leveraged for its key capability after a subset of network traffic has been identified. This enhanced workflow accelerates the operational tempo of analysts: they are no longer limited by chokepoint forensics tools that have been stretched beyond their intended functions. They can now quickly start at a console alert, attain situational awareness, identify threats, get visibility of raw packet capture, and perform deep-dive analysis without having to wait hours for queries to return results.

Ingestion of Threat Intelligence for Enhanced Contextual Analysis

Nearly all enterprise security teams maintain lists of, or even complete dossiers on, external attackers who are trying to breach their defenses. Threats found on these internal intelligence lists include hosts that have actively launched scanning or attack campaigns against the enterprise, command-and-control botnet servers, known spam servers, known compromised hosts, known Tor entry and exit nodes, and members of public blacklists. Maintaining such a list is good for awareness, but ideally it should be automatically pushed to and used by network security systems for threat detection and prevention.

Novetta Cyber Analytics imports third-party threat information and customer-specific threat lists to provide the maximum amount of context to security analysts reviewing traffic. These threat lists are commonly collections of IP addresses and CIDR blocks that can be ingested and used by the analytics engine for searching and results presentation. To make that ingestion straightforward, Novetta Cyber Analytics accepts spreadsheets and tab-separated-value files for import into the system.

Once known attackers are imported, Novetta Cyber Analytics can use the lists in multiple ways:

• The system can continually scan network traffic for any activity from these sources. In this way the system serves as an early warning system that can alert analysts to suspicious traffic and enable them to immediately view the raw network traffic for the event
• The system can use these lists as an input to analytics in search of specific behavior or traffic patterns
• The system can automatically tag or label these IP addresses and domains to tell analysts that they are part of a known threat list
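The import-and-match workflow in the two passages above (a tab-separated list of IP addresses and CIDR blocks, then scanning traffic for contact with listed sources and tagging the matches), as an added example written for this note and not code from Novetta or its analytics engine. The TSV column layout, the flow-record fields and the list names are assumptions; the sample rows use the RFC 5737 documentation ranges and deliberately include a malformed indicator so the import reports it instead of failing.

```python
"""Added example (not Novetta code): ingest a tab-separated threat list of IP
addresses and CIDR blocks, then scan constructed flow records for any contact
with listed sources and tag the matching addresses with their list names.
The TSV column layout and the flow-record fields are assumptions."""
import csv
import io
import ipaddress

# Constructed sample watch list: indicator <TAB> list name <TAB> free-text note.
# Uses documentation ranges (RFC 5737) and deliberately includes a bad row.
THREAT_LIST_TSV = """\
# indicator\tlist\tnote
203.0.113.7\tc2-watchlist\tbeacon destination
198.51.100.0/24\tscanner-ranges\tactive scanning campaign
192.0.2.66\ttor-exit\tpublic Tor exit list
not-an-ip\tbroken\tmust be rejected, not crash the import
198.51.100.20/32\tknown-compromised\thost-sized CIDR overlapping the /24
"""

# Constructed sample flows as a collector might summarise them.
SAMPLE_FLOWS = [
    {"ts": "2015-03-04T12:30:45Z", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443},
    {"ts": "2015-03-04T12:31:02Z", "src": "198.51.100.20", "dst": "10.0.0.9", "dport": 22},
    {"ts": "2015-03-04T12:31:10Z", "src": "10.0.0.5", "dst": "192.0.2.66", "dport": 9001},
    {"ts": "2015-03-04T12:31:15Z", "src": "10.0.0.7", "dst": "10.0.0.8", "dport": 445},
]


def load_threat_list(tsv_text: str):
    """Parse the TSV into [(ip_network, list_name)], skipping comments and blank
    lines. Malformed indicators are reported in `rejected`, not silently dropped."""
    networks, rejected = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(tsv_text), delimiter="\t"), start=1):
        if not row or row[0].lstrip().startswith("#"):
            continue
        indicator = row[0].strip()
        label = row[1].strip() if len(row) > 1 and row[1].strip() else "unlabelled"
        try:
            # strict=False accepts a CIDR with host bits set (e.g. 10.1.2.3/24)
            net = ipaddress.ip_network(indicator, strict=False)
        except ValueError as exc:
            rejected.append((lineno, indicator, str(exc)))
            continue
        networks.append((net, label))
    return networks, rejected


def tags_for(address: str, networks) -> list:
    """All list names whose network contains `address` (sorted, deduplicated).
    A single host may sit on several lists, e.g. a /32 inside a listed /24."""
    ip = ipaddress.ip_address(address)
    return sorted({label for net, label in networks if ip.version == net.version and ip in net})


def tag_flows(flows, networks) -> list:
    """Return only the flows touching a listed address, annotated with the tags
    for each side so an analyst can see why the flow surfaced."""
    hits = []
    for flow in flows:
        src_tags, dst_tags = tags_for(flow["src"], networks), tags_for(flow["dst"], networks)
        if src_tags or dst_tags:
            hits.append({**flow, "src_tags": src_tags, "dst_tags": dst_tags})
    return hits


if __name__ == "__main__":
    nets, bad = load_threat_list(THREAT_LIST_TSV)
    for lineno, indicator, why in bad:
        print(f"rejected line {lineno}: {indicator!r} ({why})")
    for hit in tag_flows(SAMPLE_FLOWS, nets):
        print(hit)
```

Two details matter in practice: the import keeps going past a bad row and returns it with its line number, so a single typo in a customer list does not silently shrink the watch list, and matching is done against networks rather than exact strings, so a host listed as a /32 inside a listed /24 correctly carries both labels.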

Using these features as well as the built-in tagging capabilities of Novetta Cyber Analytics, which enable analysts to humanize sessions and IP addresses with departments, suspicions, and any other information (the true contextual power of Novetta Cyber Analytics), analysts have single-pane access to the contextual information and ground truth network traffic needed both for rapidly determining the full scope of a threat and for pinpointing it.

Conclusion

Organizations that make use of all these Novetta Cyber Analytics integration features can connect a powerful network traffic analytics and visibility platform to their existing security infrastructure and threat intelligence sources. This coordination empowers analysts to gain greater situational awareness and substantially


Novetta Cyber Analytics providing situational awareness of C&C beaconing behavior with immediate export of the raw observed packet capture available to a forensics tool of choice

For more information: (844) NOVETTA (Toll Free) • (844) 668-3882 • [email protected]

Let us prove to you just how effective this solution can be.
