Continuous Network intelligence with Deep Packet Inspection
If you are like me you don’t spend much time reading when it comes to things you can try out yourself, freely. The question you might have is: is it powerful?
The answer is yes. But it’s not like RSA NetWitness.
As you can see it has a statistical focus. You can chart the statistics of your egress traffic, and perform anomaly detection based on DPI. Then you define threshold, and IOCs, and log them to your SIEM to match them against Threat Feeds. The usual. Logrhythm Network Analyzer uses Syslog. So I can throw the logs to Sumo Logic or QRadar… or any other SIEM.
Ok, is it like Elastic Packetbeat?
No, Packetbeat, or the whole Elastic stack, is essentially a garbage bin for data. The entries do not get structured and remain as a large JSON dump. If you are lucky, you can craft a Elasticsearch query. But take a look at the “simple” string query. It’s not the Goog-feeling.
I know that many people recommend to SMB customers to use Packetbeat. It’s easy to install, even on Cloud instances, and you can perform simple things like DNS anormaly detection. But let’s be real. If that is all you want to do, you do not need an entire Elastic stack.
Is it the Forensicator Pro
I don’t really get why Logrhythm tags it as a forensic tool. If you do this kind of forensics with network data, you use log2timeline / plaso with an ELK stack.
Logrhythm Network Analyzer can dissect a PCAP. So I can throw my NIDS ringbuffer into it, in case I want to conduct an initial analysis to investigate a security incident. I use Cloudshark (hosed Wireshark web frontend appliance) for some years to avoid having to download massive amounts of PCAPs. Instead I filter them down remotely near to the NIDS sensors at the data center.
Network Analyzer would be the 1st step. It’s fast and I get initial insights and DPI analytics. If I need to go deep, I’d go for the PCAP and a full blown Wireshark. But that is manual.
In other words: ask Ovie for the Forensicator Pro.
Pretty pictures do not make a security tool
It is true that the Logrhythm Network Analyzer does not replace a NIDS. But let’s face the reality. Yahoo loses tons of user data, the Australian tax office… I have no doubt that they have NIDS systems. But I don’t think that they efficiently worked. Now this is easily said. My point is that a statistical perspective on ingress and egress traffic can enable security metrics and thus contribute to the processes.
There are detailed views within the Kibana interface:
That should provide some insights, for potentially malicious domains. It seems to be quite easy to write some rules. There are community DPA rules.
Compare it with Suricata 3 NSM logs with ET Pro
Suricata has added lots of network intelligence to the logging outputs. It goes a bit deeper, but ET Pro has many gaps. Test it well. I am not satisfied with the detection of XSS and SQLi attacks. This is something LR’s Network Analyzer doesn’t deliver in the first place.
Stamus as a product based on Suricata’s network intelligence logs.
Suricata and LR Network Analyzer have in common, that you can use Lua to write rules.
You can pipe PCAPs though Suri as well.
And you also get the network footprint into an ELK stack, commercially supported if you want.
There are very few packet-level rules in LR’s Network Analyzer. Even ET Open has more to offer here.
I don’t see that you can run the free Network Analyzer as a probe, headlessly and remotely. Suri can work like that. Or SELKs Community.
LR’s Network Analyzer is not OpenSource.
I have not seen that LR’s Network Analyzer has a full PCAP ringbuffer. Many Ciscos have a limited set of SPAN ports. Even the big F5s have limits. So how are you going to set it up? Virtual port mirros? TAPs?
Both, Suri and LR’s NA have no SSL offloading. Usually you feed appliances like that from a Load Balancer therefore. DLP solutions usually break open the SSL context via the internal PKI.
It’s not an IDS. But for many organizations a metrical network perspective with a focus on traffic anomalies can be useful. Nowadays attackers do not steal all data at once. They take their sweet time. Which essentially means you won’t see big egress spikes, when a DB server gets compromised. And we should not promise to customers that all they need in order to keep their data safe is a graph and a student to watch it 24/7. What they need is an asset inventory and a set of white-listed servers. These can be put into a DPA rule.
Logrhythm’s Network Analyzer is nice to have, but it’s not nice enough to be really useful. I’d need features to jump into the PCAP, and to get a Wireshark-like view. Sure, external appliances can provide this, and I am sure LR has something to offer…
The default rules do not hit attack patterns, and you need additional tools and processes to develop and perform detection. We should also not promise customers that an expensive SIEM with Threat Feeds will do that. But I think that’s not how the business works.