Observable Networks: How Packet Metadata Reveals Suspicious Behavior

Modern enterprise networks often employ best practices for monitoring and intrusion detection to provide enhanced network security, but this may not be enough to deal with the continually evolving threat landscape. Startup Observable Networks offers an approach that it calls Dynamic Endpoint Modeling to tackle advanced security threats. In my view, this adds an important “arrow” to the network security “quiver.”

Ongoing vulnerabilities in enterprise networks

Modern network security employs many important layers of defense, but as we have seen time and time again, these have proven inadequate in and of themselves. One category of vulnerability is user behavior. Users — and we should include administrators among them — can permit unauthorized activity, either intentionally or accidentally. Yes, some controls are in place, but these are likely to be imperfect.

Another category of vulnerability is products, since software and hardware bugs can result in exploitable vulnerabilities. A third category is protocols. For example, IP contains no provision for authenticating machine addresses. That means that packets may or may not be coming from an authorized IP address. In addition, an unauthorized machine may convince others that it owns an outbound gateway IP address and thereby be capable of observing all inbound and outbound traffic. This is a classic enabler of a “man-in-the-middle” attack.

In addition to these classes of vulnerabilities, an organization may enable behaviors that result in vulnerabilities, such as poor password security and website access policies, weak policy enforcement, and the inability to monitor all portions of the network.

And, of course, attackers are becoming more sophisticated all the time. For example, memory-resident malware can observe and exfiltrate user and machine behavior over long periods of time. Zero-day attacks are attracting more attention. Corrupted insiders can wreak havoc. All of these are examples of information asymmetry, where someone understands an exploitable vulnerability in a network that network administration does not recognize.

Current measures of defense, such as perimeter defenses (firewalls, for example), threat signature detection (for malware, for example), and network monitoring using log files and event information, are all important. However, the increasing use of encryption makes deep packet inspection impossible (as the content of encrypted packets cannot be examined) and makes detecting problems more difficult. Further, the explosion in the number of endpoint devices — think of the number of mobile devices now connected to the corporate network — rapidly expands the risk landscape.

Dynamic endpoint modeling

Observable Networks’ Dynamic Endpoint Modeling takes a fresh approach to these problems. Endpoints are not only the traditional servers and mobile devices, but also anything connected to a network, such as a printer and all those new sensors that are associated with the Internet of Things. With its endpoint modeling technologies, Observable Networks puts a software sensor on each managed device. The sensor does not examine network packets themselves, but does collect the IP metadata that is associated with each packet and sends it on to Observable Networks’ cloud platform, i.e., security-as-a-service in the cloud. This means that the enterprise does not have to worry about deploying its own server-storage hardware, as well as all the hassles of managing yet one more security platform. Observable Networks deploys its analytical tools there.

Observable Networks describes its algorithms as “modeling and anomaly-detection techniques based on statistical, state-based, rule-based and learning theories that rapidly identify aberrant events, whether known to be normal, new, or potentially malicious”. Its automated security analytics quickly compare observed endpoint behaviors to its catalog of device profiles and dynamically learned behaviors.

Please note that while metadata is captured in real time and sent to the cloud for analysis, the response to threats may not always be real-time. Life is not that simple: threats are not always obvious immediately, as they can be multi-staged, and the analytics need to examine multiple behaviors that occur not at an instant but over time. Early-stage detection can lead to the prevention of problems, but that does not mean that all problems can be detected before some damage occurs, such as the exfiltration of data.
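To make the endpoint-modeling idea concrete, here is an added illustration (not Observable Networks’ code or algorithm) of what a per-endpoint model built only from flow metadata can do: it learns which destination ports and outbound volumes are normal for a device, scores later flows against that baseline, and, following the point above about multi-stage threats, only flags an endpoint once several deviations accumulate within a window. The endpoint names, addresses and byte counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow-metadata records: (endpoint, destination, dest_port, bytes_out).
# No payload is present, which is exactly the situation when traffic is encrypted.
BASELINE = [
    ("printer-1", "10.0.0.5", 9100, 4000),
    ("printer-1", "10.0.0.7", 9100, 5200),
    ("printer-1", "10.0.0.5", 9100, 4800),
    ("printer-1", "10.0.0.9", 9100, 3900),
]


def build_profile(flows):
    """Learn each endpoint's usual destination ports and outbound byte volumes."""
    profile = defaultdict(lambda: {"ports": set(), "bytes": []})
    for endpoint, _dst, port, nbytes in flows:
        profile[endpoint]["ports"].add(port)
        profile[endpoint]["bytes"].append(nbytes)
    return profile


def score_flow(profile, flow, z_threshold=3.0):
    """Return the reasons a flow deviates from its endpoint's model (empty list = normal)."""
    endpoint, _dst, port, nbytes = flow
    model = profile.get(endpoint)
    if model is None:
        return ["unknown endpoint"]          # a device never seen during learning
    reasons = []
    if port not in model["ports"]:
        reasons.append(f"new destination port {port}")
    mu, sigma = mean(model["bytes"]), pstdev(model["bytes"])
    if sigma > 0 and (nbytes - mu) / sigma > z_threshold:
        reasons.append(f"outbound volume {nbytes} bytes is {(nbytes - mu) / sigma:.1f} sd above baseline")
    return reasons


def review_window(profile, flows, min_findings=2):
    """Aggregate findings over a window of flows; an endpoint is reported only when
    several deviations accumulate, since a single odd flow is often benign."""
    findings = defaultdict(list)
    for flow in flows:
        for reason in score_flow(profile, flow):
            findings[flow[0]].append(reason)
    return {ep: rs for ep, rs in findings.items() if len(rs) >= min_findings}


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    window = [("printer-1", "10.0.0.5", 9100, 4500),
              ("printer-1", "203.0.113.10", 443, 900000)]  # constructed: printer talking HTTPS to an outside host
    print(review_window(profile, window))
```

A real deployment would learn far more features (peers, timing, protocol mix) and refresh the baseline continuously, but the structure is the same: no packet contents are needed to notice a printer suddenly sending large volumes to a new destination on a new port.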

However, getting the earliest possible detection is critical in preventing further damage, minimizing existing damage, and facilitating faster corrective action. That is critical, for example, in attacks on personally identifiable information. And Observable Networks’ approach is much more effective than finding out the problem well after the data horse has left the barn and the trail is cold.

Observable Networks makes another claim as well: it doesn’t overload the security department with false alarms. That can be very important, as organizations can become desensitized to alerts if there are too many false alarms, leading to real alarms being ignored.

Another claim that Observable Networks makes is cost-effectiveness, as it offers a multi-tenant cloud. That is important because only larger enterprises can afford some of the more sophisticated security technology, such as logging, whereas even smaller organizations can take advantage of Observable Networks’ approach. Moreover, Observable Networks can integrate with existing technologies, such as the collection of log files for analysis, to take advantage of what each technology offers and create an even more robust solution.

Mesabi Musings

Despite all their layers of security, enterprise networks are still vulnerable for many reasons, including user behavior, product bugs and protocol shortcomings. Moreover, in an era where privacy is a major consideration, more and more IP packets are encrypted. Unfortunately, privacy also extends to packets that are threats, and deep packet inspection is no longer possible. Still, these packets must have observable metadata, and that data can be analyzed to determine improper behavior. Observable Networks does just that, collecting packet-level metadata in real time from each network endpoint and passing it on to its cloud, where the metadata is examined for suspicious behavior.

Corrective action can then be taken, if necessary. All in all, Observable Networks’ Dynamic Endpoint Modeling qualifies as a valuable addition to the security portfolio of enterprises large and small.