Looking back at many of the worst data breaches we have seen so far, one element is common to them all: the attacks were not detected while they were active on the victims' internal networks.
It is easy to think of the internal network as what is on site and under direct control. An organization's internal network, however, also extends beyond the premises to instances in the public cloud and to off-site hosted data centers.
Why does this matter? Network perimeter defenses monitor, and therefore protect, only a portion of the attack surface, perhaps 20%. Once a threat gets inside the network it spreads laterally and goes undetected. If you watch only this north-south traffic at the perimeter, you remain exposed to the kind of breaches described above. Visibility into internal, east-west, traffic supplies the information needed to detect threats earlier in the kill chain, while they are still propagating.
ARIA Cybersecurity Solutions has developed an integration with Sumo Logic’s Continuous Intelligence Platform to close this network-visibility gap. With this integration, the ARIA SDS Packet Intelligence application feeds NetFlow metadata from every network packet to the Continuous Intelligence platform, including those east-west paths that are typically overlooked.
Once this data is available in the Continuous Intelligence platform, security professionals can quickly create queries to generate more accurate, comprehensive, and actionable dashboards. This real-time information enables them to conduct incident investigations related to ransomware, malware, intrusions including advanced persistent threats (APT), data exfiltration attempts, and other potential threats—all so they can take action and stop threats before significant harm is done.
Using the ARIA SDS Packet Intelligence Application within a Sumo Logic environment empowers end users to:
- Identify hard-to-detect attacks in real time, early in the kill chain.
- Accelerate investigative response, letting security analysts verify threats through automated workflows.
- Stop attacks at the threat-conversation level: critical production or IoT devices can stay online while the offending conversations are blocked until the issue is resolved.
- Visualize all internal network traffic, including traffic between devices, virtual machines, containers and IoT, so that proper connectivity policies can be developed, monitored, and enforced.
Sumo Logic collects ARIA Packet Intelligence NetFlow information as either logs or metrics.
Once you have configured your collectors, the Sumo Logic apps can be installed. Navigate to the Apps Catalog in your Sumo Logic instance and add the “ARIA Packet Intelligence” app to your library after providing references to sources configured in the previous step.
For details on the app installation and configuration, please refer to the documentation for ARIA Packet Intelligence and Sumo Logic help.
Using ARIA SDS Packet Intelligence
Once the app is installed and configured, users can leverage the ARIA SDS Packet Intelligence dashboards to visualize network traffic as well as the threat landscape. Let's take a closer look at these.
Queries and dashboards
The ARIA SDS solution gives SOC teams the ability to stop threats as they are detected, minimizing harm. To get started, the ARIA Cybersecurity team has created a set of example queries and dashboards that detect cyber threats and attacks and visualize all internal network traffic communications.
Network Traffic Visibility Dashboard
The ARIA Packet Intelligence application generates unsampled NetFlow or IPFIX metadata for every network packet. This enriched data lets the dashboard visualize, profile, and trend all internal network traffic, and the visualizations can be drilled into to highlight possible network-segmentation gaps.
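The two points above, north-south versus east-west classification and the use of per-flow metadata to expose segmentation gaps and lateral movement, are easy to make concrete. The following Python is an added example written for this page, not code from ARIA or Sumo Logic, and it does not use either product's query language or record format. It runs over constructed NetFlow-v5-like records (a hypothetical `Flow` tuple), a hypothetical three-segment network model (`SEGMENTS`, `ALLOWED_PAIRS`) and an assumed list of remote-administration ports, and produces the three things a visibility dashboard would surface: a traffic profile by direction, east-west flows that violate the segmentation policy, and internal hosts fanning out over admin ports to several internal peers.

```python
"""Added example (not ARIA or Sumo Logic code): classify NetFlow-style records
into north-south vs east-west traffic, then flag segmentation-policy gaps and
lateral-movement fan-out. Record shape, segments and policy are assumptions."""
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes: int


# Constructed sample flows in a hypothetical NetFlow-v5-like shape (not real capture data).
FLOWS = [
    Flow("10.10.1.5", "93.184.216.34", 443, "tcp", 5200),   # user -> internet
    Flow("10.10.1.5", "10.20.0.10", 443, "tcp", 900),       # user -> server (allowed)
    Flow("10.30.0.7", "10.20.0.10", 445, "tcp", 1200),      # IoT -> server over SMB (policy gap)
    Flow("10.10.1.9", "10.10.1.20", 445, "tcp", 700),       # one workstation sweeping SMB/RDP...
    Flow("10.10.1.9", "10.10.1.21", 445, "tcp", 650),
    Flow("10.10.1.9", "10.10.1.22", 3389, "tcp", 2100),
    Flow("10.10.1.9", "10.20.0.10", 445, "tcp", 800),       # ...and reaching into the server segment
    Flow("198.51.100.4", "10.20.0.10", 22, "tcp", 300),     # internet -> server (inbound north-south)
    Flow("10.20.0.10", "10.30.0.7", 8883, "tcp", 400),      # server -> IoT (policy gap)
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical segmentation model: named segments and the allowed (src, dst) segment pairs.
SEGMENTS = {
    "user": ipaddress.ip_network("10.10.0.0/16"),
    "server": ipaddress.ip_network("10.20.0.0/16"),
    "iot": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED_PAIRS = {("user", "user"), ("user", "server"), ("server", "server"), ("iot", "iot")}

# Assumed remote-administration ports, a common lateral-movement vector (SSH, SMB, RDP, WinRM).
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def direction(flow: Flow) -> str:
    """'east-west' when both endpoints are internal, 'north-south' when exactly
    one is; 'external' flows should not appear on an internal tap at all."""
    internal_endpoints = int(is_internal(flow.src)) + int(is_internal(flow.dst))
    return {2: "east-west", 1: "north-south", 0: "external"}[internal_endpoints]


def segment_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def traffic_profile(flows):
    """Flow count and byte volume per direction: the baseline a visibility dashboard trends."""
    counts, volume = Counter(), Counter()
    for f in flows:
        d = direction(f)
        counts[d] += 1
        volume[d] += f.bytes
    return dict(counts), dict(volume)


def segmentation_violations(flows):
    """East-west flows whose (src segment, dst segment) pair is not in the allowed policy."""
    hits = []
    for f in flows:
        if direction(f) != "east-west":
            continue
        pair = (segment_of(f.src), segment_of(f.dst))
        if None not in pair and pair not in ALLOWED_PAIRS:
            hits.append((f.src, f.dst, f.dst_port, pair))
    return hits


def lateral_fanout(flows, threshold=3):
    """Internal sources that open admin-port connections to >= threshold distinct
    internal hosts: the 'threat conversations' a blocking policy would target."""
    targets = defaultdict(set)
    for f in flows:
        if direction(f) == "east-west" and f.dst_port in ADMIN_PORTS:
            targets[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print(traffic_profile(FLOWS))
    print(segmentation_violations(FLOWS))
    print(lateral_fanout(FLOWS))
```

Note that the fan-out check deliberately considers only east-west flows: the inbound SSH connection from 198.51.100.4 is a perimeter (north-south) event and is left to perimeter controls, while the workstation touching four internal peers over SMB and RDP is exactly the propagation pattern that perimeter monitoring alone never sees. The segment pairs in `ALLOWED_PAIRS` stand in for the connectivity policy the page says should be developed from the traffic profile; any east-west flow outside them is a candidate segmentation gap to investigate.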
Threat Summary Dashboard
The Threat Summary dashboard provides an at-a-glance view of network security: the threats and policy violations being detected, broken out by type, with the ability to investigate the communication details behind each one to better monitor your security posture.
Getting started is easy
The ARIA SDS solution complements Sumo Logic well: improved network visibility naturally leads to better threat-search queries that identify and stop cyberattacks.
This integration between the Sumo Logic Continuous Intelligence Platform and the ARIA SDS Packet Intelligence application is built to find and stop the types of cyber-attacks that do the most harm. It reduces both the time to investigate security threats and the effort to stop them when used together with the Continuous Intelligence Platform's SOAR apps.
To get started, check out the ARIA SDS Packet Intelligence App.
If you don’t yet have a Sumo Logic account, you can sign up for a free trial today.