Threat intelligence may be the hottest topic in infosec, according to Matthew Wollenweber, a research director with the Gartner for Technical Professionals security and risk management group. But finding suspicious traffic doesn't always require expensive or complex tools. Using a combination of NetFlow, SiLK (the free NetFlow analysis toolkit from CERT) and the Emerging Threats blocklist, Wollenweber walks readers through a process to determine whether any internal host is sending data back to a malicious host.
"Any traffic involving a blocklist is suspicious, but if you have a large network getting scanned, [it's] inevitable," he says. Wollenweber cites the complexity of managing most threat intelligence systems and making sense out of all the information that they present.
For enterprises that lack the semi-automation of a SIEM platform, SiLK and the Emerging Threats blocklist can present a "free and awesome" way to spot suspicious network traffic. The thing to look for in the output is direction: inbound connections from blocklisted addresses are mostly scanning noise, whereas an internal host initiating connections to a blocklisted address is a callback. Wollenweber advises that if there is no sign of callbacks, the traffic is likely to be non-malicious.
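The triage logic the post describes, as an added example that is not Wollenweber's own code or output: load a blocklist, match flow records against it, and separate inbound hits (scans) from outbound hits (possible callbacks). The flow records imitate the columns SiLK's rwcut prints, but both they and the blocklist are constructed for this example; the internal address range is assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed blocklist in the Emerging Threats style (one IP or CIDR per
# line, '#' comments). These are documentation addresses, not real feed data.
BLOCKLIST_TEXT = """\
# constructed sample blocklist
203.0.113.0/24
198.51.100.77
"""

# Constructed flow records, laid out like `rwcut --fields=sIP,dIP,sPort,dPort,
# pro,packets,bytes` output. 203.0.113.5 sweeps SSH on three internal hosts;
# 10.0.0.23 repeatedly connects out to 198.51.100.77 on 443.
FLOWS_TEXT = """\
sIP|dIP|sPort|dPort|pro|packets|bytes|
203.0.113.5|10.0.0.8|44123|22|6|1|40|
203.0.113.5|10.0.0.9|44124|22|6|1|40|
203.0.113.5|10.0.0.10|44125|22|6|1|40|
10.0.0.23|198.51.100.77|51022|443|6|38|21044|
10.0.0.23|198.51.100.77|51030|443|6|41|22310|
10.0.0.8|192.0.2.10|51100|80|6|12|3800|
"""

# Assumed site address space; adjust to your own allocation.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def load_blocklist(text):
    """Parse IPs and CIDR blocks; ignore blank lines and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def on_blocklist(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def parse_flows(text):
    """Turn pipe-delimited rwcut-style text into a list of dicts keyed by column."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [h.strip() for h in lines[0].split("|") if h.strip()]
    rows = []
    for l in lines[1:]:
        vals = [v.strip() for v in l.split("|")]
        rows.append(dict(zip(header, vals)))
    return rows


def triage(flows, nets):
    """Split blocklist hits by direction.

    inbound:  blocklisted source -> internal host (scan noise), count per source
    outbound: internal host -> blocklisted destination (callback), flows and
              bytes per (src, dst) pair
    """
    inbound = defaultdict(int)
    outbound = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        sip, dip = f["sIP"], f["dIP"]
        if on_blocklist(sip, nets) and ipaddress.ip_address(dip) in INTERNAL_NET:
            inbound[sip] += 1
        elif ipaddress.ip_address(sip) in INTERNAL_NET and on_blocklist(dip, nets):
            outbound[(sip, dip)]["flows"] += 1
            outbound[(sip, dip)]["bytes"] += int(f["bytes"])
    return dict(inbound), dict(outbound)


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    inbound, outbound = triage(parse_flows(FLOWS_TEXT), nets)
    for src, n in inbound.items():
        print(f"inbound scan  {src}: {n} flows (expected noise)")
    for (src, dst), s in outbound.items():
        print(f"CALLBACK      {src} -> {dst}: {s['flows']} flows, {s['bytes']} bytes")
    if not outbound:
        print("no callbacks: blocklist hits are likely non-malicious")
```

Against a real SiLK repository the same filtering is done natively: build the blocklist into an IP set with rwsetbuild and run rwfilter with --dipset for outbound candidates and --sipset for inbound ones; the script only shows the decision logic. Note that flow records are unidirectional, so for a suspected callback it is worth confirming the reverse flow (blocklisted host back to the internal host) before escalating.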
For companies evaluating the purchase of a threat intelligence feeds service, an exercise like this can help verify if they are ready to define a threat intelligence strategy, Wollenweber says.
Check out more of Wollenweber's thoughts on threat intelligence.
Datiphy dives deep into database monitoring
Drew Conry-Murray, IT strategist and co-host of the "Network Break" podcast, is no stranger to understanding the security risks faced by today's networks. Last week, on the PacketPushers blog, he fixed his attention on a new entrant into the network security space -- startup Datiphy Inc. Like other companies in its segment, Datiphy focuses on keeping networks safe through database monitoring. But its approach is different. By assuming that network breaches are inevitable, Datiphy's software aims to beat hackers to the punch by alerting network admins the moment something goes haywire.
To do that, Datiphy deploys an array of tools, including probes and agents, to track malicious activity. Conry-Murray writes that the software can send alerts if there is any suspicious activity around confidential information. To ensure operators aren't deluged with false alarms, Datiphy uses a baseline of normal activity as a foundation.
See what else Conry-Murray has to say about Datiphy.
Riverbed approaches networks with a new angle
Network consultant John Herbert shares some of his insights about Riverbed Technology and its SD-WAN strategy on MovingPackets. Riverbed, Herbert writes, is pursuing a different strategy than its competitors, which, for the most part, are focused on monitoring WAN links to determine which link best meets an application's specific needs.
Riverbed is exploiting what it knows best: WAN optimization. Instead of selecting which link to use, Riverbed is examining how to most effectively manage a hybrid WAN, and then determine how to best route data flows to fine-tune performance. Add in Riverbed's long expertise in WAN optimization through various compression and caching techniques, and Herbert claims that Riverbed offers enterprises a compelling story.
That said, Herbert also examines some of the security implications of Riverbed's SSL-centric transport strategy, citing the vendor's use of hardware security modules (HSMs) as a way to keep private SSL keys out of physically insecure branch offices.
Get Herbert's opinion on Riverbed's new approach.