When it comes to network security, the old adage that a good offense is the best defense should be reframed as good analysis is the best defense. Attackers are continually adapting to the security controls enterprises put in place. In spite of all the technical controls an organization may deploy, humans are the perpetual weak link in security defenses. It takes just one rushed executive skimming email and clicking on a spear phishing lure to give an attacker a way into a company's systems. If we start with the assumption that our systems will be attacked -- and they will be compromised at some point -- then it logically follows that we need a means to detect such attacks and contain them as quickly as possible.
Pravail Security Analytics from Arbor Networks is designed for the way attackers function. Deployed as an appliance or a cloud service, the monitoring and security analytics platform employs full packet capture to detect various signals of an attack. For example, an attacker may use a phishing attack to trick a user into downloading a remote control program, which is then used to gather data on an organization's network and devices. The initial attack and the subsequent information collection stage leave different traces in the history of network traffic.
Full packet capture enables the analytics programs to detect and correlate these distinct patterns. This yields large volumes of data that lead to insight only with proper analysis, reporting and visualization tools.
Integrated view of events
The Pravail Security Analytics platform, for example, creates a timeline of events so analysts can correlate multiple steps in a single attack. Analysts can also use timelines to recreate the sequence of events in an attack to help understand how the attack unfolded. Visualization is a must-have feature when dealing with large volumes of data that lends itself to analysis from different perspectives. Analysts may want to view some data based on target or location at some times, and in other cases they may need to view data on multiple attacks from the attacker or attack type dimension.
Another benefit of full packet capture is the ability to analyze historical data for signs of an earlier attack. Major security vendors continually collect global intelligence about the state of cyberthreats; the Pravail Security Analytics product leverages threat intelligence data from Arbor Network's Active Threat Level Analysis System. Information about a new mode of attack may come to light only after it has been in use for some time. The product uses processes to analyze previously collected data and search for new attack patterns.
Pravail Security Analytics uses a collector and controller approach. Enterprises can deploy multiple collectors to multiple locations to ensure high speed collection of data and scale up storage to meet network demands. Collectors perform real-time analysis on data streams to search for known attack signatures. Controller appliances centralize management of collectors and analysis of data provided by collectors. The controller also supports the user interface to the application, and allows for querying of metadata and storage of deep packet analysis results. Pravail Security Analytics can be deployed three different ways: as a combination of controller and collector appliances for on-premises environments, as a cloud service (Pravail Security Analytics in the Cloud), or with an on-premises collector and a cloud-based controller.
Pricing and support
Pravail Security Analytics is available for a free demo or 30-day trial; more information on enterprise pricing can be obtained by contacting the company. Support services include access to professional services that can provide dedicated support engineers, resident engineers as well as staging and implementation assistance. Support contracts offer 24/7 access to technical support, a customer support portal and software updates. Arbor Networks works with service delivery partners, that can provide additional information on cost, licensing and related services.
Constant and comprehensive monitoring of network traffic is an increasingly important tool for security analysts. Pravail Security Analytics uses a distributed set of collectors and controllers to accumulate, analyze and store network data. It also provides real-time analysis as well as visualization and analysis from multiple dimensions. The ability to loop through previously collected data and review for newly discovered attack signatures is especially important for applying the latest intelligence to events, even those that happened in the past.
Organizations that need the benefits of security analytics but may not have sufficient staff in house can benefit from working with Arbor Networks and its partners. Companies in regulated industries that need to protect private and confidential information may also benefit from a comprehensive security analytics platform such as Arbor Networks' offering.
Part one of this series explains the basics of security analytics products
Part two examines the use cases for security analytics
Part three looks at how to procure security analytics products
Part four compares the best security analytics products on the market