Network Forensics & Security Analytics

Symantec Security Analytics Plays Key Role in NIST Practice Guide

NIST created the Detecting and Responding to Ransomware and Other Destructive Events Practice Guide to assist organizations in the fight against ransomware and other destructive events.

What is NIST?

The U.S. Congress established the National Institute of Standards and Technology (NIST) was founded in 1901. NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST strives to be the world's leader in creating critical measurement solutions and promoting equitable standards. Their efforts stimulate innovation, foster industrial competitiveness, and improve the security of organizations.

NIST has developed the Cybersecurity Framework – a policy framework of security guidance on protecting and developing resiliency for critical infrastructure and other sectors to improve their ability to prevent, detect and respond to cyber attacks – which has found adoption worldwide.

 
What is the NIST NCCoE Project?

The National Cybersecurity Center of Excellence (NCCoE), a part of NIST, is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity challenges. The NCCoE applies existing standards to develop an easily adaptable example of cyber security solutions using commercially available technology.

Due to the increasing threat from ransomware and other large-scale cyber events, NCCoE at NIST looked at lessons learned and created the Detecting and Responding to Ransomware and Other Destructive Events Practice Guide to help organizations detect and respond to data integrity events. More specifically, for the first time, this project looked at the entire lifecycle of a data integrity attack. The project provides practical, real-world guidance, following the principles in the NIST Framework for improving Critical Infrastructure Cybersecurity to combat ransomware, malware, insider threats, and even honest mistakes that present an ongoing threat to organizations' infrastructure. 

This project included the development of a reference architecture using commercially available technologies, working in concert, to show an example solution that various organizations can use as a guide to implementing more robust security controls within a network. 

How was Symantec Security Analytics involved?

The NCCoE sought existing technologies that provided the following capabilities:

• event detection 
• forensics/analysis  
• integrity monitoring 
• logging 
• mitigation and containment  
• reporting

Security Analytics was purposely selected as a forensic/analytics component to aid in the overall solution of the capability needed to understand the source and scope of a Data Integrity (DI) event while preserving the full (historical) network evidence. Security Analytics acted as a DVR during the various test cases. It captured, indexed, classified, and enriched all network packets to recreate the compelling artifacts. Security Analytics performed extensive traffic analysis and created reports for all network traffic and related events. 

ArcSight was used for correlation capabilities of logs collected from almost all the other components. Symantec's Information Centric Analytics (ICA), a User Behavior Analytics component, provided additional analysis capabilities for logs as well as aggregation - visualization of certain potentially malicious movements within the enterprise. 

NCCoE Analysts pivoted directly from ArcSight Alerts into Security Analytics to get the full contextual details and necessary evidence needed. They were able to see the complete picture of all events happening before, during, and after an alert.

Figure 1: integrating Security Analytics with ArcSight

The NIST exercise validates that Forensic and Analytics Capabilities are mandatory for informing and fostering an organization's defense against current and future attacks. Furthermore, it just isn't possible to know every future attack; this is one of the biggest reasons our customers rely on Security Analytics for full network capture, monitoring, and incident response support.

We want to thank the NIST NCCoE team for allowing Symantec the opportunity to participate and help expose the need for network forensics and incident response as part of protecting against ransomware and other destructive events. We are happy to support NCCoE with the operationalization of our solution and the ability to train on various scenarios and use cases.

Download the full report here:

https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond