TLDR: Metadata and anomaly analysis are good first-pass detection in the SOC. However, metadata delivers only circumstantial evidence, not concrete proof. For proof, you need decrypted visibility to the packet and payload traffic.
Read Time: 2 minutes, 6 seconds
When packets are encrypted, circumstantial metadata evidence and behavior anomalies are all that SOC analysts have to go on. Alert triage and triangulation takes time. SecOps analysts will ask, “Is this alert legit? Is it a false positive? Is it a real threat that needs escalation?”
Just like a detective, a good analyst will be able to solve the case eventually, but they’d like to be able to solve it fast. The difference between spending time to determine if there’s even a problem, or if it’s just someone working late at night in a remote location, can be the difference between a real threat getting through vs. being stopped.
Metadata and context-based solutions like log, netflow, anomaly detection and JA3 are important arrows in the security professional’s quiver; but these should rarely be relied upon as the sole solution. For that, decrypted visibility is the only solution that delivers hard proof instead of circumstantial evidence.
Nubeva Video: https://www.youtube.com/watch?v=AFZCdh6MBN0&t=2s
Metadata-based analysis may tell you there is a party going on in a certain house on a certain street if you know enough to look in that neighborhood. But it won’t tell you who is at the party or what they’re doing in the house. Is it a dinner party or a flash-mob? Were the people invited or are they crashing? To see the people at the party, you need access to packets.
In many organizations that rely only on metadata for security monitoring, they may see the party in progress and then turn on packet capture. If all goes well, they might get a peek inside the house while the party is still happening. Unfortunately, by the time pcaps and tcpdumps are running, the party is over. This means the analyst monitoring the situation has to wait and hope that another party in the same house happens again. Only then can the SecOps analyst catch a glimpse of who is attending and what’s going on in there.
With on-demand, real-time decryption, you get concrete proof instead of more circumstantial evidence. With decryption, your IDS, DLP, DPI and visibility tools like Wireshark and Moloch can see the payload, you can evaluate the packets and spot the malware, the privilege escalation, the data exfiltration. In short, you can weed out the junk.
Ultimately this means faster validation, escalation and resolution times.
It means more certainty and less guess-work.
It means rapid triage that allows you to focus on the most important events and alerts that represent real threats.
It means better security, greater visibility and faster speed.
For more on decryption, visit www.nubeva.com/decryption