What Is Network Metadata, and Why Do I Need It?
Data, data everywhere, but what to keep and use? In the era of near-total data, SOC teams and analysts can become swamped by the sheer volume. And that’s before we even get to the cost of data ingestion and storage! In this blog, we will explore the value of network metadata, and why we just can’t get this level of visibility elsewhere.
Whooah! Back-up for a second… What is network metadata?
Network metadata is a record of all communications that occur within the network. It records the what, when, where and whom of network communications. Network captures (pcaps) are full-fidelity data streams where the connection and payload information are captured. Pcaps are unwieldy due to their size and tend to be used only in highly targeted scenarios. Network metadata provides similar visibility to pcaps. However, network metadata is far more scalable and can enable whole network monitoring.
We already have firewall logs – so we’re covered, right?
Wrong! Firewalls are typically deployed as perimeter defence. They typically only see traffic as it transits across the firewalls. Firewalls give zero visibility to that traffic once it leaves the device and are totally blind to internal network traffic.
Whole network metadata solutions leverage network TAPs or SPANs to capture traffic within your network as it moves out-in, in-out and in-in. This gives visibility as the traffic comes in from the outside, as well as for all traffic regardless of origin as it traverses your internal network. Whole network metadata therefore delivers unparalleled visibility into all traffic in your network.
But we have EDR and event logs - don’t they give us full visibility into internal network traffic?
Nope – Endpoint Detection and Response (EDR) and event logs are an excellent source of information, but do not give you full visibility into your internal network traffic. Typically, EDR and event logs will only cover managed devices. They will not cover unmanaged devices, IoT devices, network printers, IP cameras or even connected thermostats! Unmanaged devices can frequently be the source of a network intrusion and can be used by an attacker to gain persistent access to the network.
Relying only on EDR and/or managed device event logs can result in playing a game of whack-a-mole with the attacker as you struggle to find how and where the attacker is hiding in your network.
Vectra’s approach to network metadata – and what you can do with it!
Vectra Detect finds attack behaviours in your network across managed and unmanaged devices.Our network metadata compliments our full-network behavioural detections by enabling you to fully investigate and take decisive action in rooting out the attackers.
Vectra network metadata is Zeek-formatted (aka Bro) so you can quickly and easily migrate your existing Zeek workloads. Starting from scratch with Vectra network metadata is also quick and easy since you can easily leverage content created by the large Zeek community.
Vectra has substantially enhanced the network metadata through the addition of concepts such as Hosts. We also incorporate AI and ML enrichments to better understand and contextualize the data. Vectra continuously invests in these enhancements in conjunction with our world-class security researchers and data science teams.
Vectra Stream is a data-pipeline product that enables you to store this data in your SIEM, data lake or cloud storage. Vectra Recall is a hosted data platform that guarantees availability and operability of data and unlocks additional value from that data. Leveraging Recall and/or Stream enables you to investigate, hunt, analyse, and fulfill compliance and audit scenarios.
Vectra’s tremendously powerful, AI and ML-enhanced network metadata enables you to:
In addition, you can leverage Vectra Recall to: