Shoring up SOAR with deep packet inspection


by John Bonzey
published on: 25.04.2022

Modern companies depend on software applications run from a range of servers on a variety of devices. These applications, servers and other equipment may be physical or virtualized, but they all communicate over a network that is managed and safeguarded by a wide range of security policies, tools and implementations. As traffic grows, these tools add administrative overhead and complexity to the network, creating bottlenecks for the enterprise. Security orchestration, automation and response (SOAR) is a system for managing the proliferation of such tools and activities in a way that is well integrated and does not require continuous human oversight.

Breaking down silos

The orchestration component of SOAR brings together various tools such as vulnerability scanners, behavior analytics, firewalls and IDS/IPS so that the combined information is greater than the sum of its parts. Because of the vast amount of data this process collects, it can also be automated: the SOAR system runs analyses for each possible security incident and produces diagnoses that initiate the appropriate response. Overall, SOAR endeavors to automate the collection of security incident information, coordinate the exchange of inputs between different network security tools, automate their analysis using human and machine intelligence, automate the definition and sequencing of responses, and thus establish a standard incident response framework for the entire network and all users.

Traditionally, aggregating information from various network tools, diagnosing issues and deciding on a response required a central security management team. Such a workflow leaves each tool working in a silo without feedback from the other tools and does not yield a cohesive response framework with consistent prioritization. SOAR systems circumvent this by bringing everything together in a single methodology that diagnoses the root cause of a problem and produces coordinated responses to its various aspects. In doing so, SOAR protects network assets and infrastructure, sustains network performance and preserves the customer experience.

Visibility: SOAR’s invisible component

In order to implement this orchestration, automation and response framework, it is first necessary to know what is going on in the network. In other words, network intelligence is of paramount importance. An advanced deep packet inspection engine such as R&S®PACE 2 by ipoque adds exactly this capability to a security toolset. The OEM DPI software R&S®PACE 2 delivers network traffic identification and classification using behavioral, heuristic and statistical analyses and also performs metadata extraction. It enables the identification of suspicious behaviors, anomalies and malicious traffic and the classification of packets by protocol, application and service, extending this to traffic flows that are encrypted, obfuscated or anonymized. Such information is delivered in real time rather than after the fact.

The functionalities of R&S®PACE 2 complement each of the aspects of security management defined by SOAR, namely data aggregation and analysis. This builds on the ability of R&S®PACE 2 to deliver network traffic insights to a wide range of security tools. With SOAR, the role of the DPI engine R&S®PACE 2 becomes even more pertinent, as it goes beyond detecting threats on the network to supporting the orchestration of multiple security tools with highly accurate, centralized network intelligence. This intelligence also fuels security automation built on AI techniques such as ML and DL, and it is particularly critical in realizing an effective response system that involves various triggers and actions across the very disparate tools deployed to monitor, prevent and manage security threats on the network.

How does DPI-driven analytics support security orchestration and automation?

Specifically, R&S®PACE 2 can trace and provide real-time information and analysis on a wide range of activities that can be precursors to security attacks. These include a surge in the number of requests for an application or from a single user, concurrent requests from a single device, unusual authentication activity such as multiple password re-entries, and unusual patterns of connection requests to sensitive sites (e.g. banking sites).

It can also identify abnormal behavior by an individual user, for example a large number of outgoing emails or a sudden surge in bandwidth consumed. Continuous denial of service by an application, a sudden drop in traffic, slowing speeds, high latency and poor SLA fulfillment are other indicators on the application and network side that can point to an attack. These anomalies can also be detected at the resource level, in the form of elevated CPU and memory usage, network devices and functions that show signs of malfunctioning through reduced throughput and speed, and other network errors such as high packet loss.

This data, when built into SOAR along with the corresponding monitoring frequencies and acceptable thresholds, creates a repository of input data that can be used to orchestrate and automate security actions. The same data can be leveraged to support incident diagnosis via granular insights on protocols, applications, services, users, devices, network points, infrastructure, links, clouds, etc., each of which can be either the source or the target of security attacks. For example, overuse of an email application can indicate its involvement in phishing activities. Slow speeds and high latency can indicate that network resources are being diverted to undesired activity, such as DDoS attacks, as can high resource usage, while a surge in bandwidth can be a marker of illegal tethering or a large-scale data breach.
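As an added illustration of the threshold-driven repository described above (example code, not part of the original article or of R&S®PACE 2), the following Python script aggregates constructed DPI flow metadata per user and per application, compares it against acceptable thresholds and maps each triggered indicator to a hypothetical SOAR playbook action. The field names, thresholds and playbook names are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample of DPI-derived flow metadata (hypothetical field names,
# not the real R&S PACE 2 output format): one record per classified flow.
FLOWS = (
    [{"user": "alice", "app": "smtp", "bytes_out": 2_000, "auth_failures": 0}] * 60
    + [{"user": "bob", "app": "https", "bytes_out": 1_500, "auth_failures": 1}] * 8
    + [{"user": "carol", "app": "https", "bytes_out": 120_000_000, "auth_failures": 0}] * 5
    + [{"user": "dave", "app": "https", "bytes_out": 500, "auth_failures": 0}] * 3
)

# Acceptable thresholds per monitoring window (assumed values for the example).
THRESHOLDS = {
    "smtp_flows_per_user": 50,          # outgoing-mail surge -> possible phishing
    "auth_failures_per_user": 5,        # repeated password re-entries
    "bytes_out_per_user": 500_000_000,  # bandwidth surge -> tethering / data breach
    "flows_per_app": 50,                # request surge on a single application
}

# Hypothetical SOAR playbook names triggered by each indicator.
PLAYBOOK = {
    "smtp_surge": "quarantine_user_and_alert_mail_admin",
    "auth_failure_surge": "require_step_up_auth",
    "bandwidth_surge": "rate_limit_and_alert_netops",
    "app_request_surge": "enable_extra_screening_for_app",
}


def aggregate(flows):
    """Roll up per-flow DPI metadata into per-user and per-application counters."""
    per_user = defaultdict(lambda: {"smtp": 0, "auth_fail": 0, "bytes_out": 0})
    per_app = defaultdict(int)
    for f in flows:
        stats = per_user[f["user"]]
        if f["app"] == "smtp":
            stats["smtp"] += 1
        stats["auth_fail"] += f.get("auth_failures", 0)
        stats["bytes_out"] += f["bytes_out"]
        per_app[f["app"]] += 1
    return per_user, per_app


def evaluate(flows, thresholds=THRESHOLDS):
    """Return (subject, indicator, playbook_action) triples for every threshold breach."""
    per_user, per_app = aggregate(flows)
    actions = []
    for user, s in sorted(per_user.items()):
        if s["smtp"] > thresholds["smtp_flows_per_user"]:
            actions.append((user, "smtp_surge", PLAYBOOK["smtp_surge"]))
        if s["auth_fail"] > thresholds["auth_failures_per_user"]:
            actions.append((user, "auth_failure_surge", PLAYBOOK["auth_failure_surge"]))
        if s["bytes_out"] > thresholds["bytes_out_per_user"]:
            actions.append((user, "bandwidth_surge", PLAYBOOK["bandwidth_surge"]))
    for app, n in sorted(per_app.items()):
        if n > thresholds["flows_per_app"]:
            actions.append((app, "app_request_surge", PLAYBOOK["app_request_surge"]))
    return actions


if __name__ == "__main__":
    for subject, indicator, action in evaluate(FLOWS):
        print(f"{subject:6} {indicator:20} -> {action}")
```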

SOARing with DPI

When it comes to incident response mechanisms, R&S®PACE 2 identifies the target of these responses and provides feedback on the effectiveness of each response. This applies at the first level of responses, which includes blocking, quarantining or denial of packets, protocols and applications, blocking of devices and users, and continuous scrutiny. It extends to the implementation of additional security screening of incoming flows, or extra authentication for particular groups of users, applications or sources of traffic. DPI also helps at the second level of response by identifying vulnerabilities in the network that require continuous tracking, along with the corresponding alerting mechanisms that need to be put in place, for example automated alerts to application managers or network administrators. R&S®PACE 2 can also be deployed to track the effectiveness of these responses through post-implementation data gathering on the relevant users, applications and infrastructure.

Overall, while SOAR is a thorough improvement on legacy methods of analyzing and responding to threats, it still lacks the capability to procure reliable intelligence on its own. It is for this reason that SOAR is best paired with a sophisticated network traffic visibility tool such as R&S®PACE 2 by ipoque. Together, the two can secure corporate networks and operations fully, from the first indication of a threat to its complete remediation.


John Bonzey


John Bonzey is the sales manager for the American market, which he has successfully opened for ipoque since joining Rohde & Schwarz in 2013. John has strong expertise in software and hardware system solutions for network operators, enterprises and OEM market segments. John lives with his family in Boston, Massachusetts, and is a passionate ice hockey player and adventurous snowmobiler.

Email: John.Bonzey@rsa.rohde-schwarz.com
