Threat Hunting
SentryWire is a full packet capture system that enables security teams to apply new information to previously collected data in order to locate indicators of compromise and active threats attempting to evade detection. Threat hunting with SentryWire as the primary data source maximizes a security team's effectiveness by providing full packet analysis, analytics, reporting, improved alerting, retroactive signature-based searches, and file artifact carving, all in one.
An extended storage timeline of packets and corresponding logs provides multiple points of alignment for an organization's data retention policy:
Historical: Intrusions are almost never noticed or alerted on when they happen.
Operational: Identify sharp increases or decreases in network traffic.
Strategic: Apply analytics and advanced statistical analysis to your network log data.
Legal: Assist federal and local law enforcement agencies with investigations. SentryWire does not alter captured packets in any way, allowing a chain of custody to be established and used in legal proceedings as needed.
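The historical and legal points above both come down to one workflow: an indicator published today is searched against traffic captured weeks or months ago, and the retention window decides how much of that history is still available. The following is an added, self-contained example (not SentryWire's own code, data model or query API) that runs a retroactive indicator search over a constructed archive of session records and shows how the same indicator set yields different results under 7-, 30- and 90-day retention. The record layout, the indicator values and the retention windows are all assumptions made for this illustration.

```python
"""Retroactive indicator search over an archived network record store.

Illustrative example only: the record format, indicator list and retention
windows are constructed for this demonstration and are not SentryWire's
own data model or query interface.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Record:
    """One observed session, as a capture platform might summarise it."""
    ts: datetime        # first-packet time of the session
    src_ip: str         # internal host that initiated the session
    dst_ip: str
    dst_port: int
    host: str           # HTTP Host / TLS SNI seen on the wire, "" if none
    file_sha256: str    # hash of a carved file artifact, "" if none


# Fixed "now" so the example is deterministic (constructed).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed placeholder hashes; not real file hashes.
BENIGN_HASH = "a" * 64
MALICIOUS_HASH = "b" * 64

# Constructed archive spanning roughly three months of captured sessions.
ARCHIVE: List[Record] = [
    Record(days_ago(2),  "10.0.0.5",  "203.0.113.10", 443,  "updates.example.com", ""),
    Record(days_ago(5),  "10.0.0.9",  "198.51.100.7", 80,   "cdn.example.net", BENIGN_HASH),
    Record(days_ago(21), "10.0.0.12", "203.0.113.77", 8443, "beacon.example.test", ""),
    Record(days_ago(45), "10.0.0.5",  "203.0.113.77", 8443, "beacon.example.test", ""),
    Record(days_ago(80), "10.0.0.31", "192.0.2.44",   443,  "", MALICIOUS_HASH),
]

# Constructed indicator set, as if published in an advisory today.
IOCS: Dict[str, Set[str]] = {
    "ip": {"203.0.113.77"},
    "host": {"beacon.example.test"},
    "sha256": {MALICIOUS_HASH},
}


def match_reasons(r: Record, iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the indicator types this record matches (empty if none)."""
    reasons = []
    if r.dst_ip in iocs["ip"]:
        reasons.append(f"dst_ip={r.dst_ip}")
    if r.host and r.host in iocs["host"]:
        reasons.append(f"host={r.host}")
    if r.file_sha256 and r.file_sha256 in iocs["sha256"]:
        reasons.append(f"sha256={r.file_sha256[:12]}...")
    return reasons


def retro_search(records: List[Record], iocs: Dict[str, Set[str]],
                 retention_days: int) -> List[Tuple[Record, List[str]]]:
    """Search only the records still inside the retention window."""
    cutoff = NOW - timedelta(days=retention_days)
    hits = []
    for r in sorted(records, key=lambda x: x.ts):
        if r.ts < cutoff:
            continue  # already aged out of the capture store
        reasons = match_reasons(r, iocs)
        if reasons:
            hits.append((r, reasons))
    return hits


def pivot_sources(hits: List[Tuple[Record, List[str]]]) -> Set[str]:
    """Internal hosts that contacted an indicator: the next hunting pivot."""
    return {r.src_ip for r, _ in hits}


def earliest_contact(hits: List[Tuple[Record, List[str]]]) -> Optional[datetime]:
    """Earliest matching session, i.e. the start of the known timeline."""
    return min((r.ts for r, _ in hits), default=None)


if __name__ == "__main__":
    for days in (7, 30, 90):
        hits = retro_search(ARCHIVE, IOCS, days)
        first = earliest_contact(hits)
        print(f"{days:>3}-day retention: {len(hits)} hit(s); "
              f"hosts={sorted(pivot_sources(hits))}; "
              f"earliest={first.date() if first else None}")
```

With a 7-day store the indicator set matches nothing; with 30 days one beaconing session surfaces; with 90 days the search recovers the earlier beacon, the file-hash hit and the internal hosts involved, which become the next set of pivots for the hunt.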
SentryWire leverages a combination of network detection mechanisms to provide a flexible, lightweight, and adaptable Network Security Monitoring (NSM) capability for analysts who are tasked with protecting their organization's proprietary data and assets on the network.
SentryWire was designed to give analysts everything they need to identify and validate threats using network data, for efficient and effective threat hunting. The cybersecurity threat landscape is disproportionately asymmetric: advanced threat actors often need only one or two vulnerabilities to penetrate a network, and from a prevention perspective this is difficult to counter considering how often new vulnerabilities are published. An adversary must use the network in order to be successful in their attack, and fortunately it is very difficult for them to be perfect in a network environment where they must rely on some form of automation. This is where a packet capture system with an efficient detection capability comes into play: it lets your threat hunters turn what might have started as a single anomaly or trace into a dozen indicators after reviewing the packets and the corresponding log data.
Previously, with traditional IDS systems, a SOC team could spend almost all of its time in passive and reactive mode: waiting for an alert to trigger, then determining whether the alert is a false positive or a true positive, and only after establishing a true positive would an investigation start. Organizations using legacy systems that keep their analysts in a reactive-detection pattern will always struggle to gain an edge and catch an attack before it has time to spread. Consider that advanced threat actors will rehearse their attacks in labs on equipment similar to that of their target environment; this level of planning largely renders traditional reactive detection ineffective.
Analysts with access to SentryWire who use active detection techniques to hunt threats will typically not only have a much higher probability of detecting APT attacks, they will also do so much faster. When facing a "zero-day" vulnerability, the contrast between analysts with and without access to full packet capture over an extended timeline is even sharper: packet data may be the only data source they have, and systems that store only a few days of traffic will not suffice.