NETSCOUT Omnis IDS in Action Use Case


USE CASE | ENTERPRISE

NETSCOUT Omnis IDS in Action Use Case – Exporting Events to Security Ecosystem to Troubleshoot Ursnif Malware

A new breed of cybersecurity threats has garnered extensive media coverage, with some industry reports citing a 900% increase in malware instances in calendar year 2020. However, as described in this Use Case, a malware attack need not be part of this new breed of cybersecurity threats in order to impair business service performance. Lastly, we know that it's not if, but when the events happen, and whether organizations are truly prepared to address those events rapidly, succinctly, and with repeatable processes. For the Security Operations (SecOps) team profiled in this Use Case, the NETSCOUT Omnis Intrusion Detection System (Omnis IDS) improved the efficiency of their malware identification and response processes. Omnis IDS also enabled SecOps analysts to use established workflows in their Splunk Enterprise security information and event management (SIEM) remediation tool by enabling the universal forwarder to export events to Splunk for complete visibility and correlation with other security systems.

Issue

As part of their daily network monitoring activities, the company's SecOps team identified a potential security event, which prompted the issuance of an associated service ticket. In response, a front-line Tier 1 Security Analyst used the NETSCOUT Omnis IDS to conduct a preliminary investigation into this event, recognizing that the solution allows for effective and timely event response as incidents occur, which is critically important to SecOps teams everywhere.

Impact

Given the location of the security event across data center operations and the user's information regarding the impact on host server performance, transaction delays associated with this issue could result in lost productivity or, in a worst-case scenario, service downtime.

Troubleshooting

Accessing network event data aggregated by Omnis™ IDS Sensors deployed across the company's network, the Tier 1 Analyst commenced the investigation workflow by using the Omnis™ IDS Manager Explorer Timeline, Filter and Search, and Total Events Counter features. As part of this initial investigation, the Tier 1 Analyst contacted the internal user identified as potentially being impacted by this event. While this user reported issues with a host server running sluggishly (even confirming the host's IP address), the employee could not identify any recent actions or configuration changes that could be linked to a potential root cause.

Even at this initial stage of the investigation workflow, using Omnis IDS, the Tier 1 Analyst could see there was a high number of events in the general reporting timeframe identified in the service ticket – nearly 200,000 of them, to be exact. As exhibited in Figure 2, however, a high volume of them were associated with two IP addresses, which immediately eased the workflow for the Tier 1 Analyst.

Narrowing the IDS Explorer event timeline to correspond to the user-reported service issue enabled the Security Analyst to see relevant details associated with the host server IP address initially shared by the user and recorded in the service ticket.
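The triage steps described above (narrow the event timeline to the ticket window, see which IP addresses dominate the count, isolate the ticketed host's events, and hand the result to a SIEM forwarder) as an added, self-contained example that is not NETSCOUT's or Splunk's code. The event field names, sample events, signature labels and IP addresses are all constructed; nothing here reads real Omnis IDS output.

```python
"""Triage helper: window an IDS event stream, rank IPs by event count, pull the
ticketed host's events, and emit newline-delimited JSON for a forwarder-monitored
file. Added example with constructed fields, not a vendor schema."""
import json
from collections import Counter
from datetime import datetime

# Constructed sample events (assumed field names). 203.0.113.7 is a documentation
# address standing in for an external host; the "sig" labels are made up.
EVENTS = [
    {"ts": "2021-03-02T09:58:10", "src": "10.1.1.20", "dst": "203.0.113.7", "sig": "Ursnif beacon (constructed)"},
    {"ts": "2021-03-02T10:01:05", "src": "10.1.1.20", "dst": "203.0.113.7", "sig": "Ursnif beacon (constructed)"},
    {"ts": "2021-03-02T10:03:40", "src": "10.1.1.20", "dst": "203.0.113.7", "sig": "Ursnif beacon (constructed)"},
    {"ts": "2021-03-02T10:05:12", "src": "10.1.1.20", "dst": "203.0.113.7", "sig": "Ursnif beacon (constructed)"},
    {"ts": "2021-03-02T10:07:00", "src": "10.1.1.44", "dst": "10.1.1.9",    "sig": "Unusual port (constructed)"},
    {"ts": "2021-03-02T10:09:33", "src": "10.1.1.20", "dst": "203.0.113.7", "sig": "Ursnif beacon (constructed)"},
    {"ts": "2021-03-02T10:15:48", "src": "10.1.1.9",  "dst": "10.1.1.10",   "sig": "Noisy policy rule (constructed)"},
    {"ts": "2021-03-02T10:41:00", "src": "10.1.1.20", "dst": "203.0.113.7", "sig": "Ursnif beacon (constructed)"},
]

def in_window(events, start, end):
    """Keep events with start <= ts <= end (ISO 8601), i.e. narrow the timeline to the ticket."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [ev for ev in events if s <= datetime.fromisoformat(ev["ts"]) <= e]

def top_talkers(events, n=2):
    """Rank IPs by the number of events they appear in, as source or destination.
    Returns [(ip, count, share_of_events)], highest count first."""
    if not events:
        return []
    counts = Counter()
    for ev in events:
        for ip in (ev["src"], ev["dst"]):   # an event with src == dst counts that IP twice
            counts[ip] += 1
    return [(ip, c, round(c / len(events), 3)) for ip, c in counts.most_common(n)]

def events_for_host(events, host_ip):
    """Events touching the host IP recorded in the service ticket."""
    return [ev for ev in events if host_ip in (ev["src"], ev["dst"])]

def to_ndjson(events):
    """One JSON object per line: the shape a file-monitoring forwarder can ship to a SIEM."""
    return "".join(json.dumps(ev, sort_keys=True) + "\n" for ev in events)

if __name__ == "__main__":
    window = in_window(EVENTS, "2021-03-02T10:00:00", "2021-03-02T10:30:00")
    print(len(window), "events in window; top talkers:", top_talkers(window))
    print(to_ndjson(events_for_host(window, "10.1.1.20")), end="")
```

On the constructed data the 30-minute window drops the two events outside it, and the two top talkers together account for four of the six remaining events.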
