How NPMD Tools Can Help Investigate Data Breaches
March 27th, 2017 by Sam Cobley
A 24/7 Security Camera for Your Network
You have just discovered that your perimeter defences were breached and you think that sensitive customer data has been stolen. When GDPR comes into force in May 2018 you will need to report a breach to the relevant supervisory authority within 72 hours of becoming aware of it (unless “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons”). Failing to notify a breach when required to do so could result in a hefty fine of up to €10 million or 2% of your global turnover.
Some of the important questions you will need to answer are:
- What types of data were leaked?
- How many registered parties does the leak involve?
- What are the consequences for those registered parties?
Finding this information isn’t going to be easy – especially if you can’t examine all the packets. It’s like trying to recall a crime with crucial gaps in your memory. For an investigation to succeed you need the ability to capture and store all activity that traverses your IT infrastructure—just like a 24/7 security camera.
NPMD to the Rescue
Many enterprises will already have NPMD (Network Performance Monitoring and Diagnostics) solutions that are capable of storing vast amounts of packet-level traffic collected from a variety of points in the network topology: the core, the edge, and the branch. Whilst network teams will be routinely using the packets for network troubleshooting, they might not be sharing them with the security teams to help in their investigations.
Once a security team is alerted to a breach or attack by a frontline security system they can use a packet-based analytical tool to isolate the event. Packet analysis can then recreate the relevant network sessions involved in the attack, identify the nature of the breach, track its lateral path through the network, and reveal what was compromised (and by inference, what data or assets were protected).
Vital NPMD Security Features
An effective solution must offer:
- High-speed (10 Gb and 40 Gb) data centre traffic capture
The data centre is at the core of today’s IT infrastructure. Given the volume and speed of traffic—and therefore the increase in potential threats—your NPMD solution must be fast enough to keep pace with it.
- Expert analytics of network activity
To find the specific illicit event among millions of legitimate packets you need analysis tools that offer deep-packet inspection to quickly assist in determining when and where a particular anomaly or unexpected incident has occurred.
- Filter using custom-defined rules
The ability to filter packets against known threat signatures, expressed as custom-defined rules, and to alert when they are detected is critical to resolving many malware events.
- Event replay and session reconstruction
Rooting out emerging threats means being able to rewind network activity to view past events, often down to individual network conversations.
- Capacity to store petabytes of traffic data for post-event analysis
Since it is often not until after intrusions occur that breaches are detected, it is critical that network traffic is maintained for a relevant period of time (we recommend a month if possible). This enables the NPMD solution to act like a surveillance camera that is always on.
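As an added example (not code from the original post, nor from Observer GigaStor), here is a small Python sketch of the replay and filtering features working together: one direction of a TCP session is reassembled from segments pulled out of the retained packet store, and custom-defined rules are run over the rebuilt stream to answer which types of data were leaked and how many records are involved. The segments, addresses and rule patterns are constructed for illustration; the reassembly deliberately handles an out-of-order segment, a retransmit and a hole in the capture, since an investigator will meet all three.

```python
import re

# Constructed sample: TCP segments (src, dst, seq, payload) pulled from a
# retained packet store for one outbound connection, in capture order. An
# out-of-order segment, a retransmit and a capture gap are included on purpose.
SEGMENTS = [
    ("10.0.5.12", "203.0.113.7", 1001, b"POST /upload HTTP/1.1\r\n"),
    ("10.0.5.12", "203.0.113.7", 1046, b"email=bob@example.org;card=4111111111111111\n"),
    ("10.0.5.12", "203.0.113.7", 1024, b"Host: drop.example\r\n\r\n"),  # out of order
    ("10.0.5.12", "203.0.113.7", 1024, b"Host: drop.example\r\n\r\n"),  # retransmit
    ("10.0.5.12", "203.0.113.7", 1090, b"email=alice@example.org;card=5555555555554444\n"),
    ("10.0.5.12", "203.0.113.7", 1200, b"email=carol@example.org\n"),  # after a gap
]

# Custom-defined rules (illustrative, not a vendor signature set): the data
# types a breach notification must name, as patterns over the raw stream.
RULES = {
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    "card": re.compile(rb"\b\d{16}\b"),
}

def reassemble(segments, src, dst):
    """Rebuild one direction of a TCP conversation from retained segments:
    order by sequence number, drop bytes already seen (retransmits) and record
    any hole in the capture instead of silently gluing the rest together."""
    stream, gaps, expected = bytearray(), [], None
    for _, _, seq, payload in sorted(
            (s for s in segments if s[0] == src and s[1] == dst), key=lambda s: s[2]):
        expected = seq if expected is None else expected
        if seq + len(payload) <= expected:   # pure retransmit, nothing new
            continue
        if seq > expected:                   # packets missing from the capture
            gaps.append((expected, seq))
            expected = seq
        stream += payload[expected - seq:]   # trim any partial overlap
        expected = seq + len(payload)
    return bytes(stream), gaps

def classify_leak(stream):
    """Which data types left the network and how many distinct records of
    each: the figures the notification has to state."""
    hits = {name: set(pat.findall(stream)) for name, pat in RULES.items()}
    return {name: len(vals) for name, vals in hits.items() if vals}

if __name__ == "__main__":
    data, gaps = reassemble(SEGMENTS, "10.0.5.12", "203.0.113.7")
    print(data.decode(errors="replace"))
    print("capture gaps (seq ranges):", gaps)   # [(1136, 1200)]
    print("leaked:", classify_leak(data))       # {'email': 3, 'card': 2}
```

A reported gap is the important part: any record that fell into the hole cannot be counted, which is exactly why the retention and capture-rate points above matter.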
Firewalls, anti-virus software, IDS and DLP systems are necessary but no longer sufficient to achieve the most robust protection or to obtain the detailed evidence needed for complete resolution and documentation of cyberattacks and IT breaches. With the capability to act like a 24/7 security camera, storing network traffic for extended periods of time and performing deep packet inspection, NPMD solutions like Observer GigaStor enable administrators and security personnel to efficiently detect and root out intrusions, malware, and other unauthorised activities within the IT infrastructure. In a world of ever-increasing cyberattacks, malware, and internal espionage threats, the right NPMD solution can act as the final line of defence and provide the quickest path to recovery.