How NPMD Tools Can Help Investigate Data Breaches

Network Monitoring , Security

By | 27/03/2017

Network MonitoringSecurity

How NPMD Tools Can Help Investigate Data Breaches

A 24/7 Security Camera for Your Network

You have just discovered that your perimeter defences were breached and you think that sensitive customer data has been stolen. When GDPR comes into force in May 2018 you will need to report a breach to the relevant supervisory authority within 72 hours of becoming aware of it (unless “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,”). Failing to notify a breach when required to do so could result in a hefty fine up to €10 million or 2% of your global turnover.

Some of the important questions you will need to answer are:

  • What types of data were leaked
  • How many registered parties the leak involves
  • What are the consequences to those registered parties

Finding this information isn’t going to be easy – especially if you can’t examine all the packets. It’s like trying to recall a crime with crucial gaps in your memory. For an investigation to succeed you need the ability to capture and store all activity that traverses your IT infrastructure—just like a 24/7 security camera.

NPMD to the Rescue

Many enterprises will already have NPMD (Network Performance Monitoring and Diagnostics) solutions that are capable of storing vast amounts of packet-level traffic collected from a variety of network topologies; from the core, edge, and branch. Whilst network teams will be routinely using the packets for network troubleshooting, they might not be sharing them with the security teams to help in their investigations.

“IT operations teams must leverage network forensic evidence collected by NPMD solutions to help security operations teams solve difficult security problems”

Gartner Research

Once a security team is alerted to a breach or attack by a frontline security system they can use a packet-based analytical tool to isolate the event. Packet analysis can then recreate the relevant network sessions involved in the attack, identify the nature of the breach, track its lateral path through the network, and reveal what was compromised (and by inference, what data or assets were protected).

Packet-Based Security Forensics – A Next Generation Approach to Attack Remediation

This white paper explains the importance of packet capture and forensic analysis to security operations, examines the dynamics of this growing collaboration between security and network teams, and explores a leading platform in this market from Viavi Solutions.

Download Whitepaper

Vital NPMD Security Features

An effective solution must offer:

  • High-speed (10 Gb and 40 Gb) data centre traffic capture

The data centre is at the core of today’s IT infrastructure. Given the volume and speed of traffic—and therefore increase in potential threats—your NPMD solution must be faster.

  • Expert analytics of network activity

To find the specific illicit event among millions of legitimate packets you need analysis tools that offer deep-packet inspection to quickly assist in determining when and where a particular anomaly or unexpected incident has occurred.

  • Filter using custom-defined rules

The ability to filter packets against these known threat signatures and alert when detected is critical to resolving many malware events.

  • Event replay and session reconstruction

Rooting out emerging threats means being able to rewind a network to view past events, often down to individual network conversations.

  • Capacity to store petabytes of traffic data for post-event analysis

Since it is often not until after intrusions occur that breaches are detected, it is critical that network traffic is maintained for a relevant period of time (we recommend a month if possible). This enables the NPMD solution to act like a surveillance camera that is always on.


Firewalls, anti-virus software, IDS and DLP systems are necessary but no longer sufficient to achieve the most robust protection or obtain detailed evidence necessary for complete resolution and documentation of cyberattacks and IT breaches. With the capabilities to act like a 24/7 security camera by storing network traffic for extended periods of time and perform deep packet inspection, NPMD solutions like Observer GigaStor enable administrators and security personnel to efficiently detect and root out intrusions, malware, and other unauthorised activities within the IT infrastructure. In a world of ever-increasing cyberattacks, malware, and internal espionage threats, the right NPMD solution can act as the final defence and provide the quickest path to recovery.

LIKE THIS ARTICLE? SHARE IT. linkedintwitter