Network Security Forensics
Information is the lifeblood of your organisation. Credit card transactions, employee data, sensitive company memos, and the trade secrets that give your business its competitive edge are all flowing freely through your network infrastructure—tempting hackers and cyber criminals.
[Chart: Average total organisation cost of data breach (£ millions)]
Security is a major business challenge that every IT organisation must address, and the scope of security threats continues to expand. Today external threats are a given, and insider threats are a growing concern as well, yet in the face of all this security teams are typically understaffed and often overwhelmed.
Meanwhile, the stakes are only getting higher. IBM’s 2016 Cost of Data Breach Study found that in the United Kingdom, the average total organisational cost of a data breach grew from £2.37 million to £2.53 million over the last year. These breaches can lead to lost revenue, a tarnished brand image, and customer churn. Malicious attacks can pilfer valuable intellectual property. Liability for lost customer data is potentially immense and governmental and organisational regulatory requirements are formidable.
When a breach occurs, an IT organisation must be prepared to deliver quick answers to these five critical questions:
- What was compromised, and what data was exposed?
- Who was responsible for the vulnerability?
- Who was responsible for the attack itself?
- Has the breach been resolved?
- Can the resolution be validated?
Closing the gap
Security operations teams have a multifaceted set of tools to address these problems and answer some of these questions. These tools include firewalls, intrusion prevention systems (IPS), security information and event management (SIEM) systems, data loss prevention (DLP) systems, and many others. While these solutions can detect or prevent breaches, they won’t necessarily help IT understand the full nature of an attack and the extent to which it succeeded in compromising an organisation’s IT assets and sensitive data. Nor can they always validate that the breach has been resolved and the data secured.
Fortunately, network groups can close these gaps and aid the security team in their efforts through packet-based monitoring tools that capture, store, and analyse vast amounts of network traffic. IT can use packets to reconstruct network conversations. These network conversations can provide the most complete picture of what exactly happened when the security breach occurred, or they can provide evidence that an attack was unsuccessful.
Leveraging packet capture for security forensics
The ability to capture and store all activity that traverses your IT infrastructure—like a 24/7 security camera—enables your NPMD (Network Performance Monitoring and Diagnostics) tool to serve as the backstop of your business’ IT security efforts.
Once a security team is alerted to a breach or attack by frontline security systems such as firewalls, SIEM, IPS, or DLP systems, security engineers can use a packet-based analytical tool to isolate the event. Packet analysis can then recreate the relevant network sessions involved in the attack, identify the nature of the breach, track its lateral path through the network, and reveal what was compromised (and, by inference, what data or assets were protected).
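The three investigation steps just described (isolate the alerted session, recreate the conversation from its packets, then trace the lateral path) as an added Python example; this is not Observer or Viavi code, and the capture records, hosts, ports and alert are all constructed for illustration.

```python
# Added example, not Observer/Viavi code: a back-in-time investigation over a
# constructed packet capture, following the steps described in the text.
from collections import namedtuple

# Constructed sample records (a real capture store would supply these).
Pkt = namedtuple("Pkt", "ts src sport dst dport seq payload")
CAPTURE = [
    Pkt(100.0, "203.0.113.7", 51000, "10.0.0.5", 80, 1, b"GET /admin HTTP/1.1\r\n"),
    Pkt(100.1, "203.0.113.7", 51000, "10.0.0.5", 80, 22, b"Host: corp\r\n\r\n"),
    Pkt(100.1, "203.0.113.7", 51000, "10.0.0.5", 80, 22, b"Host: corp\r\n\r\n"),  # retransmit
    Pkt(100.3, "10.0.0.5", 80, "203.0.113.7", 51000, 1, b"HTTP/1.1 200 OK\r\n"),
    Pkt(130.0, "10.0.0.5", 44000, "10.0.0.9", 445, 1, b"SMB"),    # victim pivots to file server
    Pkt(140.0, "10.0.0.9", 44500, "10.0.0.20", 3389, 1, b"RDP"),  # and onward from there
]
ALERT = {"src": "203.0.113.7", "sport": 51000, "dst": "10.0.0.5", "dport": 80,
         "window": (99.0, 101.0)}  # constructed SIEM/IPS alert

def isolate_session(capture, alert):
    """Packets on the alerted 5-tuple, either direction, inside the alert window."""
    ends = {(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])}
    t0, t1 = alert["window"]
    return [p for p in capture
            if t0 <= p.ts <= t1 and {(p.src, p.sport), (p.dst, p.dport)} == ends]

def reassemble(session, sender):
    """Rebuild one direction of the stream: order by seq, drop retransmissions."""
    seen, chunks = set(), []
    for p in sorted((p for p in session if p.src == sender), key=lambda p: p.seq):
        if p.seq not in seen:
            seen.add(p.seq)
            chunks.append(p.payload)
    return b"".join(chunks)

def lateral_path(capture, first_victim, t0, internal="10."):
    """Follow internal connections outward from the victim; a hop counts only after its source host was itself reached."""
    reached, queue, hops = {first_victim: t0}, [first_victim], []
    while queue:
        host = queue.pop(0)
        for p in sorted(capture, key=lambda p: p.ts):
            if (p.src == host and p.ts >= reached[host]
                    and p.dst.startswith(internal) and p.dst not in reached):
                reached[p.dst] = p.ts
                queue.append(p.dst)
                hops.append((p.ts, p.src, p.dst, p.dport))
    return hops

if __name__ == "__main__":
    session = isolate_session(CAPTURE, ALERT)
    print(reassemble(session, ALERT["src"]).decode())  # the attacker's request, in order
    print(lateral_path(CAPTURE, ALERT["dst"], ALERT["window"][0]))
```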
- ... of enterprises use packet data in security incident investigations today, and another 30% would like to do so.
- ... of organisations use deep packet inspection for security analytics and reporting.
- ... of IT organisations store full packet captures for security investigations.
- ... of enterprises maintain a historical baseline of network traffic data for performing behavioural anomaly detection.
No packet left behind
The undisputed leader in back-in-time analysis, Observer GigaStor is the perfect solution for your network’s security, compliance, and troubleshooting needs. It supports gigabit to 40 Gb links with storage capacity of more than a petabyte, and its easy-select form factors are designed to scale with your organisation.
With the Observer Platform from Viavi Solutions teams can:
- Capture packet-level data useful in recreating actual traffic, ensuring they miss nothing in the investigation of a breach or network event
- With a number of form factors, select the configuration that’s right for the organisation, from a few terabytes to over a petabyte of capture capacity
- Choose from rack-mount, portable, and software options to capture and analyse traffic at the edge or in remote locations
- Set baselines and alerts to identify anomalous traffic in real time or back in time, with easy-to-use interfaces built on sophisticated analysis algorithms
- Quickly understand key attack details, how it was perpetrated, exploits used, and which systems or intellectual property were compromised
- Use web-based trace extraction to integrate with complementary third-party real-time security tools. GigaStor is now certified to work with the Cisco FirePOWER IDS solution and can easily work with other products that interface via a REST API.