DCN June 2016 | Page 35

automation tools to resolve an attack after it has been discovered? Ponemon Institute's 2015 Cost of Cyber Crime Study: Global reported a median resolution time of an additional 46 days! So while it's a good idea to store all of your network's traffic for that time when you need to conduct an investigation, the sheer volume of the storage required makes it impractical and prohibitive for all but the biggest of companies.
Needle in a haystack
But let's assume for argument's sake that you are able to store all of your network data. Even then, a post-breach forensics investigation can be challenging because it is still like looking for a needle in a huge haystack; blindly searching through petabytes of stored information is unlikely to be successful in itself. So the best alternative lies somewhere in the middle: finding ways to reduce the size of that haystack to a more manageable scale by collecting as many clues as possible to narrow down the investigation. One important source of clues is the alerts generated by your network's monitoring tools, such as intrusion detection systems (IDS), authentication failures or unauthorised server access alerts. While manpower constraints may prevent you from investigating all of these alerts in detail in real time, using them as a way to select and index network (packet) data helps you narrow down the search very quickly when an attack is discovered. Studies have shown that most attacks DO trigger at least some alerts from the enterprise's monitoring systems, although they may have been initially overlooked. However, when a breach is confirmed, re-examination of alerts, and the associated saved packets, can rapidly pinpoint and explain what actually happened.
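The alert-indexed retention workflow described above, as an added example that is not part of the original article: monitoring alerts select which packets are kept (a window around the alert, restricted to the alerted host), the kept packets are indexed by alert, and a confirmed breach is re-examined by pulling up the alert history for that host. The packet stream, the alerts and the 60-second window are constructed sample values, not data from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str
    dst: str
    dport: int
    size: int     # bytes on the wire

@dataclass(frozen=True)
class Alert:
    ts: float
    source: str   # monitoring tool that raised it (ids, auth, ...)
    host: str     # internal host the alert concerns
    summary: str

# Constructed sample data: a small packet stream and two alerts from monitoring tools.
PACKETS = [
    Packet(100.0, "10.0.0.5", "203.0.113.9", 443, 1200),
    Packet(101.5, "10.0.0.7", "10.0.0.20", 22, 90),
    Packet(102.0, "198.51.100.4", "10.0.0.7", 22, 150),
    Packet(130.0, "10.0.0.5", "203.0.113.9", 443, 800),
    Packet(250.0, "10.0.0.9", "10.0.0.20", 80, 500),
    Packet(260.0, "10.0.0.7", "198.51.100.4", 4444, 4000),
]
ALERTS = [
    Alert(102.0, "auth", "10.0.0.7", "repeated SSH authentication failures"),
    Alert(255.0, "ids", "10.0.0.7", "outbound connection to unusual port"),
]

def index_packets_by_alert(packets, alerts, window=60.0):
    """Keep only packets that involve an alerted host within +/- window seconds
    of the alert, indexed by alert for later retrieval. Other packets are dropped."""
    index = {alert: [] for alert in alerts}   # every alert is kept, even with no packets
    for alert in alerts:
        for pkt in packets:
            if alert.host in (pkt.src, pkt.dst) and abs(pkt.ts - alert.ts) <= window:
                index[alert].append(pkt)
    return index

def retained_bytes(index):
    """Bytes actually stored, counting a packet once even if several alerts selected it."""
    unique = {pkt for pkts in index.values() for pkt in pkts}
    return sum(p.size for p in unique)

def reexamine(index, host):
    """Post-breach: every alert for the confirmed host with its saved packets, oldest first."""
    return sorted(((a, index[a]) for a in index if a.host == host), key=lambda x: x[0].ts)
```

On this sample the alert-driven selection keeps 4,240 of 6,740 bytes, and the re-examination for 10.0.0.7 returns the authentication alert with both SSH packets followed by the IDS alert with the outbound transfer.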
What can you expect from a network forensics solution?
From a purely security perspective, I think there are two key benefits:
Transactional analysis. Network forensics solutions provide the 'ultimate audit trail' for all kinds of transactions, including e-commerce and banking. When server logs and other server-based evidence do not provide sufficient data for characterising a transaction, network forensics enables IT teams to locate and examine the exact content and execution of an online transaction.
Security attack analysis. There are other tools that perform benchmarking and troubleshooting, but only a true forensics solution allows security officers and IT staff to characterise and mitigate an attack that slipped past network defences. Network forensics enables investigators to find proof of an attack and to trace its effects on IT resources.
Finding and resolving breaches is certainly a daunting prospect for an enterprise of any size, but the key takeaway from this discussion should be that by putting a workflow in place to intelligently store key historical information (alerts and associated logs and 'suspicious' packets) that enterprise will be prepared to rapidly remediate the attack.
Memory data can be very useful if the attacker is still present in your computers, but they are often long gone and the memory erased.