Most security experts agree that the rapidly changing nature of malware, hack attacks and government espionage practically guarantees your IT infrastructure will be compromised. According to the 2014 Cost of Data Breach Study conducted by the Ponemon Institute, the average detection, escalation and notification costs for a breach is approximately $1 million. Post-incident costs averaged $1.6 million.
Once an attacker is within the network, it can be very difficult to identify and eliminate the threat without deep-packet inspection. The right Application Performance Management (APM) solution that includes network forensics can help IT operations deliver superior performance for users, and when incorporated into your IT security initiatives, deep packet inspection can provide an extra level of support to existing antivirus software, Intrusion Detection System (IDS) and Data Loss Prevention (DLP) solutions. The ability to capture and store all activity that traverses your IT infrastructure acts like a 24/7 security camera that enables your APM tool to serve as a backstop to your business’ IT security efforts if other lines of defense fail.
To use APM solutions for security forensics for post-event analysis, you must have a network retrospective analyzer that has at least the following capabilities:
■ High-speed (10 Gb and 40 Gb) data center traffic capture
■ Expert analytics of network activity with deep packet inspection
■ Filtering using Snort or custom user defined rules
■ Event replay and session reconstruction
■ Capacity to store massive amounts of traffic data (we’re potentially talking petabytes) for post-event analysis
Like utilizing video footage from a surveillance camera, captured packets and analysis of network conversations can be retained and looked at retrospectively to detect, clean up and provide detailed information of a breach. This back-in-time analysis can be especially important if the threat comes from within, such as a disgruntled employee within a company firewall. It also allows companies to determine exactly what data was compromised and help in future prevention.
Below are five ways to use network monitoring and analysis to investigate breaches:
1. Identify changes in overall network traffic behavior, such as applications slowing down that could be a sign of an active security breach.
2. Detect unusual individual user’s account activity; off-hour usage, large data transfers, or attempts to access unauthorized systems or services — actions often associated with disgruntled employees or a hacked account.
3. Watch for high-volume network traffic at unusual times, it could be a rogue user in the process of taking sensitive data or stealing company IP.
4. View packet capture of network conversations to determine how the breach occurred and develop strategies to eliminate future threats by strengthening the primary IT security.
5. Discover what infrastructure, services, and data were exposed to aid in resolution, notification, and regulatory compliance.
By incorporating retrospective network analysis, companies can use their network monitoring as a back stop to IDS and DLP solutions, and accelerate detection and resolution.