Adding complexity to the new security landscape is the dramatic and relatively sudden increase in network speeds. Now routinely hitting 100 Gigabits per second, or roughly 70 million times faster than the typical network connection when firewalls were introduced, this poses a number of challenges, particularly in the area of security.
Network growth, along with the data deluge, puts a great amount of pressure on organizations to combat cyber-threats and analyze cyber-attacks in real time so that necessary actions can be taken with minimum delay.
With so much money, data and reputation to lose, IT security teams need to deploy a diverse strategy that does two things. First, it ensures all security prevention solutions have the necessary bandwidth and capacity to handle high-speed, high-volume attacks. Second, it ensures that security detection solutions are in place not only to detect anomalies in real time, but also to record network activity for deeper analysis and/or later detection of a past breach.
No single security solution can provide everything a network needs today. Traditional point defenses cannot adequately address the new, faster-moving, multi-layer threats and more sophisticated attackers. What’s required is a layered approach with defense-in-depth, where an organization relies not only on network security appliances for indications of data breaches but also on network behavior analysis.
Here’s where continuously recorded network data comes in; it can be thought of as the “last security tool.” A network forensics solution should continuously capture all data 24x7, regardless of whether anything interesting is happening in a particular moment or not. Then, in conjunction with alerts from the other tools, the security team can investigate whether the event was a false alarm or something that needs to be actioned.
Moreover, they can see what happened after the breach and achieve the ultimate goal: determining all the assets the attacker may have accessed and whether the attacker has truly been eliminated from their environment.
Data on Demand
Though there are tools that provide partial network recordings based on an event, that data is inevitably incomplete if the recording tool did not see anything it considered interesting. For effective network forensics, best practices today suggest complementing those tools with a solution that can record everything continuously at high speed. Such a solution must be purpose-built for this, since the demands for storage and indexing of this volume of data are very different from the architecture of other security tools.
Organizations can take real-time data capture a step further by introducing the concepts of data capture and retrieval-on-demand. The network forensics solution must provide an immediate and indexed answer to an investigator pursuing an event. It is crucial that security officers can quickly go to the time and place of the event to start analysis, and waiting several hours for this initial answer can cause serious delays while the attacker may still be inside.
IT security teams need the ability to see and review their data, but storing and analyzing every data packet can be a tiresome and expensive chore. A much more efficient solution is the ability to retrieve data on demand with a few simple commands.
Teams can call up packets from a specific time frame or server and more quickly determine the root of the problem. The network perimeter is strengthened by this multi-pronged approach.
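The following is an added illustration, not code from the original article or any vendor product, of what "indexed retrieval on demand" means in practice: every packet is stored in arrival order, a per-host index of sorted timestamps is maintained alongside it, and an investigator pulls the packets for one host and one time window around an alert without scanning the whole capture. The `Packet` record, the `CaptureIndex` class and the sample traffic are all constructed here for the example.

```python
from bisect import bisect_left, bisect_right
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp, epoch seconds (assumed non-decreasing per capture point)
    src: str
    dst: str
    length: int


class CaptureIndex:
    """Append-only store of a continuous capture plus a per-host index.

    Each host maps to a list of (timestamp, offset) pairs kept in timestamp order,
    so a time/host query is two binary searches rather than a scan of the store."""

    def __init__(self):
        self.store = []                   # full capture, in arrival order
        self.by_host = defaultdict(list)  # host -> [(ts, offset), ...] ascending

    def record(self, pkt):
        offset = len(self.store)
        self.store.append(pkt)
        for host in (pkt.src, pkt.dst):   # index both endpoints of the packet
            self.by_host[host].append((pkt.ts, offset))

    def retrieve(self, host, t_start, t_end):
        """Packets involving `host` with t_start <= ts <= t_end, in capture order."""
        entries = self.by_host.get(host, [])
        lo = bisect_left(entries, (t_start, -1))
        hi = bisect_right(entries, (t_end, len(self.store)))
        return [self.store[off] for _, off in entries[lo:hi]]


def investigate(index, host, alert_ts, before=5.0, after=30.0):
    """Pull the window around an alert for one host and list the peers that host
    talked to after the alert: the assets an attacker may have reached next."""
    window = index.retrieve(host, alert_ts - before, alert_ts + after)
    peers = sorted({p.dst if p.src == host else p.src for p in window if p.ts >= alert_ts})
    return window, peers


def build_sample_index():
    """Constructed sample traffic; 10.0.0.5 is the host an alert fires on at t=1000.5."""
    idx = CaptureIndex()
    for pkt in [Packet(990.0, "10.0.0.5", "10.0.0.9", 120),
                Packet(998.2, "10.0.0.7", "10.0.0.5", 80),
                Packet(1000.5, "10.0.0.5", "198.51.100.20", 1400),  # alert correlates here
                Packet(1001.0, "10.0.0.8", "10.0.0.9", 60),         # unrelated host pair
                Packet(1003.7, "10.0.0.5", "10.0.0.12", 540),
                Packet(1020.0, "10.0.0.5", "10.0.0.13", 900),
                Packet(1200.0, "10.0.0.9", "10.0.0.5", 70)]:        # outside the window
        idx.record(pkt)
    return idx
```

A real deployment would persist the store as pcap files and the index on disk, but the shape of the query (host plus time bounds resolved through a sorted index) is the same.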