Data security is a race between attackers and defenders. Attackers win when they can commit their crimes—stealing data, encrypting files, or performing some other destructive act—before being detected and stopped. Defenders win when they detect an attack and stop it before any harm is done.
Unfortunately, these days, the attackers seem to have time on their side. The typical security attack lingers undetected on an enterprise network for an average of 229 days, according to researchers. That’s over 7 months of free time for stealing data and committing some other act of cyber crime.
Why does it take so long to detect security attacks? One reason is that today’s attacks are increasingly subtle and sophisticated. But another reason is that, once an attack slips past network defenses and hides on the network for even a few days, the amount of hard evidence that security analysts have access to falls off dramatically.
In the first two days, security analysts are likely to have access to network forensics data with stored packets containing the attack itself. After two days, the evidence shrinks to mostly derivative data—some log files here, some metadata there. These can sometimes provide indirect clues about what really took place, but they are far less useful than being able to explore the actual traffic containing the attack itself.
We created Savvius Vigil, our state-of-the-art security forensics solution, precisely to address this problem. Savvius Vigil builds on security tools that enterprises have in place, such as SIEM systems and their IDS/IPS capabilities.
When a SIEM system raises an alert about suspicious traffic, Savvius Vigil stores the network traffic immediately preceding and following the event for forensic review. It integrates events from multiple sources, including network conversations with specified IP addresses. Traffic between relevant nodes is captured before and after the triggered events. Optionally, all related traffic to and from an event’s IP addresses is captured as well.
Savvius Vigil saves only traffic that has been deemed suspicious; all other traffic is eventually discarded. What’s left is a repository of suspicious events—packet-level details and all—that security analysts can examine once they suspect that an alert is genuine and not a false positive.
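The retention model described above (a short-lived full-packet buffer, an alert that triggers retention of the traffic immediately before and after it, matching either conversations between the relevant nodes or, optionally, all traffic touching an event IP, and everything else aging out), as an added Python sketch that is not Savvius code. The packets, addresses, timestamps and window sizes are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # capture timestamp in seconds
    src: str
    dst: str
    length: int


class AlertTriggeredRetention:
    """Keep every packet briefly; persist only packets tied to an alert."""

    def __init__(self, buffer_s, pre_s, post_s, any_endpoint=False):
        self.buffer_s, self.pre_s, self.post_s = buffer_s, pre_s, post_s
        self.any_endpoint = any_endpoint   # True: keep all traffic touching an alert IP
        self.ring = deque()                # short-lived full capture, oldest first
        self.retained = {}                 # alert_id -> packets kept for forensics
        self.windows = []                  # (alert_id, ips, end_ts) still collecting

    def _relevant(self, pkt, ips):
        ends = {pkt.src, pkt.dst}
        return bool(ends & ips) if self.any_endpoint else ends <= ips

    def ingest(self, pkt):
        self.ring.append(pkt)
        while self.ring and self.ring[0].ts < pkt.ts - self.buffer_s:
            self.ring.popleft()            # unrelated traffic ages out and is discarded
        for alert_id, ips, end_ts in self.windows:
            if pkt.ts <= end_ts and self._relevant(pkt, ips):
                self.retained[alert_id].append(pkt)   # post-alert window
        self.windows = [w for w in self.windows if w[2] >= pkt.ts]

    def on_alert(self, alert_id, ts, ips):
        ips = frozenset(ips)
        # pre-alert window: pull matching packets out of the ring before they expire
        self.retained[alert_id] = [p for p in self.ring
                                   if ts - self.pre_s <= p.ts <= ts and self._relevant(p, ips)]
        self.windows.append((alert_id, ips, ts + self.post_s))


def demo(any_endpoint=False):
    # Constructed sample: one internal host talking to a suspicious external address,
    # plus unrelated internal chatter that must not be retained.
    pkts = [Packet(t, "10.0.0.5", "203.0.113.9", 512) for t in (60, 80, 95)]
    pkts += [Packet(t, "10.0.0.5", "10.0.0.7", 128) for t in (90, 110)]
    pkts += [Packet(t, "10.0.0.8", "10.0.0.9", 64) for t in (85, 105)]
    pkts += [Packet(t, "203.0.113.9", "10.0.0.5", 1400) for t in (105, 125, 140)]
    v = AlertTriggeredRetention(buffer_s=60, pre_s=30, post_s=30, any_endpoint=any_endpoint)
    for pkt in sorted(pkts, key=lambda p: p.ts):
        v.ingest(pkt)
        if pkt.ts == 95:   # the SIEM raises its alert at t=100 (hypothetical alert id)
            v.on_alert("alert-1", 100, {"10.0.0.5", "203.0.113.9"})
    return [(p.ts, p.src, p.dst) for p in v.retained["alert-1"]]
```

With node-pair matching only the four packets of the flagged conversation between t=70 and t=130 survive; the packet at t=60 and the one at t=140 fall outside the window and the unrelated chatter is never kept.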
Now, thanks to Savvius Vigil, security professionals investigating a security attack that is days, weeks, or even months old can take advantage of packet-level network traffic in their investigation—something previously unachievable.
“By automatically storing the appropriate network packets, Savvius Vigil enhances the ability of security analysts to quickly understand and respond to newly discovered threats,” says Keatron Evans, principal analyst at Blink Digital Security. “It allows us to go from notification of breach to completed analysis much faster.”
In the race between attackers and defenders, defenders just gained a powerful tool for speeding up the clock in their favor.