While 2016 isn’t quite over, we’ve already hit a new record for the number of major data breaches reported. In fact, according to CompTIA, three out of every four organizations surveyed reported having at least one breach in the past year. As we roll into 2017, it’s time to face the cold, hard truth: it’s no longer a question of if your organization will be successfully attacked, but of when. Solid perimeter security is of course necessary to limit your exposure. However, if your security prevention plans consist only of building a wall, you will likely be scrambling for a response when the inevitable occurs.
Analyst group Gartner, in their 2015 report titled Network Performance Monitoring Tools Can Play a Critical Role in Responding to Security Breaches, points out that “Access to historical data collected and analyzed by NPMD solutions offers the most compelling use of network forensics. This allows the analysis of past network events for newly discovered threats that traditional IDS/IPS solutions will fail to detect if they lack a specific signature” (Ganguli and Orans).
When it comes to having a credible attack response plan, your InfoSec analysts need more than threat alerts while an attack is in progress. While some attacks, such as Distributed Denial of Service (DDoS), happen suddenly, others, such as Advanced Persistent Threats (APTs), can stay under the radar for a long time, slowly collecting the information needed for a breach over months or even years. Because of this, analysts also require behavioral analysis tools with network forensics that can show how a specific attack vector correlates with activity on the network, and when that activity began.
Equally important is the ability to track morphing worms or bots and to gauge the effectiveness of your threat mitigation efforts while you are still within the “golden hour” – before damage from the breach has occurred. With the cost of a single cyber crime incident in the U.S. reaching $15.4 million in 2015, saving minutes while you’re trying to understand and mitigate a threat could be the difference between success and a very costly failure.
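The retrospective use of retained flow data described in the Gartner quote and the APT dwell-time problem above can be shown concretely. The following is an added example, not code from the original post or from any NPMD product: it searches constructed historical flow records for an indicator that only became known at alert time and reports first contact, affected hosts and dwell time. The C2 address 203.0.113.7 and all flow records are constructed placeholders.

```python
"""Retrospective hunt over retained flow records for a newly published indicator.

Added example; flows and the indicator 203.0.113.7 (documentation range) are
constructed. The alert that exposed the threat fired on 2016-11-21, but the
retained history shows the first contact months earlier.
"""
from collections import namedtuple
from datetime import datetime

Flow = namedtuple("Flow", "ts src dst dport bytes_out")

# Constructed flow history: a few months of retained NetFlow-style records.
FLOWS = [
    Flow("2016-08-03T02:14:00", "10.1.4.22", "203.0.113.7", 443, 1200),
    Flow("2016-08-03T09:31:00", "10.1.4.22", "93.184.216.34", 443, 5400),
    Flow("2016-09-17T02:15:00", "10.1.4.22", "203.0.113.7", 443, 1300),
    Flow("2016-10-02T03:00:00", "10.1.7.9", "203.0.113.7", 443, 980),
    Flow("2016-11-21T02:14:00", "10.1.4.22", "203.0.113.7", 443, 45000),
    Flow("2016-11-22T11:00:00", "10.1.9.3", "198.51.100.5", 80, 300),
]


def retro_hunt(flows, indicators):
    """Summarise every flow whose destination matches a (newly known) indicator.

    Returns {indicator: {first_seen, last_seen, hosts, bytes_out, flows,
    dwell_days}} so an analyst can see how long the contact predates the alert.
    """
    hits = {}
    for f in flows:
        if f.dst not in indicators:
            continue
        ts = datetime.fromisoformat(f.ts)
        h = hits.setdefault(f.dst, {"first_seen": ts, "last_seen": ts,
                                    "hosts": set(), "bytes_out": 0, "flows": 0})
        h["first_seen"] = min(h["first_seen"], ts)
        h["last_seen"] = max(h["last_seen"], ts)
        h["hosts"].add(f.src)          # every internal host that talked to it
        h["bytes_out"] += f.bytes_out  # outbound volume, a rough exfil gauge
        h["flows"] += 1
    for h in hits.values():
        h["dwell_days"] = (h["last_seen"] - h["first_seen"]).days
    return hits


if __name__ == "__main__":
    for ioc, h in retro_hunt(FLOWS, {"203.0.113.7"}).items():
        print(f"{ioc}: first seen {h['first_seen']:%Y-%m-%d}, "
              f"{h['dwell_days']} days dwell, hosts {sorted(h['hosts'])}, "
              f"{h['bytes_out']} bytes out over {h['flows']} flows")
```

Without the retained history, the 2016-11-21 alert would look like a single event; with it, the same indicator resolves to a 110-day dwell across two hosts.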
As you review your threat mitigation protocols for 2017, you should be including network forensics in your plans—and if you’re not, you should be rethinking them.