TAP into Technology | Garland Technology Blog

Security Connectivity Report: Optimizing Network Design for Forensic Analysis

Written by Chris Bihary | 7/23/15 5:10 AM

Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify.

- Ponemon Institute’s Cost of Data Breach Study: Global Analysis

It goes without saying – the longer a security breach goes undetected, the greater the damage. As companies worldwide build out their incident response plans, many are investing heavily in forensic analysis solutions to better understand what systems were compromised in the event a breach occurs. Solutions like the FireEye Network PX Series Forensic Platform let security professionals quickly reconstruct the details of the attack and see what systems and records were compromised in the process.

As we all know from watching detective shows, forensic teams need to look at every shred of evidence to be effective. The same holds true for their InfoSec counterparts. If an IT forensic analysis tool doesn’t get all the network data – and years of it – it cannot possibly piece together what happened.

When beginning a computer forensic analysis and data capture project, security specialists must ensure that the appliance they use will be able to see every bit, byte and packet® of the traffic that flows in and out of the network. Therefore, a proper network design and connectivity plan is critical to ensure the success of the project.

Examine the Source

When it comes to collecting network data, most people believe that all sources of information are created equal. That idea just isn’t true in today’s busy networks. When traffic is obtained from a live network element – even a switch – there is a good chance that the element itself will corrupt the transmission. Such elements can change frame timing, introduce delays and/or drop packets, especially during unexpected traffic spikes. While that might not be a big deal in the grand scheme of network management, it is a real problem if the lost or corrupted traffic held the key to deciphering the source of a breach.

Instead of getting traffic information indirectly from a network element, connect forensic appliances to the network itself. For example, a network TAP in bypass mode is a purpose-built hardware device that, when inserted into the network, copies all the traffic that passes through it and sends the copy to a separate appliance for analysis – without altering it. While TAPs are used to support firewalls and other in-line security devices, they are also ideal for ensuring that out-of-band appliances receive 100% of the traffic that flows through the TAP.
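One way to verify that a capture source really delivered every packet, as this section argues a TAP does and a mirroring switch may not: walk the TCP sequence numbers in the recorded segments and report byte ranges the capture never saw. This is an added example, not code from the original post or from Garland; the segment list is constructed sample input, and a real deployment would feed it from a decoded pcap.

```python
from collections import defaultdict

# Constructed sample input: TCP segments as recorded by a forensic capture
# appliance, as (flow, seq, payload_len). The first flow has a 500-byte hole
# between the segment ending at 2000 and the one starting at 2500: bytes the
# capture source never delivered (e.g. frames a switch dropped under load).
SAMPLE_SEGMENTS = [
    ("10.0.0.5:44321->10.0.0.9:443", 1000, 500),
    ("10.0.0.5:44321->10.0.0.9:443", 1500, 500),
    ("10.0.0.5:44321->10.0.0.9:443", 2500, 500),
    ("10.0.0.5:44321->10.0.0.9:443", 3000, 200),
    ("10.0.0.7:50000->10.0.0.9:80", 10, 100),
    ("10.0.0.7:50000->10.0.0.9:80", 110, 100),
]


def find_capture_gaps(segments):
    """Return {flow: [(expected_seq, actual_seq, missing_bytes), ...]} for
    every flow whose sequence numbers jump past data the capture never saw.
    Retransmissions and overlapping segments (seq at or below the expected
    next byte) are not gaps and are skipped."""
    per_flow = defaultdict(list)
    for flow, seq, length in segments:
        per_flow[flow].append((seq, length))
    gaps = defaultdict(list)
    for flow, segs in per_flow.items():
        expected = None  # next sequence number we expect for this flow
        for seq, length in sorted(segs):
            if expected is not None and seq > expected:
                gaps[flow].append((expected, seq, seq - expected))
            end = seq + length
            expected = end if expected is None else max(expected, end)
    return dict(gaps)


def completeness_by_flow(segments):
    """Fraction of each flow's observed byte range that the capture holds.
    Computed from the span (first seq to last byte) so retransmits do not
    inflate the count; anything below 1.0 means the evidence has holes."""
    spans = {}
    for flow, seq, length in segments:
        first, last = spans.get(flow, (seq, seq + length))
        spans[flow] = (min(first, seq), max(last, seq + length))
    gaps = find_capture_gaps(segments)
    result = {}
    for flow, (first, last) in spans.items():
        missing = sum(g[2] for g in gaps.get(flow, []))
        result[flow] = 1 - missing / (last - first)
    return result
```

Run `find_capture_gaps(SAMPLE_SEGMENTS)` against captures taken from a TAP and from a switch mirror of the same link to see which source is losing frames.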

Choose your Network Entry Points

To quickly diagnose security issues, you need to collect data across your entire environment. When forensic analyzers are connected to the network at multiple points (in front of and behind the firewall; on either side of web servers; inside the datacenter), infosec professionals can compare the data to see where and how traffic changes from system to system. Armed with more information, forensic analyzers can spot and analyze suspicious activity – and hopefully shut down attacks before a theft can occur.

Match the Network’s Physical Environment

When connecting forensic appliances, it is important to fit the network TAP to your environment’s exact specifications. Find out what type of cabling your network uses (copper or fiber) and the speed at which it runs (1G, 10G, 40G, 100G), and then choose the network TAP that matches your configuration.

The data capture element of a forensic analysis project works best when coupled with an optimized network design and connectivity plan. If you’re going to go through the effort of deploying a forensic analysis solution, why wouldn’t you do it right? Network TAPs represent a small percentage of the average security deployment project (5-10% max), but their value to a security strategy is much higher. After all, if a forensic analyzer doesn’t see all the network traffic, it can’t solve the mystery or help companies limit their losses in the event a breach occurs.

If you’re getting ready to deploy a FireEye forensic analyzer and need help with network design, the designers at Garland can show you how to maximize visibility in the process.