How to use data forensics to secure enterprise networks


The three key stages of the security lifecycle are prevention, detection and remediation. Why state the obvious? Because something is seriously skewed in how enterprises currently approach security and in particular, security spending.

First there is prevention, which includes tools such as antivirus software and firewalls to keep the enemy at the gates. Detection involves intrusion recognition systems that identify an attack once it has breached the network perimeters. Finally, there is remediation. This includes network forensics that provide information about the “DNA” of an attack and addresses any impact that an attack may have had on the network.

A losing battle

Unfortunately, many enterprises don't consider remediation an important strategy in the battle against malware. That is reflected in enterprise security budgets. According to industry analysts at Gartner, enterprises spend just over $10 billion on prevention and detection and a little more than $200 million on remediation. That works out to 50 times more spent on prevention and detection than on remediation. Yet, despite this, enterprises still feel like they are losing the cybersecurity battle. Something has got to change.

Often, security failures can be traced back to poor “housekeeping” in the form of patching, exercising caution with suspicious emails, restricting privileged user access and so on. However, with each new day malware gets more complex, diverting further resources and making it harder for IT teams to keep up. As the State of the Network 2017 survey revealed, 80 percent of network teams are spending more time on security than ever before.

A big flaw with current prevention measures is that they target known attack vectors. So, tomorrow's newest piece of malware, ransomware or zero-day assault packed with new exploits could bypass the prevention and detection systems of today and carry out a surprise, blistering attack on the network.

It is time for data forensics

When an adversary is so shadowy, elusive and yet capable of devastating attacks, organizations need a better approach. Studying the enemy in depth is the first step. One approach that is proving very effective is looking directly at the wire: packet data. Packets contain information that even a cybercriminal cannot manipulate. Enterprises can run analytics over the packets crossing the network to examine the forensic evidence. Think of this as examining malware with a tamper-proof surveillance or CCTV camera. The bottom line is: packets never lie and are even admissible in court as evidence.

This approach places more emphasis on the remediation aspect of the security lifecycle. Network forensics from packets can reveal incredible detail about malware. Network forensics enable enterprises to answer the who, what, where and when of an attack. Used consistently, rather than only after the event, packets not only give organizations a bird's eye view of the threat landscape, but also allow security teams to troubleshoot, isolate and identify problems affecting the network faster. Packets reveal propagation mechanisms, attack vectors and the type of breach, as well as showing the exfiltration path of stolen data even when it is encrypted.

By revealing the adversaries' modus operandi, packet forensics arms security teams with vital intel to prevent attacks. Here are the top five ways enterprises can use the information gleaned from packets:

1. Trace the attack: Organizations using packet analysis can trace the attack back to the first infected computer. Examine how it was compromised and work from there to gather intelligence to trace the malware. Security teams can stop it in its tracks if, for instance, they are able to fortify firewalls and strengthen endpoint security.

2. Establish parameters: With the intelligence from packets, security teams can get notifications when SMB and other file-sharing protocols carry instructions to delete large quantities of files. This would have been extremely useful with WannaCry and Petya/NotPetya, which used SMB/Samba (version 1).

3. Do you know your normal: Once enterprises are aware of what constitutes “normal” traffic on their network, they can identify abnormal behavior. The more you know about the network, the more you can be protected, proactive and prepared.

4. Know thy enemy: With packet analysis, security teams can retrospectively analyze the data from the time of an incident to track the breach, and then search and destroy the malware faster.

5. Survive the data surge: Despite the dizzying quantity of data, with the help of appliances applying automated intelligence, security teams can capture and store up to a petabyte of traffic and quickly identify the exact moment a problem occurred in order to troubleshoot it.
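Item 2 above describes alerting when file-sharing traffic carries bulk delete instructions. The following is an added example, not code from the article: it inspects SMB2 SET_INFO requests (the current dialect; the article refers to SMBv1, whose delete command differs) for the FileDispositionInformation/DeletePending flag and reports any source that exceeds a sliding-window threshold. It assumes the SMB2 messages have already been extracted from TCP port 445 streams; the sample traffic, addresses and threshold are constructed for the demonstration.

```python
import struct
from collections import defaultdict, deque

SMB2_MAGIC = b"\xfeSMB"                   # MS-SMB2 ProtocolId
SMB2_SET_INFO = 0x0011
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses, clear on requests
SMB2_0_INFO_FILE = 0x01
FILE_DISPOSITION_INFORMATION = 13         # FILE_INFORMATION_CLASS value

def is_smb2_delete_request(msg: bytes) -> bool:
    """True if msg is a client SET_INFO request setting DeletePending=1 on a file."""
    if len(msg) < 97 or msg[:4] != SMB2_MAGIC:   # 64-byte header + 33-byte body
        return False
    command, _, flags = struct.unpack_from("<HHI", msg, 12)   # Command, CreditRequest, Flags
    if command != SMB2_SET_INFO or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return False                      # not SET_INFO, or it is the server's response
    info_type, info_class, buf_len, buf_off = struct.unpack_from("<BBIH", msg, 66)
    if info_type != SMB2_0_INFO_FILE or info_class != FILE_DISPOSITION_INFORMATION:
        return False                      # some other attribute change, not a delete
    return buf_len >= 1 and buf_off < len(msg) and msg[buf_off] == 1   # DeletePending

def build_set_info(delete_pending, info_class=FILE_DISPOSITION_INFORMATION, response=False):
    """Constructed SMB2 SET_INFO message (header + body + FileId + 1-byte buffer)."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if response else 0
    hdr = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_SET_INFO, 0, flags,
                                   0, 1, 0, 1, 1) + b"\x00" * 16   # zeroed signature
    body = struct.pack("<HBBIHHI", 33, SMB2_0_INFO_FILE, info_class, 1, 96, 0, 0)
    return hdr + body + b"\xff" * 16 + bytes([delete_pending])     # FileId, then buffer

def find_mass_delete_sources(events, threshold=50, window_s=60.0):
    """events: (timestamp, src_ip, smb2_message); returns sources exceeding the threshold."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, msg in sorted(events, key=lambda e: e[0]):
        if not is_smb2_delete_request(msg):
            continue
        recent[src].append(ts)
        while ts - recent[src][0] > window_s:     # drop timestamps outside the window
            recent[src].popleft()
        if len(recent[src]) > threshold:
            flagged.add(src)
    return flagged

def constructed_events():
    """Constructed traffic: 10.0.0.7 deletes 80 files in 24 s; 10.0.0.9 is benign noise."""
    ev = [(t * 0.3, "10.0.0.7", build_set_info(1)) for t in range(80)]
    ev += [(t * 20.0, "10.0.0.9", build_set_info(1)) for t in range(3)]   # 3 deletes in 40 s
    ev += [(5.0, "10.0.0.9", build_set_info(1, response=True)),           # server reply
           (6.0, "10.0.0.9", build_set_info(1, info_class=4)),             # FileBasicInformation
           (7.0, "10.0.0.9", build_set_info(0))]                           # DeletePending=0
    return ev
```

The same message filter can feed a SIEM rule instead of the in-process counter; the threshold and window should be tuned against the organization's own baseline of legitimate bulk deletes.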

All too often, the remediation aspect of the security lifecycle is under-utilized and overlooked. It is clear that network teams are struggling to keep up with the onslaught of malware attacks, and it is certainly not for a lack of trying. The base-level activities that protect networks and enable damage limitation are all still needed: applying patches, restricting the admin rights granted to access directories, running backups and strengthening endpoint defenses.

It is also clear that the current focus on prevention and detection alone points to an overall strategy that is failing miserably. Cybercriminals regularly evade these measures, and in response IT teams need to up their game. Better intelligence would help them respond to attacks faster. Remediation, especially in the form of packet analysis, is the most effective way to guarantee tamper-proof intelligence that goes right to the heart of the crime scene.

Are you ready for battle?
