Over the course of the last few years, the number of publicized breaches has risen dramatically, ultimately costing some CXOs their jobs. The irony is that in many cases, the breach itself is not the cause of their dismissal, but rather it is the handling of the situation after the breach is discovered and how quickly the executives can assemble the answers. It takes considerable talent and time (often weeks or months) to work through the incident response (IR) process within most organizations. Also, while protection and maintenance of the security equipment is generally owned by network and policy teams, the post-IR role almost always falls to a security analyst or security operations center (SOC) engineer. A toolset has emerged to complement and accelerate the IR process, a technology that NSS Labs defines as continuous forensic analytics (CFA.)
Over the last few months we’ve been researching CFA technologies. Our research will include guidance on the products, use cases, and leading vendors. Defined as a network-based packet capture tool, a CFA product functions by extracting metadata and enabling the reconstruction of sessions, source/destinations, and payload information via automated or structured queries. Clearly, having the ability to map exactly what was taken, when, and from what host (and having the ability to see if a peer is experiencing the same issues) – is a valuable tool. The same analysis performed with a security information event management (SIEM) platform would require considerably more talent and time to develop.
There are no perfect security products – no silver bullets – to protect you if you are the target of a determined hacking organization. However, possessing the means to quickly identify anomalous behavior, remediate vulnerabilities, and block exfiltration of data could minimize the effects of a breach.