In our incident response practice we see, time and time again, scenarios where long-term, systemic malware resides in a seemingly secure environment for months at a time.
One of the first burning questions everyone wants answered is “How did this happen?” Quite often the pathways such infections traverse are covered up in milliseconds and get lost in a sea of reporting data that may no longer be available. If logs are cleared and no data is collected off the network, determining the origins of an event can be next to impossible.
Logging and event monitoring solutions are a great idea for a company that does not have the internal expertise or resources to aggregate, monitor, and audit those logs. Many devices have logging features: routers, switches, security appliances, virtual machines, servers, and just about every other device on the network. Being aware of the environment is key; there can be severe alterations to the network configuration without any disruption to network traffic or data flow. In fact, many organizations with compromised environments are vulnerable for months before discovery.
The ability to inspect and archive every data packet on every port that travels across the network is the best way to analyze real-time infiltrations and determine their origins and root causes. There are good solutions for packet capture and real-time monitoring. Network appliances are dedicated machines that offer specialized functions and capabilities for an administrator. These solutions give an administrator more visibility into the network and pinpoint exactly where and when security incidents occurred. Now more than ever, when minutes can be eons to a well-crafted attack, having full control over logs and traffic transparency is key to the fastest resolution and root cause analysis. Unlike firewalls, packet capture appliances can store all the network traffic for as long as their storage capacity allows. This data can be referenced to see exactly how a security incident occurred.
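The two preceding paragraphs make one practical point: a host log tells you *that* something happened, and a full packet capture tells you *who* caused it, provided both were retained and can be lined up by time. The script below is an added example (not Halock's code and not from any product it recommends) that shows that correlation with the standard library only. It writes a small pcap file in memory, parses it, and, given a log entry whose timestamp is the only clue, lists the external hosts that opened a connection to the affected server in the seconds around the event. All hosts, ports, timestamps and the log line are constructed sample data; the `parse_pcap` and `origin_of` helpers are illustrative names, not a real tool's API.

```python
"""Correlate a log event with full-packet-capture evidence (added example)."""
import struct
from datetime import datetime, timezone
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits we care about

# ---- writer: builds a constructed sample capture ----------------------------
def _ipv4_hdr(src, dst, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero (the parser does not verify it).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       64, 6, 0, ip_address(src).packed, ip_address(dst).packed)

def _tcp_hdr(sport, dport, flags):
    # Minimal 20-byte TCP header: seq/ack zero, data offset 5, no options.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def make_frame(src, sport, dst, dport, flags):
    eth = b"\x00" * 12 + b"\x08\x00"   # placeholder MACs, EtherType IPv4
    tcp = _tcp_hdr(sport, dport, flags)
    return eth + _ipv4_hdr(src, dst, len(tcp)) + tcp

def build_pcap(records):
    """records: iterable of (unix_time_float, frame_bytes) -> pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# ---- reader: what an analyst would run against an archived capture ----------
def parse_pcap(data):
    """Yield (timestamp, src, sport, dst, dport, tcp_flags) for each IPv4/TCP frame."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                  # not TCP
        src = str(ip_address(frame[26:30]))
        dst = str(ip_address(frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (sec + usec / 1e6, src, sport, dst, dport, tcp[13])

LOG_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S%z"

def parse_log_time(line):
    """First token of the log line is an ISO-8601 timestamp with numeric offset."""
    return datetime.strptime(line.split(" ", 1)[0], LOG_TIME_FORMAT).timestamp()

def packets_around(pcap_bytes, event_time, window=2.0):
    """Captured packets within +/- window seconds of the log event."""
    return [p for p in parse_pcap(pcap_bytes) if abs(p[0] - event_time) <= window]

def origin_of(pcap_bytes, log_line, victim_ip, victim_port):
    """Hosts that initiated (pure SYN) a connection to the victim around the event."""
    t = parse_log_time(log_line)
    syns = [p for p in packets_around(pcap_bytes, t)
            if p[3] == victim_ip and p[4] == victim_port
            and p[5] & SYN and not p[5] & ACK]
    return sorted({p[1] for p in syns})

# ---- constructed sample data ------------------------------------------------
# The server log records a privileged change but not where the session came from.
LOG_LINE = "2024-03-12T02:14:07+0000 web01 app: admin account created by unknown session"
T0 = datetime(2024, 3, 12, 2, 14, 7, tzinfo=timezone.utc).timestamp()
VICTIM = "10.0.0.10"

def sample_capture():
    """A few frames around the event plus unrelated monitoring traffic."""
    return build_pcap([
        (T0 - 3600, make_frame("10.0.0.5", 51000, VICTIM, 443, SYN)),        # hourly probe
        (T0 - 1.5, make_frame("203.0.113.9", 40322, VICTIM, 443, SYN)),       # handshake
        (T0 - 1.499, make_frame(VICTIM, 443, "203.0.113.9", 40322, SYN | ACK)),
        (T0 - 1.2, make_frame("203.0.113.9", 40322, VICTIM, 443, ACK)),
        (T0 + 0.4, make_frame(VICTIM, 443, "203.0.113.9", 40322, PSH | ACK)),
        (T0 + 30, make_frame("10.0.0.5", 51001, VICTIM, 443, SYN)),           # later probe
    ])

if __name__ == "__main__":
    print("candidate origin hosts:", origin_of(sample_capture(), LOG_LINE, VICTIM, 443))
```

The SYN-without-ACK filter is what separates the connection initiator from the server's replies, and the time window is deliberately narrow so that routine traffic (the monitoring probe an hour earlier) does not muddy the answer; on a real capture the analyst widens the window and walks the full flow from the first SYN forward.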
The key to due diligence is preparation: running through exercises, testing the security measures in place, and continuous improvement. Halock offers incident readiness training that can help a team prepare to identify and stop security breaches. We can also recommend solutions tailored to your environment that inspect traffic and add the layer of transparency necessary against next-generation attacks.