3 Requirements for Effective Security Investigations

Friday, April 15, 2016

Tomer Saban


Most organizations lack the manpower and visibility needed to properly investigate every lead. Security teams are often faced with the choice of ignoring potential incidents or devoting excessive resources in order to understand what has happened. Automated detection followed by correlation to reduce false positives are important steps in mitigating this burden, but the majority of the work still falls on the actual investigation phase. Even the best-equipped analysts find themselves sorting through unrecognized sessions and mountains of packet captures, unable to provide quick answers to critical questions. So, how does an enterprise change this?

In order to provide security teams with the ability to react quickly and accurately to cyber-attacks and overcome technical and resource-related limitations, here are three fundamental requirements to consider:

1. Automate Data Analysis to Overcome Skill-Set Barriers

The ongoing skills shortage creates a major bottleneck in forensics investigations. Organizations must support users who lack deep expertise, so that security professionals at all levels can handle more complex investigations, escalate fewer tickets and resolve incidents faster. Forensics solutions may collect valuable data for investigating a threat, but if further manual analysis is required just to find the relevant data and understand what it means, that data is likely to be lost in the shuffle. Security teams should not waste precious time drilling into sessions with Wireshark-like tools when trying to understand what is happening in the network. Teams need a solution that analyzes data automatically, translating network packets and sessions into intuitive and searchable intelligence. This approach saves not only time, but also money.

2. Complete Visibility Into User Behavior and Application Content

The traditional approach of correlating events from different sources using SIEM has proven insufficient. Enterprise visibility should extend beyond logs and flow data in order to validate security alerts and determine the extent of successful incidents. Security teams need immediate access to information assets traversing the network in order to answer questions like, “When was the data accessed?” “By whom?” “Where has it traveled to?” “What was in it?” This includes the actual payloads of network conversations, rather than just the metadata – the content of emails, chats, file transfers, business transactions, DNS lookups, search queries, authentications, as well as remote desktop sessions.

3. Greater Retention Periods for Forensics Data

The ability to look back in time to investigate historical security events is critical, but by the time you discover a breach, it’s usually too late. According to the Mandiant 2015 Threat Report, an attacker has free rein in a breached environment for approximately 205 days before being discovered. Organizations are doing their best to collect data for forensics investigations; however, they face significant storage limitations. Because high-level metadata is insufficient, the current approach is to capture and store full packet data for later analysis. A quick calculation shows that a 10GbE link (at full line rate) will require about 110TB of storage to record a single day of traffic.

Since most security breaches take months to discover, the value of traditional solutions built on full packet capture is clearly diminished: given the capacity of a typical enterprise infrastructure, security teams are often restricted to retention periods of only a few days. To overcome this challenge and gain access to the historical content required for proper investigations, organizations need to take a different approach and work with solutions that increase forensics data retention from days to many months, in order to reveal the full story before, during and after an attack.
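The sizing arithmetic behind the 110TB figure, as an added example (not from the post or from WireX): it reproduces the per-day number for a saturated 10GbE link and inverts it to show how many days of full capture a given storage budget actually holds, which makes the assumptions behind the figure (full line rate, decimal terabytes, no pcap framing overhead or compression) explicit.

```python
"""Full-packet-capture storage sizing.

Added example, not code from the original post. Assumptions (mine, not
the author's): the link runs at the given utilisation of its line rate,
1 TB = 1e12 bytes, and no pcap framing overhead or compression is
applied. Under these assumptions a saturated 10GbE link needs ~108 TB
per day, which is the "about 110TB" figure quoted in the post.
"""

SECONDS_PER_DAY = 24 * 60 * 60
BYTES_PER_TB = 10**12


def bytes_per_day(link_gbps: float, utilisation: float = 1.0) -> int:
    """Bytes captured in one day from a link_gbps link at the given utilisation."""
    if not 0.0 <= utilisation <= 1.0:
        raise ValueError("utilisation must be between 0 and 1")
    bits_per_second = link_gbps * 1e9 * utilisation
    return int(bits_per_second / 8 * SECONDS_PER_DAY)


def storage_tb_per_day(link_gbps: float, utilisation: float = 1.0) -> float:
    """Decimal terabytes of storage consumed per day of full capture."""
    return bytes_per_day(link_gbps, utilisation) / BYTES_PER_TB


def retention_days(storage_tb: float, link_gbps: float, utilisation: float = 1.0) -> float:
    """Days of full capture that a storage budget of storage_tb can hold."""
    return storage_tb / storage_tb_per_day(link_gbps, utilisation)


def storage_for_retention_tb(days: float, link_gbps: float, utilisation: float = 1.0) -> float:
    """Storage needed to keep `days` of full capture (e.g. a 205-day dwell time)."""
    return days * storage_tb_per_day(link_gbps, utilisation)


if __name__ == "__main__":
    # Saturated 10GbE link: ~108 TB/day, so 110 TB buys roughly one day.
    print(f"10GbE, 100% busy: {storage_tb_per_day(10):.1f} TB/day")
    print(f"110 TB retains {retention_days(110, 10):.2f} days at line rate")
    # A more typical 30% average utilisation still yields only a few days.
    print(f"110 TB retains {retention_days(110, 10, 0.3):.2f} days at 30% load")
    # Covering the 205-day dwell time from the post at line rate:
    print(f"205 days at line rate: {storage_for_retention_tb(205, 10):,.0f} TB")
```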

The above considerations must be examined in order to remediate security incidents as quickly as possible. As we know, it is (nearly) impossible to prevent a breach altogether in this day and age. It’s how efficiently you understand and handle the event that matters. Don’t let your organization fall behind.


Tomer Saban is the co-founder and CEO of WireX. Tomer brings with him 15 years of experience in telecommunications and network security. Prior to founding WireX Systems, Tomer served as a team manager in the intelligence division at Nice Systems. Tomer is an alumnus of the 8200 Entrepreneurship Program and the Merage Institute for U.S. - Israel Innovation Leadership Program. Tomer holds a B.Sc. in Computer Science from the College of Management Institute in Israel.
