Data Breach Analysis

Only a complete record of network traffic provides the data needed to investigate breaches fully

Understanding and investigating data breaches

Analysis and forensic tools are used by SecOps and CERT/CSIRT teams to investigate security break-ins, identify compromised systems, establish the time frame of breach activity and understand the vulnerability that enabled the attack so that it can be remediated.

When a security breach occurs, knowing for certain what has been compromised, and knowing it quickly, is critical. Customers, regulators, shareholders and boards all demand to know the impact of the breach, and they demand to know quickly.

Reconstructing a security breach can take days or weeks because of the sheer complexity of accessing and correlating data from many different sources. Often that data is insufficiently detailed, incomplete or simply missing, which can make a complete reconstruction of events impossible. This leaves organizations in the invidious position of not knowing whether the vulnerability that enabled the breach has been resolved, and of being unable to ascertain exactly what confidential data may have been exposed.

As recent, highly publicized data breaches have demonstrated, this can have catastrophic effects for the organization involved: lawsuits, regulatory penalties, loss of customers and plummeting share prices, on top of the sheer cost of investigating the breach itself.

Sampled flow-based statistics, NPM/APM summaries and SIEM-managed log data may provide enough information for monitoring systems to display trends, flag anomalies and generate alarms, but they often lack the detailed data needed to establish the root cause of a breach or its impact. A flow record tells you that two endpoints exchanged a certain number of bytes on a certain port; it cannot tell you what those bytes contained.

A complete and accurate record of network traffic, on the other hand, provides a complete picture of activity that is difficult or impossible to glean from application or system log files and other sources. It allows analysts to establish precisely what's happened without resorting to theories and guesswork.

When a security incident occurs, detailed network packet data is needed to locate the problem, determine which sub-system has been compromised, and perform root cause analysis to establish exactly what in that sub-system was compromised and how the breach occurred. Packet data also provides direct evidence of what data left the network, so analysts can ascertain the full impact of a breach quickly. This holds only for traffic that was actually recorded: the capture must be lossless, the retention window must cover the attacker's dwell time, and for TLS-encrypted sessions the payload is only visible where the session keys are available for decryption.

Only complete, lossless packet capture provides the detail necessary to:

  • Find the problem
  • Understand the true level of exposure that the breach has caused
  • Assist in risk management
  • React appropriately
  • Fix the problem with a lower mean-time-to-resolution.

Endace products and Fusion Ecosystem partners can give you certainty in the event of a data breach

  • EndaceProbe Network Recorders
  • EndaceVision
  • Endace Fusion Partners