FireEye Stories

A Video Surveillance System for the Network – The Top Five Benefits of Network Forensics

It is no surprise that most home alarms are purchased after a break-in has occurred. Unfortunately, most businesses apply the same decision-making process to their own networks. The majority of network security spend is placed on preventative measures, such as firewalls and secure web gateways, but the reality is that network breaches continue almost at will despite the billions spent on these devices.

Making matters worse, the average dwell time for an intruder is currently 78 days, meaning attackers are remaining on networks undetected for more than two months. Would you settle for having a burglar roaming undiscovered throughout your house for that time, eating your food and rummaging through your personal belongings? Of course not! For this reason, time is of the essence when it comes to spotting a break-in.

As with any break-in, having evidence is the key to understanding what happened, how the break-in occurred, what was stolen, and how to best remedy the situation to avoid future occurrences. This is why having a network forensics solution in place is so important.

Network forensics, analogous to an indoor home video recording system, allows the recording of all network traffic – good and bad – so that when a breach occurs, security teams can respond immediately. Having this packet traffic recording system in place helps reduce dwell time, helps reduce risk of loss, and minimizes damages.

While there are many benefits to having a network forensics solution in an environment, here is what we consider to be the top five:

  1. Eliminates network blind spots. Top on the list for a network forensics solution is the ability to record all network traffic. This means having a solution that can capture at line rate without dropping or truncating packets, because a gap in the recording is exactly where an attacker's activity will hide. After all, you cannot stop what you cannot see.
  2. Provides instant knowledge. It's important to have a network forensics tool that can provide quick answers. Who broke in? What did they touch? What did they leave behind? What was stolen? What other systems were compromised? All of this and more needs to be answered in minutes, not hours or days. Remember, the faster a team can identify an intruder and what they did, the faster they can respond.
  3. Improves security. A network forensics solution should provide clear insights and findings as to how the breach occurred, where the attacker went, what systems and/or endpoints were compromised, and more. By leveraging this information, a security team can spot previously unseen weaknesses and shore up existing defenses.
  4. Improves response. With so many legal and regulatory obligations around breach notification and loss of personally identifiable information (PII), having a network forensics solution in place gives further assurance as to what actually happened, what needs to be responded to, and the severity of a breach.
  5. Simplifies recovery. In order to claim losses for investigative or insurance purposes, businesses today may need to show actual damages and losses due to cyber attacks. A solid network forensics solution can pinpoint which data actually left the network, making it easier to document damages or loss of intellectual property.
  6. BONUS – Peace of mind. Six? Yes, this is outside our "Top Five" list, but it's worth noting that, as with a home alarm system, part of why network forensics is a must-have for organizations of any size is the peace of mind of knowing that the network, data, intellectual property, and other assets are covered should a cyber criminal break in.
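What benefits 2 and 5 look like in practice, as an added example that is not FireEye's code or part of the original post: a small standard-library pcap reader that indexes a packet recording by TCP flow and reports how many payload bytes left the internal network, to which external host and port, and over what time window. The capture it reads is constructed inline (addresses from the RFC 5737 documentation ranges, zeroed checksums) so it runs offline; it assumes classic pcap files with Ethernet framing and handles only IPv4/TCP, which is enough to show the idea.

```python
"""Index a full-packet capture by TCP flow and report what left the network.

Added example (not FireEye's code): a stdlib-only pcap reader that answers
"who talked to whom, and how much went out" from a packet recording. The
capture below is CONSTRUCTED inline; addresses are RFC 5737 documentation
ranges and checksums are zero, so nothing here is real traffic.
"""
import struct
import ipaddress
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _tcp_packet(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame for the constructed sample."""
    ip_len = 20 + 20 + len(payload)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """packets: iterable of (timestamp_seconds, raw_frame).
    Returns classic pcap bytes (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp(pcap):
    """Yield (ts, src, dst, sport, dport, payload_len) for every IPv4/TCP
    packet in a classic pcap file, in either byte order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl_len, _orig = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != IPPROTO_TCP or len(ip) < total_len:
            continue  # non-TCP, or a truncated (snaplen-cut) packet
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        yield (sec + usec / 1e6,
               str(ipaddress.IPv4Address(ip[12:16])),
               str(ipaddress.IPv4Address(ip[16:20])),
               sport, dport, len(tcp) - data_off)


def outbound_flows(pcap, internal_net):
    """Sum TCP payload bytes that left internal_net, keyed by
    (src, dst, dport), with the first/last time each flow was seen.
    Returns a list of dicts sorted by bytes_out, largest first."""
    net = ipaddress.ip_network(internal_net)
    flows = defaultdict(lambda: {"bytes_out": 0, "packets": 0, "first": None, "last": None})
    for ts, src, dst, _sport, dport, plen in iter_tcp(pcap):
        if ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net:
            f = flows[(src, dst, dport)]
            f["bytes_out"] += plen
            f["packets"] += 1
            f["first"] = ts if f["first"] is None else min(f["first"], ts)
            f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return sorted(({"src": k[0], "dst": k[1], "dport": k[2], **v} for k, v in flows.items()),
                  key=lambda f: f["bytes_out"], reverse=True)


def sample_capture():
    """CONSTRUCTED traffic: one ordinary web fetch, then a much larger
    transfer from the same workstation to an unrelated external host on 443."""
    ws, web, drop = "10.0.0.5", "198.51.100.20", "203.0.113.7"
    pkts = [
        (1700000000.0, _tcp_packet(ws, web, 51000, 80, b"GET / HTTP/1.1\r\n\r\n")),
        (1700000000.1, _tcp_packet(web, ws, 80, 51000, b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 400)),
    ]
    for i in range(3):
        pkts.append((1700000030.0 + i,
                     _tcp_packet(ws, drop, 52000, 443, b"\x17\x03\x03" + b"A" * 1197)))
    return build_pcap(pkts)


if __name__ == "__main__":
    for f in outbound_flows(sample_capture(), "10.0.0.0/8"):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['bytes_out']} bytes out "
              f"in {f['packets']} pkts, {f['first']:.1f}..{f['last']:.1f}")
```

Run against a real recording, `outbound_flows(open("capture.pcap", "rb").read(), "10.0.0.0/8")` surfaces the 3,600-byte transfer to 203.0.113.7:443 at the top of the list, with the window in which it happened; that is the "what was taken, when, and by which host" answer the packet record exists to give. Note that the reader skips packets cut short by the capture snaplen, which is the blind spot benefit 1 warns about: a recorder that truncates or drops packets cannot account for the bytes it never kept.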

The reality is, every business network is subject to attack and breach. Additionally, history shows that placing all effort on preventative measures is not enough: it only takes one vulnerability, one open window, to gain access and do damage. Knowing this and our top five benefits, it is clear that having a network forensics solution is a must. But as with a home alarm, the best time to purchase a network forensics solution is BEFORE the break-in occurs.