Faster Data Breach Investigation Equals Faster Incident Response

Here we go again.  The recent Petya ransomware attack caught the EU off guard and created chaos that rippled through organizations far and wide.  Luckily, it was not as severe as WannaCry, but it reinforces that companies are still not prepared to quickly identify a suspected cyber-attack and mount the response needed to get it under control.

Why is that?  Well, there are many factors, but the big one comes down to the fact that there are just too many log alerts being received from firewalls, SIEMs or other security technologies – up to 5000 a day!  Even organizations with large, highly trained security teams are struggling to keep up with the volume.  Manually combing through the events to determine which are worth further investigation is not a viable solution in the face of broad, wide-scale attacks.

Petya impacted many organizations across many industries, but some of the most disturbing were the financial institutions in Russia and Ukraine.  Given the nature of the critical financial and client data held by such an organization, it would make sense that any breach will necessitate the execution of an incident response strategy, beginning with incident investigation.  This must be done to meet compliance requirements under any data privacy regulations.  If GDPR was in effect (May 2018), organizations with impacted databases that include EU citizen data would be required, within 72 hours, to report not only the breach to authorities, but exactly what records were exposed and why the processes in place did not protect these records, all to be followed up by a go-forward plan to mitigate such exposure in the future.  That’s a pretty tall order given the effort involved.

Clearly, there needs to be a better way to perform and conclude a more effective and timely incident investigation. An automated investigative response solution may provide the edge today’s InfoSec teams need.

Now imagine if the security teams had been provided a real-time alert that suspected malicious activity was successfully impacting their most critical assets.  And, what if that alert triggered an automatic extraction of the detailed data conversations related to that alert?  This would allow security teams to begin a very focused, prioritized incident investigation right away.

What is automated investigative response?

Simply stated, it is leveraging a log alert, generated by a firewall, IDS/IPS, etc., that has identified suspicious activity against specified critical assets, and using the provided metadata to automatically trigger an extract file of the data conversations pertinent to that alert if, and only if, the critical assets’ data was impacted.

CSPi’s Myricom nVoy Series solution was designed for exactly this purpose.  By inserting our nVoy 10Gbit packet recorder into any network, above the identified critical assets, it will ingest all network traffic and, in real time, capture, filter, record and index all the data for quick retrieval into extract files.  The recording process is continuous, 365×7, thus providing the detailed data needed to perform forensic analysis.  Having these recordings available for on-demand access makes it possible to create extract files around particular data conversations that “go back in time” to truly understand the full scope of the incident: what data was accessed, when the breach began, when it ended, and what other assets may have been impacted.  This alone provides security teams with a powerful solution to make their incident response much more focused and thus more effective.

CSPi has taken it one step further by automating two critical elements of the incident investigation process:

  1. match an intrusion alert to an actual data breach and
  2. extract the conversations related with that breach.

When our nVoy Automated Investigative Response (AIR) application is paired with the nVoy recorder, it assesses all alerts issued by a firewall or IDS/IPS to determine if any are against a user-specified list of critical assets (devices, applications or a combination).  If so, the application triggers the nVoy recorder to automatically generate an extract file of all the data associated with that alert.  By automating these two pieces – the alert identification and the extraction of conversations – it eliminates manual intervention and thus drastically reduces the risk of missing an alert, puts resources to better use and, most importantly, saves crucial time during the incident investigation.
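The two automated steps described above (matching an alert against a critical-asset list, then turning the alert's metadata into an extraction of the related conversations) can be sketched in a few dozen lines. The following is an added example written for this page; it is not CSPi's nVoy AIR code and does not use any nVoy API. The alert format (a Suricata-EVE-like JSON line), the asset list, the "look back before the alert" window, and the shape of the resulting extraction request (a 5-tuple BPF filter plus a time range) are all assumptions made for the example, and the sample alerts are constructed.

```python
"""Added example: match IDS alerts against a critical-asset list and turn
each hit into a packet-extraction request.  Illustrative only; the alert
format, asset list and request shape are assumptions for this example."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import json

# Constructed critical-asset list (hypothetical values).  An entry is a
# device (network only) or an application (network plus TCP/UDP port),
# which is the "devices, applications or a combination" idea.
CRITICAL_ASSETS = [
    {"name": "payments-db", "network": "10.10.5.20/32", "port": 5432},
    {"name": "file-servers", "network": "10.10.7.0/24", "port": None},
]

# Constructed sample alerts in an assumed EVE-like JSON shape.  The first
# targets the database application, the second hits a non-critical host,
# the third shows traffic leaving a critical file server.
SAMPLE_ALERTS = [
    '{"timestamp": "2017-06-27T10:14:05Z", "src_ip": "192.0.2.44", "src_port": 51514, '
    '"dest_ip": "10.10.5.20", "dest_port": 5432, "proto": "TCP", '
    '"alert": {"signature": "CONSTRUCTED external client to database port"}}',
    '{"timestamp": "2017-06-27T10:15:30Z", "src_ip": "192.0.2.44", "src_port": 51520, '
    '"dest_ip": "10.10.9.9", "dest_port": 80, "proto": "TCP", '
    '"alert": {"signature": "CONSTRUCTED web probe"}}',
    '{"timestamp": "2017-06-27T10:16:02Z", "src_ip": "10.10.7.15", "src_port": 445, '
    '"dest_ip": "198.51.100.7", "dest_port": 40001, "proto": "TCP", '
    '"alert": {"signature": "CONSTRUCTED SMB outbound from file server"}}',
]


@dataclass(frozen=True)
class ExtractRequest:
    """What we would hand to a packet recorder: which asset and signature
    fired, the BPF filter selecting both directions of the conversation,
    and the time window to pull from the continuous recording."""
    asset: str
    signature: str
    bpf_filter: str
    start: datetime
    end: datetime


def match_asset(ip, port):
    """Return the critical-asset entry that (ip, port) hits, or None.
    A port-specific entry only matches traffic on that port, so an alert
    against the same host on another service does not trigger it."""
    addr = ipaddress.ip_address(ip)
    for asset in CRITICAL_ASSETS:
        if addr in ipaddress.ip_network(asset["network"]):
            if asset["port"] is None or asset["port"] == port:
                return asset
    return None


def assess_alert(line, lookback=timedelta(minutes=30), lookahead=timedelta(minutes=5)):
    """Step 1: decide whether the alert involves a critical asset.
    Step 2: if so, build the extraction request from the alert metadata.
    Returns None when the alert does not touch a critical asset."""
    a = json.loads(line)
    # Check both endpoints: the asset may be the target of the activity
    # or the source of data leaving the network.
    hit = match_asset(a["dest_ip"], a["dest_port"]) or match_asset(a["src_ip"], a["src_port"])
    if hit is None:
        return None
    ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # 5-tuple filter; "host X and host Y and port P and port Q" matches
    # packets in either direction of this single conversation.
    bpf = (f"{a['proto'].lower()} and host {a['src_ip']} and host {a['dest_ip']}"
           f" and port {a['src_port']} and port {a['dest_port']}")
    # The window reaches back before the alert so the extract shows how the
    # conversation began, not only the packet that tripped the signature.
    return ExtractRequest(hit["name"], a["alert"]["signature"], bpf, ts - lookback, ts + lookahead)


def assess_all(lines):
    """Run every alert line through the assessment; keep only the hits."""
    return [r for r in (assess_alert(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for req in assess_all(SAMPLE_ALERTS):
        print(f"{req.asset}: {req.signature}")
        print(f"  filter: {req.bpf_filter}")
        print(f"  window: {req.start.isoformat()} .. {req.end.isoformat()}")
```

The point of the port check in `match_asset` is the "if, and only if" condition in the text: an alert merely naming a critical host on an unrelated service does not fire an extraction, which keeps the analyst's queue limited to conversations that actually touched the protected application. In a real deployment the lookback window would be tuned to the recorder's retention and the filter handed to whatever extraction interface the recorder offers.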

To learn more about our Myricom nVoy Series solutions and how they can improve the cyber-breach investigative response process, visit:
