According to the 2014 Verizon Data Breach Investigations Report (DBIR), as well as the Mandiant M-Trends 2014 Threat Report, intrusions remain on networks for many months before they are detected. Further, organizations do not discover the breaches themselves; a majority of the time they are notified by third parties. These two facts bring with them an unfortunate reality -- when it comes time to do incident response, the data the incident response team needs is often not available.
There are several common reasons why the required data may not be available:
- Collection: In some cases, organizations may not have their network properly instrumented for collection. In other cases, organizations may not be properly equipped to retain and expose for analysis the volume of data created by the network instrumentation. Either way, when it comes time to investigate, the relevant data will not be available.
- Visibility: Some organizations may have portions of their network instrumented for collection. But what if the breach occurs in an area of the network that is not included in the area of visibility? In those cases, data that is relevant to the breach investigation will not be available.
- Retention: Sometimes, the network is properly instrumented in the appropriate places, but there is simply nowhere to put the volume of data that is generated. As the volume of data grows, either the retention period shrinks, or the storage capacity grows to compensate. It is not uncommon for the retention period to get down to one month or even less, making incident response for breaches with long-term presence extremely difficult.
The collection and visibility issues can be addressed through improving instrumentation of the network for collection. But what about the retention issues? Collecting fewer data sources of higher value to security operations can help, as I discussed in my “Data Value vs. Data Volume” post (http://ananalyticalapproach.blogspot.com/2014/04/data-value-vs-data-volume.html). Ultimately, even with optimization of data collection, a large network will generate a large volume of data. Given the amount of time breaches remain present before detection, and the key role network traffic data plays in investigating a breach, organizations are retaining network traffic data for increasingly longer periods. It’s probably a good idea to retain 6-12 months of meta-data (or more) if possible. Granted, this involves budgeting resources to accomplish this. Given the financial damage recent breaches have inflicted, if done properly and optimally, increased retention seems like a good investment.
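To make the retention trade-off concrete, here is an added example (not from the original post) that works the arithmetic behind "either the retention period shrinks, or the storage capacity grows": it computes how many days a storage budget holds when every source is kept, and then greedily keeps only the highest-value sources so that they reach a target retention window. The source inventory, daily volumes, value ranking and the 50 TB budget are all constructed assumptions for illustration.

```python
"""Retention planning helper (added example; figures are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    gb_per_day: float  # assumed average daily volume after compression
    value: int         # assumed IR usefulness rank: higher = more valuable


# Constructed sample inventory; volumes are illustrative, not measured.
SOURCES = [
    Source("netflow", 40.0, 10),
    Source("dns_logs", 15.0, 9),
    Source("proxy_logs", 60.0, 8),
    Source("full_pcap", 2000.0, 4),
]


def retention_days(sources, storage_gb):
    """Days of history the budget holds if every listed source is kept."""
    daily = sum(s.gb_per_day for s in sources)
    return storage_gb / daily if daily else float("inf")


def storage_for(sources, days):
    """Storage (GB) needed to keep all listed sources for `days` days."""
    return days * sum(s.gb_per_day for s in sources)


def plan(sources, storage_gb, target_days):
    """Keep the most valuable sources first, as long as each one can be
    retained for target_days within the remaining budget.
    Returns (kept, dropped); every kept source reaches target_days."""
    kept, dropped, used = [], [], 0.0
    for s in sorted(sources, key=lambda s: s.value, reverse=True):
        need = s.gb_per_day * target_days
        if used + need <= storage_gb:
            kept.append(s)
            used += need
        else:
            dropped.append(s)
    return kept, dropped


if __name__ == "__main__":
    budget = 50_000.0  # constructed: 50 TB of usable storage
    print(f"keeping everything: {retention_days(SOURCES, budget):.1f} days")
    kept, dropped = plan(SOURCES, budget, 180)
    print("180-day plan keeps:", [s.name for s in kept])
    print("180-day plan drops:", [s.name for s in dropped])
    print(f"storage used: {storage_for(kept, 180):.0f} GB of {budget:.0f}")
```

With these constructed numbers, keeping full packet capture drives retention down to about 24 days, while dropping it lets the metadata sources reach the six-month window with room to spare.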