Savvius has announced that Savvius Vigil 2.0, its network monitoring security appliance, is now shipping. This new version of their appliance is able to store over 50 Terabytes of packet-level data which can then be used by security teams to identify and track a security breach.
By capturing data at the network level, security teams are able to track a breach by comparing traffic before, during and after an attack. This enables them to better understand how the attack was crafted, what it did, which machines, applications and services were compromised, as well as what data was taken. With this data they can improve their defences, prove the forensics of the attack in court and clean up any infected machines to prevent a recurrence.
According to Keatron Evans, principal at Blink Digital Security: “When incidents are discovered, the ability to quickly close the loop between the initial alert and the breach analysis is critical for businesses. Without the actual network packets on hand, and without the ability to quickly recall and filter those packets, investigations can take months or even a year.”
Savvius has built in integration with other security tools
The Savvius Vigil 2.0 also integrates with many of the leading security solutions on the market, including:
- Arcsight ESM v6.0
- Cyberoam UTM v10.6
- Lancope Stealthwatch v6.6
- Palo Alto Pan OS v7.0
- IBM QRadar v7.2.5
- Snort v2.9.7
- Suricata v2.0.3
- Cisco Sourcefire v5.3
This means that it can be used as an adjunct to other security tools. For example, rather than capturing all packets on the network, capture can be triggered when a rule fires in one of those tools. It also has its own rule-based options that can be configured to capture data only under specific circumstances.
There are good reasons for using rules rather than indiscriminate packet capture. The most important one is the volume of data gathered. Evans believes that storing only relevant information: “…significantly increases the time the data remains available, and delivers filtering and search functionality that dramatically accelerates investigation time. There is an enormous cost benefit when businesses can quickly and confidently characterize all impacts from a breach.”
However, waiting for a set condition means that it is easy to miss the early signs of an attack. It may miss, for example, the initial infection vector, be that a phishing email, a drive-by infection or a malicious insider installing software across the enterprise network. This is where security teams will need to focus their efforts in effectively integrating the Savvius Vigil 2.0 into their processes.
One solution is for the security teams to regularly download the data and use big data analytics to see what is happening on the network. When used with visualisation tools this would also enable them to see connections between people, applications and machines. As network operations teams have long realised, visualisation can often throw up unexpected answers to other problems in the IT infrastructure.
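To make the trade-off in the preceding paragraphs concrete, here is an added simulation (not Savvius code, and not a description of how Vigil implements triggering) that contrasts naive rule-triggered capture with capture that keeps a rolling pre-trigger buffer. The packet stream, the alert time and the window lengths are all constructed for the illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds (constructed)
    src: str
    dst: str
    summary: str   # one-line decode, stands in for the stored packet


# Constructed stream: a document download precedes the IDS alert by ~30 s.
STREAM = [
    Packet(100.0, "10.0.0.5", "203.0.113.9", "HTTP GET /invoice.doc"),
    Packet(101.0, "10.0.0.5", "203.0.113.9", "HTTP 200 application/msword"),
    Packet(130.0, "10.0.0.5", "198.51.100.7", "DNS query for unknown host"),
    Packet(131.0, "10.0.0.5", "198.51.100.7", "TLS ClientHello"),
    Packet(140.0, "10.0.0.5", "198.51.100.7", "TLS application data"),
    Packet(400.0, "10.0.0.5", "10.0.0.20", "SMB open of a file share"),
]
ALERT_TS = 131.0   # constructed: the moment an external IDS rule fires


def triggered_capture(packets, alert_ts, post_window):
    """Naive rule-triggered capture: record only from the alert onwards.

    Everything before the alert, including the infection vector, is lost.
    """
    return [p for p in packets if alert_ts <= p.ts <= alert_ts + post_window]


def buffered_capture(packets, alert_ts, pre_window, post_window):
    """Rule-triggered capture with a rolling pre-trigger buffer.

    Packets are held for up to pre_window seconds and discarded if no rule
    fires; when the rule fires, the buffered history is committed alongside
    the post-alert packets, so the early signs survive at bounded cost.
    """
    buf, kept, triggered = deque(), [], False
    for p in packets:
        if not triggered:
            buf.append(p)
            while buf and buf[0].ts < p.ts - pre_window:
                buf.popleft()          # age out packets older than the window
            if p.ts >= alert_ts:
                triggered = True
                kept.extend(buf)       # commit the pre-trigger history
        elif p.ts <= alert_ts + post_window:
            kept.append(p)
    return kept
```

Shortening pre_window is the retention lever the text describes: the buffer still costs nothing unless a rule fires, but too short a window drops the download that explains the alert.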
With companies increasingly accepting that they are going to be breached, having the network traffic to see where, when and why it happened, along with what was taken, is critical. With the lack of digital skills among law enforcement, there is also a need for enterprises to capture this data in a forensically acceptable way. That will help when a case comes to court.