
Finding Evidence of a Security Attack

Data security is a race between attackers and defenders. Attackers win when they can commit their crimes—stealing data, encrypting files, or performing some other destructive act—before being detected and stopped. Defenders win when they detect an attack and stop it before any harm is done.

Unfortunately, these days, the attackers seem to have time on their side. The typical security attack lingers undetected on an enterprise network for an average of 229 days, according to researchers. That’s over 7 months of free time for stealing data and committing some other act of cyber crime.

Why does it take so long to detect security attacks? One reason is that today’s attacks are increasingly subtle and sophisticated. But another reason is that, once an attack slips past network defenses and hides on the network for even a few days, the amount of hard evidence that security analysts have access to falls off dramatically.

In the first two days, security analysts are likely to have access to network forensics data with stored packets containing the attack itself. After two days, the evidence shrinks to mostly derivative data—some log files here, some metadata there. These can sometimes provide indirect clues about what really took place, but they are far less useful than being able to explore the actual traffic containing the attack itself.

We created Savvius Vigil, our state-of-the-art security forensics solution, precisely to address this problem. Savvius Vigil builds on security tools that enterprises have in place, such as SIEM systems and their IDS/IPS capabilities.

When a SIEM system raises an alert about suspicious traffic, Savvius Vigil stores the network traffic immediately preceding and following the event for forensic review. It integrates events from multiple sources, including network conversations with specified IP addresses. Traffic between relevant nodes is captured before and after the triggered events. Optionally, all related traffic to and from an event’s IP addresses is captured as well.

Savvius Vigil saves only traffic that has been deemed suspicious; all other traffic is eventually discarded. What’s left is a repository of suspicious events—packet-level details and all—that security analysts can examine once they suspect that an alert is genuine and not a false positive.
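As an added illustration of the selective capture model described above (example code written for this page, not Savvius code): a rolling buffer discards unflagged packets once they pass a fixed horizon, while a SIEM alert pulls the matching packets from before the event, and then the ones that follow it, into a retained set. The window sizes, addresses, packet sizes and the single alert are constructed assumptions.

```python
from collections import deque, namedtuple

Packet = namedtuple("Packet", "ts src dst size")   # ts in seconds, size in bytes
Alert = namedtuple("Alert", "ts ips")               # ips: addresses named by the SIEM event

class EventTriggeredCapture:
    """Keep only packets tied to an alert; everything else ages out of a rolling buffer."""
    def __init__(self, horizon, before, after, all_related=False):
        self.horizon, self.before, self.after = horizon, before, after
        self.all_related = all_related   # True: keep any packet touching an alert IP
        self.buffer = deque()            # recent packets not yet expired
        self.retained, self._seen = [], set()
        self.pending = []                # alerts whose "after" window is still open

    def _matches(self, pkt, alert):
        ends = (pkt.src in alert.ips, pkt.dst in alert.ips)
        hit = any(ends) if self.all_related else all(ends)
        return hit and alert.ts - self.before <= pkt.ts <= alert.ts + self.after

    def _keep(self, pkt):
        if pkt not in self._seen:
            self._seen.add(pkt)
            self.retained.append(pkt)

    def ingest(self, pkt):
        self.buffer.append(pkt)
        for alert in self.pending:               # the "after" window
            if self._matches(pkt, alert):
                self._keep(pkt)
        while self.buffer and self.buffer[0].ts < pkt.ts - self.horizon:
            self.buffer.popleft()                # unflagged traffic is discarded
        self.pending = [a for a in self.pending if a.ts + self.after >= pkt.ts]

    def on_alert(self, alert):
        for pkt in self.buffer:                  # the "before" window
            if self._matches(pkt, alert):
                self._keep(pkt)
        self.pending.append(alert)

def run_sample(all_related=False):
    """Replay constructed traffic around one alert; return (retained bytes, total bytes)."""
    cap = EventTriggeredCapture(horizon=60, before=10, after=10, all_related=all_related)
    pkts = [Packet(t, "10.0.0.5", "203.0.113.7", 500) for t in range(0, 100, 5)]
    pkts += [Packet(t + 1, "10.0.0.5", "10.0.0.9", 300) for t in range(0, 100, 5)]
    pkts += [Packet(t + 2, "10.0.0.8", "10.0.0.9", 400) for t in range(0, 100, 5)]
    alert = Alert(50, frozenset({"10.0.0.5", "203.0.113.7"}))   # constructed SIEM event
    for ev in sorted(pkts + [alert], key=lambda e: e.ts):        # replay in time order
        (cap.on_alert if isinstance(ev, Alert) else cap.ingest)(ev)
    return sum(p.size for p in cap.retained), sum(p.size for p in pkts)
```

With the default setting only the conversation between the two alert addresses is kept (2,500 of 24,000 bytes); with `all_related=True` the second flow from 10.0.0.5 is kept as well, which is the trade-off between storage and context the text describes.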

Now, thanks to Savvius Vigil, security professionals investigating a security attack that is days, weeks, or even months old can take advantage of packet-level network traffic in their investigation—something previously unachievable.

“By automatically storing the appropriate network packets, Savvius Vigil enhances the ability of security analysts to quickly understand and respond to newly discovered threats,” says Keatron Evans, principal analyst at Blink Digital Security. “It allows us to go from notification of breach to completed analysis much faster.”

In the race between attackers and defenders, defenders just gained a powerful tool for speeding up the clock in their favor.

For more information about Savvius Vigil, check out the press release or the Product Datasheet. Or contact us.

Network Packets Matter to Security Professionals

Imagine that you investigate car accidents. When you arrive at a scene, you see the smashed cars, skid marks, bent post, and whatever else, and quickly determine that one car came into the path of the other one. This paint on the fender matches that dent in the other car, for example, and even the angles where the car ended up tell a story.

Now imagine that the insurance company asks you to investigate an accident that happened last month. You can still go to the scene, but this time, all you see are some skid marks, a still bent post, and a few other things. But no cars. Perhaps you can still figure out what happened, but it isn’t easy.

Being an accident investigator without being able to see the cars is the situation that security incident investigators find themselves in when they are investigating a breach and can’t see the packets that were the vehicle for the attack.

The problem is that most attacks aren’t discovered for months, and by that time, the packets are gone. It just isn’t practical to store weeks and months of network traffic; a network averaging only 3 Gbps requires 7.5 petabytes of storage over 229 days (the median time between breach and discovery, according to a recent study). And since it is the median time, even with 7.5 petabytes, you’re missing half the security events. So let’s double it to be safe. And assume we’re buying relatively inexpensive storage. That is still over $5 million!

The answer is intelligently determining what to store, but that’s the subject of another blog post. Stay tuned!

Introducing Savvius

As many of you know, WildPackets has a long history as a leading provider of network monitoring and forensics solutions to enterprises, SMBs, and government agencies. In a crowded market of network IT vendors, we’re pleased to say we’ve developed a strong reputation for making exceptional network analysis software and packet storage appliances.

We’re proud of what we’ve achieved. Most of all, we’re pleased to have been able to help so many different organizations and IT professionals make the most of their networks and network-dependent technologies. Our customers are driven, tech-savvy, and creative, and we’re pleased to have contributed, through our network analysis solutions, to their success.

Now—as we all know—the world is changing: faster networks, new devices, more devices, new apps.

To continue to serve our customers, we recognized that we, too, had to keep changing. We realized that it’s time to build on our legacy and create something new. Specifically, we realized it’s time to apply our expertise in network analysis to important problems faced by organizations of all sizes, and to develop new, best-in-class solutions that enable our customers to do more with their (faster, more hyperconnected) networks than they’ve ever done before.

So today we’re making several announcements. We’re announcing a new focus for our company, and we’re announcing an exciting new product that’s unlike anything else available in network IT today.

But let’s start with our new name, which provides the most concise summary possible of our new vision and our new direction.

We’re excited to announce today that we are changing our name to Savvius. Savvius derives from “savvy” or “full of insight.” This name better reflects our company’s full line of products and mission for the future.

And here’s an example of the type of insight we’re talking about.

Over the past several years, we have seen an increase in organizations using our network investigation components to enhance security forensics. We’ve been helping organizations store hours, days, and even a few weeks of network data for analyzing security anomalies that have occurred on the network. All too often, these anomalies turn out to be indications of a security attack, such as a data breach.

Despite the impressive evolution of IT defenses, security attacks are still getting through, and in many cases, they’re lingering on the network longer than a few weeks before being discovered. They’re lingering for months. About 7 and a half months on average: 229 days.

Which is why today we are also announcing the introduction of Savvius Vigil™, the industry’s first security appliance that provides weeks or even months’ worth of relevant network packet data following a security incident.

Unique in the market, Savvius Vigil stores packet data correlated with security events detected by your existing SIEM solutions. Savvius Vigil stores that data for months or longer in a searchable repository. When security professionals want to investigate anomalies that have occurred days, weeks, or even months ago, now they can, with Savvius Vigil.

Savvius Vigil gives IT security professionals the hard evidence they’ve been missing when investigating security breaches. You can learn more about Savvius Vigil here.

Moving forward, our company’s focus will be on empowering network and security professionals with the best packet-based analysis products, capabilities and solutions on the market.

We’ve taken a huge step in that direction with today’s announcement, and we hope that you follow along with us as we continue to innovate and provide the most comprehensive view of your network.

For more information, check out today’s announcement, take a look around our website or get in touch!