As corporate data breaches increase in number and severity, access to the original malicious packet data is key to quickly understanding the source and depth of network security events. With its unique ability to store critical network traffic before, after, and around hundreds of alerts per day month after month, Vigil 2.0 is the only solution that enables network forensics in investigations of breaches that occurred far enough in the past that network traffic is no longer available with traditional solutions.
According to two recent Ponemon studies, malicious external attacks take on average up to 256 days to identify. In addition, once a cyber attack is discovered, on average it takes 46 days to fully resolve it, at an average cost of $21,155 per day. This makes historical packet data that is relevant to the attack highly valuable to security teams as they investigate the scope and origin of newly discovered breaches. Storing a complete history of all packets on a network is prohibitively costly and inefficient, and the resulting volume becomes unwieldy when it is used to conduct a forensic investigation.
"When incidents are discovered, the ability to quickly close the loop between the initial alert and the breach analysis is critical for businesses. Without the actual network packets on hand, and without the ability to quickly recall and filter those packets, investigations can take months or even a year," said Keatron Evans, principal at Blink Digital Security. "Savvius Vigil ensures that only the relevant information is being stored, which significantly increases the time the data remains available, and delivers filtering and search functionality that dramatically accelerates investigation time. There is an enormous cost benefit when businesses can quickly and confidently characterize all impacts from a breach."
Savvius Vigil 2.0 is the industry's first security appliance that can intelligently store more than 50 terabytes of packet-level information at speeds up to 3 Gbps. Vigil integrates with leading intrusion detection and intrusion prevention systems (IDS/IPS), including Lancope StealthWatch, Palo Alto Networks, HP ArcSight, Cisco Sourcefire, and Cyberoam, to capture packets associated with triggered security alerts or events. Vigil is unique in its ability to identify and store packet data from five minutes prior to an incident until five minutes after it. The data stored includes traffic to and from the nodes that triggered the alert. Having this data gives security investigators unparalleled visibility into key network activity that occurred in the lead-up to a breach, allowing for more targeted analysis and faster mean-time-to-resolution. By discarding nonessential information, Vigil stores a smaller total amount of packet data, making long-term packet storage practical.
Typically, when security events are detected in a network, security teams are forced to rely heavily on log files and metadata for investigations. Threat actors routinely alter or tamper with such records. "Not only is the analysis of log information a slow and tedious process, but the integrity of the records is questionable," noted Evans. "If the attacker knows where the log data is stored, they can easily cover their tracks by manipulating the records. Vigil offers secure and reliable access to the packet-level information, which is almost impossible to modify, especially when data is being captured prior to the penetration."
New enhancements in Vigil 2.0 include expanded storage and search capability based on traffic characteristics such as IP address, port, protocol, application, and alert criteria. An option to selectively capture all network traffic before and after an event enhances immediate investigations. An intuitive interface streamlines searches and accommodates unique workflows. Vigil creates industry-standard pcap files for use with any network forensics software, including Savvius Omnipeek.
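To make the retention model described above concrete, here is an added example (not Savvius code) of the alert-window selection and the IP/port/protocol search over a rolling capture buffer. The packet records, the alert, and the five-minute window are constructed for illustration; the buffer, node list and field names are assumptions, not the appliance's actual data model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical model of alert-triggered retention: keep only packets that fall
# within a window around an IDS/IPS alert and that involve a node named in it.
WINDOW = timedelta(minutes=5)

@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Alert:
    ts: datetime
    nodes: frozenset  # IP addresses named in the alert (source and/or destination)

def retain_for_alert(buffer, alert, window=WINDOW):
    """Packets within [alert.ts - window, alert.ts + window] to or from an alert node."""
    lo, hi = alert.ts - window, alert.ts + window
    return [p for p in buffer
            if lo <= p.ts <= hi and (p.src in alert.nodes or p.dst in alert.nodes)]

def search(packets, ip=None, port=None, proto=None):
    """Filter retained packets by IP address, port or protocol; IP/port match either side."""
    out = []
    for p in packets:
        if ip and ip not in (p.src, p.dst):
            continue
        if port and port not in (p.sport, p.dport):
            continue
        if proto and p.proto != proto:
            continue
        out.append(p)
    return out

# Constructed sample capture (not real traffic): an alert at T0 names host 10.0.0.5.
T0 = datetime(2016, 3, 1, 12, 0, 0)
BUFFER = [
    Packet(T0 - timedelta(minutes=7), "10.0.0.5", "203.0.113.9", "TCP", 51000, 443),   # before window
    Packet(T0 - timedelta(minutes=3), "203.0.113.9", "10.0.0.5", "TCP", 443, 51000),   # lead-up, kept
    Packet(T0 - timedelta(minutes=1), "10.0.0.7", "10.0.0.8", "UDP", 53, 53),          # unrelated nodes
    Packet(T0, "10.0.0.5", "198.51.100.2", "TCP", 51001, 8443),                        # the alert, kept
    Packet(T0 + timedelta(minutes=4), "10.0.0.5", "198.51.100.2", "TCP", 51001, 8443), # follow-on, kept
    Packet(T0 + timedelta(minutes=6), "10.0.0.5", "198.51.100.2", "TCP", 51001, 8443), # after window
]
ALERT = Alert(T0, frozenset({"10.0.0.5"}))
```

Running `retain_for_alert(BUFFER, ALERT)` keeps three of the six packets; `search` then narrows the retained set the way the IP, port and protocol criteria described above would.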