Enabling Network Forensics in Security Breach Investigations

LiveAction Vigil integrates with Cisco FirePower NGIPS to store the entire “packet environment” of hundreds, even thousands, of security alerts every day, more than the largest incident response team could investigate.

Enterprises, under constant attack, deploy highly effective systems to detect and prevent security threats. However, not even the most comprehensive and sophisticated security system can prevent all attacks from making it through. When a security incident occurs, investigation into the breach must be timely and comprehensive so you can rapidly understand, contain, and remediate the current issue, and better prevent future ones.

Investigations without access to the original network packets that carried the intrusion are invariably less effective. Network packets carry malware as binaries that, once assembled on an enterprise’s server, cover their tracks — altering logs, changing resources, and modifying their identity — as the first order of business.

The challenge enterprises face is that attacks often remain undetected for weeks or months. This lets attacks inflict the most damage while at the same time altering logs and taking other steps to disguise themselves. This means that access to the original intrusion’s network packets is vital. Yet the sheer volume of network traffic means that network packets are usually only available for a brief time.

Solution Overview

LiveAction Vigil™, a high-performance security appliance, enhances the effectiveness of security breach investigations by storing months of relevant network traffic. One of the techniques LiveAction Vigil uses to define “relevant network traffic” is to capture and store network packets around security alerts from prevention and detection systems.

Cisco FirePower® is a Next Generation Intrusion Prevention System which sets a new standard for advanced threat protection. It integrates real-time contextual awareness, full-stack visibility, and intelligent security automation for industry-leading security effectiveness.

LiveAction Vigil integrates with Cisco FirePower NGIPS to store the entire “packet environment” of hundreds, even thousands, of security alerts every day, more than the largest incident response team could investigate.

Investigators can use LiveAction Omnipeek™, included with LiveAction Vigil, to view and investigate the original attack.

Making network packet data available to security breach investigations requires preparation, and that’s where LiveAction Vigil comes in.

How it works

LiveAction Vigil analyzes all incoming network traffic against alerts from Cisco FirePower NGIPS. Vigil stores all relevant network packets from five minutes before the alert to five minutes after (or a different time range the user defines), as well as conversations with the IP addresses that triggered the alert. The network security team can use these network packets for immediate investigations, and they are stored for later use.

LiveAction Vigil includes powerful search capabilities for zeroing in on the packets associated with specific alerts. Once security analysts have identified packets of interest, they can export them into a standard pcap format. Omnipeek forensics software, included with LiveAction Vigil, is a superior solution for investigating packets in detail, including examining packet payloads and details of network conversations.