LiveAction and Cisco: Network Forensics for Security Breach
Enabling Network Forensics in Security Breach Investigations
LiveAction Vigil integrates with Cisco FirePower NGIPS to store the entire “packet environment” of hundreds, even thousands, of security alerts every day, more than the largest incident response team could investigate.
Enterprises, under constant attack, deploy highly effective systems to detect and prevent security threats. However, not even the most comprehensive and sophisticated security system can prevent all attacks from making it through. When a security incident occurs, investigation into the breach must be timely and comprehensive so you can rapidly understand, contain, and remediate the current issue, and better prevent future ones.
Investigations without access to the original network packets that carried the intrusion are invariably less effective. Network packets carry malware as binaries that, once assembled on an enterprise’s server, cover their tracks — altering logs, changing resources, and modifying their identity — as the first order of business.
The challenge enterprises face is that attacks often remain undetected for weeks or months. This lets attacks inflict the most damage while at the same time altering logs and taking other steps to disguise themselves. This means that access to the original intrusion’s network packets is vital. Yet the sheer volume of network traffic means that network packets are usually only available for a brief time.
Solution Overview
LiveAction Vigil™, a high-performance security appliance, enhances the effectiveness of security breach investigations by storing months of relevant network traffic. One of the techniques LiveAction Vigil uses to define “relevant network traffic” is to capture and store network packets around security alerts from prevention and detection systems.
Cisco FirePower® is a Next Generation Intrusion Prevention System which sets a new standard for advanced threat protection. It integrates real-time contextual awareness, full-stack visibility, and intelligent security automation for industry-leading security effectiveness.
Investigators can use LiveAction Omnipeek™, included with LiveAction Vigil, to view and investigate the original attack.
Making network packet data available to security breach investigations requires preparation, and that’s where LiveAction Vigil comes in.
How it works
LiveAction Vigil analyzes all incoming network traffic against alerts from Cisco FirePower NGIPS. Vigil stores all relevant network packets from five minutes before the alert to five minutes after (or a different time range the user defines), as well as conversations with the IP addresses that triggered the alert. The network security team can use these network packets for immediate investigations, and they are stored for later use.
LiveAction Vigil includes powerful search capabilities for zeroing in on the packets associated with specific alerts. Once security analysts have identified packets of interest, they can export them into a standard pcap format. Omnipeek forensics software, included with LiveAction Vigil, is a superior solution for investigating packets in detail, including examining packet payloads and details of network conversations.
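The retention and search workflow described in this section, as an added illustrative example and not LiveAction's or Cisco's own code: alerts arrive with a timestamp and the endpoints that triggered them, packets inside a configurable window around each alert are kept along with any packet that talks to those endpoints, the kept packets are indexed per alert so they can be searched, and a selection can be written out as a standard pcap file for a tool such as Omnipeek. The `Packet` and `Alert` records, the sample traffic, and the choice to keep endpoint conversations even outside the time window are assumptions made for the example; the pcap writer emits the legacy pcap format with an Ethernet link type.

```python
"""Alert-triggered packet retention with search and pcap export.

Illustrative example only; record formats and the sample data below are
constructed for this demonstration, not taken from any product.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, epoch seconds
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    frame: bytes   # raw frame bytes as captured (constructed here)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    ts: float
    src: str       # IP that triggered the alert
    dst: str       # IP on the other side of the alerting flow
    signature: str # human-readable rule/signature name


def select_for_alert(packets, alert, before=300, after=300):
    """Keep packets from `before` seconds before the alert to `after` seconds
    after it (default five minutes each way), plus every packet that involves
    one of the alert's endpoints. Assumption: endpoint conversations are kept
    even when they fall outside the time window."""
    lo, hi = alert.ts - before, alert.ts + after
    endpoints = {alert.src, alert.dst}
    kept = []
    for p in packets:
        in_window = lo <= p.ts <= hi
        talks_to_endpoint = p.src in endpoints or p.dst in endpoints
        if in_window or talks_to_endpoint:
            kept.append(p)
    return kept


class RetentionStore:
    """Per-alert 'packet environment' index that can be searched later."""

    def __init__(self):
        self._by_alert = {}  # alert_id -> (Alert, [Packet])

    def ingest(self, packets, alerts, before=300, after=300):
        for a in alerts:
            self._by_alert[a.alert_id] = (a, select_for_alert(packets, a, before, after))

    def search(self, ip=None, signature=None):
        """Return alert ids whose retained packets involve `ip` and/or whose
        signature name contains `signature`."""
        hits = []
        for aid, (a, pkts) in self._by_alert.items():
            if signature and signature not in a.signature:
                continue
            if ip and not any(ip in (p.src, p.dst) for p in pkts):
                continue
            hits.append(aid)
        return hits

    def packets(self, alert_id):
        return self._by_alert[alert_id][1]


PCAP_MAGIC = 0xA1B2C3D4     # legacy pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def to_pcap(packets, snaplen=65535):
    """Serialise packets (chronologically) into legacy pcap bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for p in sorted(packets, key=lambda p: p.ts):
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        if usec == 1_000_000:        # guard against rounding up to a full second
            sec, usec = sec + 1, 0
        out += struct.pack("<IIII", sec, usec, len(p.frame), len(p.frame))
        out += p.frame
    return bytes(out)


# Constructed sample traffic: one alert at t=1000 between 10.0.0.5 and 203.0.113.9.
SAMPLE_PACKETS = [
    Packet(500.0, "10.0.0.5", "203.0.113.9", b"\x00" * 14 + b"early-contact"),   # endpoint, outside window
    Packet(800.0, "10.0.0.21", "10.0.0.22", b"\x00" * 14 + b"in-window"),         # unrelated, inside window
    Packet(1000.0, "10.0.0.5", "203.0.113.9", b"\x00" * 14 + b"trigger"),         # the alerting flow
    Packet(1200.0, "10.0.0.30", "10.0.0.31", b"\x00" * 14 + b"in-window-2"),      # unrelated, inside window
    Packet(1400.0, "10.0.0.40", "10.0.0.41", b"\x00" * 14 + b"outside"),          # unrelated, outside window
    Packet(1500.0, "203.0.113.9", "10.0.0.7", b"\x00" * 14 + b"lateral"),         # endpoint, outside window
]
SAMPLE_ALERTS = [Alert("A-1", 1000.0, "10.0.0.5", "203.0.113.9", "EXAMPLE-SIG policy violation")]


def demo():
    """Ingest the sample data and return (kept count, search hits, pcap bytes)."""
    store = RetentionStore()
    store.ingest(SAMPLE_PACKETS, SAMPLE_ALERTS)
    kept = store.packets("A-1")
    return len(kept), store.search(ip="10.0.0.7"), to_pcap(kept)


if __name__ == "__main__":
    count, hits, pcap = demo()
    print(f"retained {count} packets for alerts {hits}; pcap is {len(pcap)} bytes")
```

Of the six sample packets, the one at t=1400 is the only one discarded: it is outside the ten-minute window and touches neither endpoint. The later packet from 203.0.113.9 to 10.0.0.7 survives because of the endpoint rule, which is the part of the retention that lets an investigator follow a conversation beyond the alert itself.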
Security breach investigations can only go so far without access to the original data packets. Packets carry malware infections as binaries, but once reassembled on the server, they can cover their tracks and alter logs to remain undetected. Not only that, but the high volume of network traffic means these suspect packets are only available for a brief time.
LiveAction Omnipeek stores any packets 5 minutes before and after alerts for optimal attack investigation evidence.
Get visibility into:
- packet payloads
- encrypted traffic
- network conversation details
Omnipeek provides powerful packet capture and analytics to give unparalleled visibility into network traffic and its history when it’s needed most. See it in action with a live demo.