Time and space are two of the costliest resources for any organization. That explains why few can or will invest in what’s needed to capture and retain the billions of bytes of data that travel across their networks every minute.
Were it not for these limitations, threat hunters could summon the ultimate witness, one that never lies, and one that never lets them down: a perfect and infinite memory of the network. Having that depth of knowledge could give in-house threat hunters a serious advantage, like knowing for sure if and when adversaries had ever penetrated their perimeter or pilfered sensitive data.
Of course, threat hunters can use other techniques like log analysis, but that assumes the information in log files is useful in the first place. Often, logging levels aren't configured to capture much of value, and even well-configured logs provide limited context.
So logs might tell you that something happened ("Hey, an email was sent!"), but not much else ("And it was filled with trade secrets!"). And an attacker who gains control of a host can erase or modify its local logs, removing any trace of what was done. Shipping logs to a separate collector as they are written limits that tampering, but it cannot add context that was never logged.
A perfect memory of the network, on the other hand, is captured out of band: an attacker who owns a host cannot reach back and alter what that host already sent on the wire. (The capture store still needs its own access controls and write-once retention so that it stays that way.) It unlocks new threat hunting techniques, above all the ability to review the details of any point in time and unravel even the most convoluted tales.
According to a 2017 survey by Crowd Research, the average dwell time of a data breach is still around five months. With total recall of the network going back as far as you need, exposure to a newly disclosed zero-day could be assessed almost instantly.
As soon as news of a zero-day breaks and indicators for its exploitation are published, analysts could search the stored traffic for any prior exploitation, including activity that predates the disclosure, buying security teams the critical time they need to mitigate risk. And if no trace is found, they could tell executive teams with confidence that the organization, and its stakeholders, had not been affected. That statement is only as strong as the retention window and the indicators searched for, so both should be stated alongside it.
How many security teams would love to have confidence in a statement like that?
Build a Rich Body of Forensic Evidence
Zero-days aren't known until they're known, though, and threat hunters are detectives at heart. So when experience and intuition give way to suspicion, a perfect memory of the network gives threat hunters a tremendous body of evidence against which to run complex queries and test their hypotheses. Without a deep set of high-fidelity network data, or with only a short retention window, threat hunters and security analysts are left blind.
Validate Your Custom Threat Intel
Many enterprises curate threat intel from internal and external, public and private sources, and some produce their own custom intel. How do you know whether the quality of these feeds is worth your time or your money? A perfect memory of your network gives you a comprehensive body of data against which to validate each feed: which indicators ever appeared in your traffic, when they first appeared, which hosts touched them, and how many of the hits turned out to be benign.
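The two uses above (searching stored traffic for indicators once they become public, and measuring how much of a feed ever matches your network) are the same query run for different purposes. The script below is an added example written for this post, not code from the original page or from any product it describes. It assumes the "perfect memory" can be queried as flow-style records (timestamp, source, destination, port, server name); the records, the feeds and their publication dates are all constructed for the demonstration.

```python
"""Retrospective indicator search and feed scoring over stored network records.

Added example, not from the original post. The record format, the feeds and
the traffic below are constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow/DNS-style records: (UTC timestamp, src ip, dst ip, dst port, server name)
RECORDS = [
    ("2019-03-02T09:15:00", "10.0.1.23", "203.0.113.7", 443, "updates.example-cdn.net"),
    ("2019-03-04T22:41:10", "10.0.2.8", "198.51.100.44", 8443, "c2.bad-example.org"),
    ("2019-03-05T03:12:44", "10.0.2.8", "198.51.100.44", 8443, "c2.bad-example.org"),
    ("2019-03-09T11:00:05", "10.0.1.23", "192.0.2.10", 80, "www.example.com"),
    ("2019-03-20T17:26:30", "10.0.3.77", "198.51.100.44", 443, "cdn.bad-example.org"),
]

# Constructed feeds: indicator -> date on which the feed published it.
# The publication date is what makes the search retrospective: any match
# before that date is exposure the feed could not have warned you about.
FEEDS = {
    "vendor-feed": {
        "198.51.100.44": "2019-03-15",
        "c2.bad-example.org": "2019-03-15",
        "203.0.113.250": "2019-02-01",
        "evil.example.net": "2019-02-01",
    },
    "internal-feed": {
        "192.0.2.10": "2019-01-10",
        "cdn.bad-example.org": "2019-03-18",
    },
}


def _ts(s):
    return datetime.fromisoformat(s)


def find_hits(records, indicators):
    """Map each indicator to the records whose destination IP or server name matches it."""
    hits = defaultdict(list)
    for rec in records:
        _, _, dst_ip, _, name = rec
        for key in {dst_ip, name}:
            if key in indicators:
                hits[key].append(rec)
    return dict(hits)


def retro_hunt(records, indicators):
    """For every indicator, report match count, affected hosts, first/last seen,
    and how many matches predate the indicator's publication."""
    hits = find_hits(records, indicators)
    report = {}
    for ind, published in indicators.items():
        matches = sorted(hits.get(ind, []))  # ISO timestamps sort chronologically
        pre = [r for r in matches if _ts(r[0]) < _ts(published)]
        report[ind] = {
            "matches": len(matches),
            "hosts": sorted({r[1] for r in matches}),
            "first_seen": matches[0][0] if matches else None,
            "last_seen": matches[-1][0] if matches else None,
            "pre_disclosure": len(pre),
        }
    return report


def score_feed(records, indicators):
    """Measure a feed against the stored network history: how many of its
    indicators ever appeared at all, and which never did."""
    hits = find_hits(records, indicators)
    matched = [i for i in indicators if i in hits]
    return {
        "indicators": len(indicators),
        "matched": len(matched),
        "match_rate": len(matched) / len(indicators) if indicators else 0.0,
        "never_seen": sorted(i for i in indicators if i not in hits),
    }


if __name__ == "__main__":
    for feed_name, indicators in FEEDS.items():
        print(f"== {feed_name}: {score_feed(RECORDS, indicators)}")
        for ind, row in retro_hunt(RECORDS, indicators).items():
            if row["matches"]:
                print(f"  {ind}: {row}")
```

In the constructed data, `198.51.100.44` is contacted twice before the vendor feed publishes it and once afterwards, which is exactly the "did it hit us before anyone knew?" question from the previous section. A high `match_rate` is not automatically good: a feed whose indicators all match may be listing popular benign infrastructure, so the hits still need the analyst's judgment before the feed is trusted.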
Refine Machine Learning Detection Continuously
Some security products tout their ability to use machine learning and artificial intelligence to detect threats. That’s all well and good, but no two organizations are alike. And internally, different groups like marketing staff, executives, and engineers don't all behave the same way either; they use different software and visit different websites.
Unsupervised machine learning can group user activities based on historical behavior patterns, which produces better baselines for what your organization might consider "normal" activity. As more network data is collected, analyzed, and classified, those baselines can be retrained on the growing history rather than on a one-time snapshot.
When applied to a perfect memory of your network, those baselines can also be used to re-score past behavior: activity that looked normal when it was first seen may stand out against the baseline you have today.
Make Your Network Memorable
A perfect memory of your network gives analysts and threat hunters more and higher-quality data, but it also requires a ton of storage. The impracticality and cost-prohibitive nature of traditional packet capture (PCAP) used to mean organizations had to choose between spending more or storing less.
That makes the cloud a natural place to keep a perfect memory of your network: object storage is elastic, priced per byte stored rather than per appliance, and can be provisioned in minutes. It's also why CISOs face growing pressure from cost-saving corporate mandates to move operations to the cloud today, not tomorrow.
Get ahead of this trend now by investing in security that is built for the cloud and runs in the cloud. With a secure, all-cloud environment, time and space are two fewer worries, and you can go ahead and forget them.