New tests, performed in 2016, on stored samples resulted in the International Olympic Committee stripping more than a dozen athletes of medals they won in the 2008 and 2012 Olympic Games. While it was difficult to stop these athletes from competing, decoding the masking technology employed at that time ultimately resulted in successful convictions based on the illegal substances used by these athletes.

Network traffic is the equivalent of those samples for organizations that want to learn from past cyber attacks and prevent future ones. The network is the source of truth and a modern approach to network security analytics could surface the vast majority of cyber attacks, including multi-staged advanced attacks that are undetectable by current point product defenses. Creative approaches can also deliver visibility about threat activity across all network segments that constitute the modern day network: on-premise, public and private cloud, and industrial environments.

Unfortunately, organizations are either not retaining network traffic at all or not retaining it with the intent to analyze it for security value (a.k.a. security analytics). Unrewarding experiences with legacy security analytics products are to blame. They are difficult to deploy, configure and support, and a median breach detection window of 146 days makes it prohibitively expensive to retain PCAP data for long enough to be valuable. Most of these products can’t adapt to constantly changing attack techniques, generating excessive false alarms and making security analysts’ jobs tougher.

Fortunately, there is good news for organizations that need network forensics. A modern approach to security analytics will solve the problem of limited or no visibility into past attacks. Fundamental to this approach is the Cloud, which provides unconstrained processing power that supports the following:

Advanced analysis techniques such as machine learning, where models have been trained on billions of attributes, and correlation of multiple IOCs (intrusion detection signatures, reputation and human intelligence) with customer-specific event modeling, threat intel and heuristics. Effective real-time detection of “unknown attacks”, i.e., cybercriminals using not-yet-identified attack techniques, becomes possible.

Rapid search and advanced visualization tools to help threat hunters, the main consumers of security analytics, avoid the pointlessness of blindly looking through data.

The Cloud also makes it easy to collect network traffic from any segment of the modern-day network and provides a potentially unlimited retention window without introducing high costs or unwieldy infrastructure. When advanced analysis techniques are applied to this unlimited historical record, a process called “retrospective analysis”, organizations realize tremendous benefits.

Automated Detection of Past Attacks

When new information about performance-enhancing supplements becomes available, the International Olympic Committee can go back to their stored samples to check for past violations. In a similar vein, as new threat intel about how criminals are exploiting vulnerabilities becomes available, retrospective analysis automatically replays historical PCAP data to discover threats that were previously missed and generates security events, if necessary. If set up as a continuous process, retrospective analysis reduces adversary dwell time, as it reliably detects the attack in the early stages of The Cyber Kill Chain. Automated detection whose results are easily verifiable via supporting forensic evidence is a boon for short-staffed security teams. Additionally, the unlimited retention window means that if no trace of a zero-day attack is found, analysts can confidently let company execs know that the organization was not impacted. Which exec wouldn’t want this? Legacy security analytics products cannot provide this confidence.
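To make the replay concrete, here is an added example (not code from the original post or from any product it describes) that re-evaluates an archive of retained connection metadata against a newly received IOC feed, emits an event per match, and reports how many days each host had already been exposed when the intel arrived. The archive records, IOC values and campaign names are all constructed placeholders.

```python
from datetime import date

# Constructed archived connection metadata standing in for the index over a retained
# PCAP store. Addresses are documentation ranges; the hash is a placeholder.
ARCHIVE = [
    {"ts": "2016-09-03T11:20:00", "src": "10.1.4.22", "dst": "203.0.113.45",
     "domain": "update-cdn.example", "sha256": None},
    {"ts": "2016-09-03T11:21:07", "src": "10.1.4.22", "dst": "203.0.113.45",
     "domain": "update-cdn.example", "sha256": "PLACEHOLDER_SHA256_DROPPER"},
    {"ts": "2016-10-14T08:02:13", "src": "10.1.9.8", "dst": "198.51.100.7",
     "domain": "mail.example.org", "sha256": None},
]

# Constructed threat-intel feed that arrived months after the traffic was captured.
NEW_INTEL = [
    {"type": "ip", "value": "203.0.113.45", "published": "2017-01-20",
     "name": "placeholder-campaign-A"},
    {"type": "sha256", "value": "PLACEHOLDER_SHA256_DROPPER", "published": "2017-01-20",
     "name": "placeholder-campaign-A"},
]

# Which archived field each IOC type is matched against.
FIELD_FOR_TYPE = {"ip": "dst", "domain": "domain", "sha256": "sha256"}

def replay(archive, intel):
    """Re-evaluate every archived record against newly received IOCs.

    Returns one event per (record, IOC) match, including the number of days the
    activity had already been sitting in the archive when the intel was published.
    An empty result is the evidence-backed "no trace found" answer.
    """
    index = {(i["type"], i["value"]): i for i in intel}
    events = []
    for rec in archive:
        for ioc_type, field in FIELD_FOR_TYPE.items():
            ioc = index.get((ioc_type, rec[field])) if rec[field] else None
            if ioc is None:
                continue
            seen = date.fromisoformat(rec["ts"][:10])
            published = date.fromisoformat(ioc["published"])
            events.append({"host": rec["src"], "ioc": ioc["value"],
                           "campaign": ioc["name"], "first_seen": rec["ts"],
                           "days_before_intel": (published - seen).days})
    return events

def dwell_by_host(events):
    """Longest exposure per host: days between its earliest matching sighting and the intel."""
    dwell = {}
    for e in events:
        dwell[e["host"]] = max(dwell.get(e["host"], 0), e["days_before_intel"])
    return dwell
```

Run continuously, each new feed is replayed over the whole archive, so the events carry the original timestamps rather than the day the intel happened to arrive.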

More Effective Threat Hunting

Threat hunting is an analyst-driven process, meant to find issues that aren’t identifiable via automated attack detection mechanisms. Instead of waiting to respond to a security event or new threat intel, hunters actively search in order to mitigate or prevent damage from threats. But these skilled analysts will be stymied if there is a lack of data, which is why easy access to unlimited forensic evidence, made possible via a modern approach to security analytics, is a huge leap forward for them.

But a modern approach presents another way for threat hunters to raise their game. Data must be enriched with helpful contextual information, as threat hunters need to pivot from individual pieces of data into links and correlations that ultimately reveal the threat. Advanced analysis techniques provide that enrichment, correlating vast troves of data; applying machine learning on historical data to derive interesting tidbits that help inform other analysis; and distilling useful knowledge via analysis of potentially competing sources of information.

A wealth of information — data enriched with results of analytics and easy access to full fidelity PCAP data — that is available as far back in time as needed enables superior threat hunting. And when you consider that a modern approach maximizes data collection, capturing network traffic from any network segment — on-premise, public and private cloud, and Industrial Control System (ICS) networks — threat hunting teams can suddenly provide organizations with visibility that’s far beyond what legacy products can.

According to a December 2016 Security Analytics survey report, 30% of respondents couldn’t tell if their organization had been breached. That number would be much higher if the respondents were being honest with themselves. Organizations haven’t been retaining the evidence (i.e., the PCAP data) for the length of time necessary to irrefutably prove that a breach didn’t happen. Fortunately, they now have options to do so with a modern approach to security analytics that provides automatic detection of past attacks and enables far superior threat hunting.