Accelerate Incident Response
Many network systems and applications generate logs, which internal policies or industry and government regulations prescribe must be collected, reviewed and stored. Depending on the size of the network and the number of servers and applications, this can generate millions of logs per second. Some network devices generate upwards of 180 different logs each, some of which do not relate to security. Well-defined protocols, such as syslog and SNMP, transport this data to a repository for review or archive it for the future. Administrators can then reference logs for troubleshooting, forensic investigation, compliance audits and incident response. Recently the Payment Card Industry (PCI) mandated comprehensive log collection, confirming that disabling the generation of certain types of logs will result in non-compliance. Logs in their raw form are redundant, and each vendor's log format is unique. Transforming logs into events requires a variety of tools that parse and then normalize the logs, making them easier to understand. Once logs are parsed and normalized, review takes less time and the most important logs are reached sooner.
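As an added illustration of the parsing and normalization step described above (example code written for this page, not Lancope's or any vendor's tooling), the Python below maps two constructed syslog formats onto one event schema, collapses repeated lines, and surfaces the entries worth reviewing first. The key=value firewall format and all sample lines are invented for the example; the sshd lines only follow the standard OpenSSH message layout.

```python
import re
# Constructed sample lines (not from real devices): key=value firewall style for fw1, OpenSSH sshd style for srv2.
SAMPLE_LOGS = [
    "<134>Jan 12 10:01:02 fw1 FW-6-ALLOW: proto=tcp src=10.0.0.7:51515 dst=203.0.113.5:443 rule=outbound",
    "<132>Jan 12 10:01:05 fw1 FW-4-DENY: proto=tcp src=198.51.100.9:4444 dst=10.0.0.7:22 rule=outside_in",
    "<132>Jan 12 10:01:05 fw1 FW-4-DENY: proto=tcp src=198.51.100.9:4444 dst=10.0.0.7:22 rule=outside_in",
    "<38>Jan 12 10:01:07 srv2 sshd[2211]: Failed password for root from 198.51.100.9 port 40122 ssh2",
    "<38>Jan 12 10:01:09 srv2 sshd[2211]: Accepted password for alice from 10.0.0.20 port 40200 ssh2",
    "<30>Jan 12 10:01:10 srv2 cron[900]: (root) CMD (run-parts /etc/cron.hourly)",
]

# RFC 3164 layout: <PRI>TIMESTAMP HOST TAG[PID]: MSG; severity is PRI mod 8.
HEADER = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: (.*)$")
KV = re.compile(r"(\w+)=(\S+)")
SSH = re.compile(r"^(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def normalize(line):
    """Map one raw syslog line onto a vendor-independent event dict (None if unparseable)."""
    m = HEADER.match(line)
    if not m:
        return None
    pri, ts, host, tag, msg = m.groups()
    ev = {"ts": ts, "host": host, "severity": int(pri) % 8,
          "category": "other", "action": "info", "src_ip": None, "dst_ip": None, "user": None}
    if tag.startswith("FW-"):                       # constructed firewall format
        kv = dict(KV.findall(msg))
        ev.update(category="acl", action="deny" if tag.endswith("DENY") else "allow",
                  src_ip=kv.get("src", "?").split(":")[0], dst_ip=kv.get("dst", "?").split(":")[0])
    elif tag == "sshd" and (s := SSH.match(msg)):   # OpenSSH authentication messages
        outcome, user, src = s.groups()
        ev.update(category="auth", action="success" if outcome == "Accepted" else "failure",
                  src_ip=src, dst_ip=host, user=user)
    return ev

def dedupe(events):
    """Collapse consecutive identical events (raw-log redundancy) into (event, count) pairs."""
    out = []
    for ev in events:
        if out and out[-1][0] == ev:
            out[-1] = (ev, out[-1][1] + 1)
        else:
            out.append((ev, 1))
    return out

def triage(lines):
    """Parse, deduplicate, and return only the events a reviewer should look at first."""
    events = [ev for ev in map(normalize, lines) if ev]
    hot = {("acl", "deny"), ("auth", "failure")}
    return [(ev, n) for ev, n in dedupe(events) if (ev["category"], ev["action"]) in hot]
```

Running `triage(SAMPLE_LOGS)` reduces the six raw lines to two normalized entries: the denied connection to port 22 (seen twice) and the failed root login from the same source.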
The amount of time to deal with a worm outbreak is substantially shorter. It’s a great tool for helping us get the word out. If we didn’t have StealthWatch, I’m not sure that we could clean off the worm entirely, maybe a month? Now, in most cases, it takes less than a day to mitigate a worm issue. Without StealthWatch, I’m confident that we’d still be fighting with the worm that first appeared on our network several weeks ago.
(Media Company)
Problem
Though enabling log acquisition, storage and review is a PCI mandate, log acquisition alone does not translate into sustained and comprehensive log analysis. The fact remains, deriving value from terabytes of stored logs remains difficult.
“Only 28% stated that log collection and analysis tools were helpful for correlating, analyzing and responding to threats.” 1
“Even at rates of five to 10 events per second – which are quite low by enterprise standards – you’re looking at numbers exceeding 400,000 events per day, a load that will crush even the most battle hardened of security geeks.” 2
In fact, recently released data in the Verizon business review is very telling:
- Only 4% of breaches were discovered by event monitoring or log analysis
- 87% of breaches could have been prevented by reasonable measures any company should have been capable of implementing or performing
- Logging everything creates sufficient work for several analysts daily
“In 82% of the breaches in the study, the evidence was manifested in their logs, or for some reason (were frustrated, tired, overwhelmed by the logs, found them to be not-interesting, felt they were too noisy after a few days or weeks) [the operators] simply quit looking . . .” 3
Companies are left wondering, “Isn’t there a more efficient and strategic way of tapping the value contained within log data? How can I quickly narrow my team’s focus to home in on the most relevant log data for the most important problems at hand?”
A Quick Clue
Organizations require a solution that provides a “quick clue” as to what is happening on their network and where. This “quick clue” would identify specifically where the problem exists. Once the location is identified, the appropriate log data can be brought to bear to resolve the network incident. Furthermore, by enabling more focused problem solving, more problems can be resolved, reducing overall network risk.
Lancope’s StealthWatch® System provides the quick clue, the focus to accelerate response. As prescribed by Gartner, Network Behavior Analysis (NBA) systems are effective at providing a “quick clue to help an organization catch an infection early and limit the impact.” Notably, NBA systems are not intended to supplant security event or log management tools, but rather to complement them by launching an investigation into the network events and incidents most likely to impact network service and availability.

StealthWatch monitors network traffic, providing such statistics as interface utilization, top talkers, traffic composition and historical trends, making it an ideal solution for promoting network health and optimizing the end-user experience.