Earlier this month yet another major corporation reported that hackers had breached its firewall and accessed information on millions of customers. This time it was JPMorgan Chase, and luckily the breach was discovered quickly, with no confidential information reported taken.
“Security vendors and practitioners need to develop better products and processes that automate ongoing analytical tasks, similar to the actions taken by JPMorgan Chase’s security analysts,” wrote WIRED magazine in a story covering the breach. “Products need to more accurately identify known breaches and eliminate the huge volume of noise produced by traditional security defense infrastructure.”
The “noise” of traditional security defenses may be on the rise, often in the form of alerts that include false positives for intrusions or malicious code. Once a breach has been discovered, however, tracing the hacker’s digital footprints means examining every packet that made it past the data center firewall and everything that was deposited into back-end storage systems.
For this reason, a good storage strategy is key to cybersecurity forensics once an intrusion has been detected. Packet-capture and recording software should have policies that trigger the allocation of scale-out storage pools on demand, whether on premises or in the cloud.
WildPackets estimates that capturing all traffic on a fully utilized 1G network (or on a 10G network carrying 1Gbps) produces about 11TB of data per day; a fully utilized 10G network produces ten times that, about 110TB per day.
An enterprise with a dedicated 100TB storage appliance could therefore look back almost 24 hours on a fully utilized 10G network (100TB at 110TB per day is roughly 22 hours). If the breach occurred during the past week or even month, the storage requirements grow quickly and can outstrip the allocated storage, depending on what security compliance policies the enterprise has in place.
Investigating captured network traffic around the clock, with the ability to go far back in time and with policies that purge data at set intervals such as 30, 60 or 90 days, calls for a scale-out Software Defined Storage strategy and architecture.
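The sizing arithmetic behind the figures above (capture volume per day, how far back a given appliance lets an investigator look, and what a 30/60/90-day purge policy actually requires) is worth having as a reusable calculator. The following is an added example written for this post; it is not code from OSNEXUS, QuantaStor or WildPackets. It assumes decimal units (1TB = 10^12 bytes), which is the convention that reproduces WildPackets’ 11TB/day figure for a saturated 1Gbps link, and it treats pcap headers, flow indexes and filesystem metadata as a single optional overhead multiplier, since the post gives no figure for them.

```python
"""Packet-capture storage sizing for a forensic retention policy.

Added example, not code from the original post or from OSNEXUS/WildPackets.
Units are decimal: 1 TB = 10**12 bytes. A saturated 1 Gbps link then works
out to 10.8 TB/day, which is the "11 TB" figure quoted in the post.
"""
from dataclasses import dataclass
from typing import List, Sequence

SECONDS_PER_DAY = 86_400
TB = 10**12


def capture_tb_per_day(link_gbps: float, utilization: float = 1.0,
                       overhead: float = 1.0) -> float:
    """TB written per day when every packet on a link is captured.

    utilization: fraction of line rate actually carrying traffic (0..1).
    overhead:    multiplier for per-packet pcap headers, flow indexes and
                 filesystem metadata. 1.0 means raw wire bytes only; the
                 real value is deployment-specific (assumption, not a figure
                 from the post).
    """
    if not 0.0 <= utilization <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    if link_gbps <= 0 or overhead < 1.0:
        raise ValueError("link_gbps must be positive and overhead >= 1.0")
    bytes_per_day = link_gbps * 1e9 / 8 * utilization * SECONDS_PER_DAY
    return bytes_per_day * overhead / TB


def lookback_hours(capacity_tb: float, link_gbps: float,
                   utilization: float = 1.0, overhead: float = 1.0) -> float:
    """Hours of history a ring-buffer capture of capacity_tb retains
    before the oldest packets are overwritten."""
    per_day = capture_tb_per_day(link_gbps, utilization, overhead)
    return capacity_tb / per_day * 24.0


def capacity_for_retention(retention_days: int, link_gbps: float,
                           utilization: float = 1.0,
                           overhead: float = 1.0) -> float:
    """TB needed to keep retention_days of capture on disk until the
    purge policy deletes it."""
    return capture_tb_per_day(link_gbps, utilization, overhead) * retention_days


@dataclass(frozen=True)
class RetentionCheck:
    """Result of testing one purge interval against an appliance size."""
    retention_days: int
    required_tb: float
    capacity_tb: float

    @property
    def sufficient(self) -> bool:
        return self.capacity_tb >= self.required_tb

    @property
    def shortfall_tb(self) -> float:
        return max(0.0, self.required_tb - self.capacity_tb)


def check_policy(capacity_tb: float, link_gbps: float,
                 policies: Sequence[int] = (30, 60, 90),
                 utilization: float = 1.0,
                 overhead: float = 1.0) -> List[RetentionCheck]:
    """Evaluate each purge interval (days) against a fixed capacity, so a
    storage pool can be sized, or flagged for scale-out, before a breach."""
    return [
        RetentionCheck(days,
                       capacity_for_retention(days, link_gbps, utilization, overhead),
                       capacity_tb)
        for days in policies
    ]


if __name__ == "__main__":
    # Reproduce the numbers quoted in the post.
    print(f"1 Gbps saturated:   {capture_tb_per_day(1):.1f} TB/day")
    print(f"10 Gbps saturated:  {capture_tb_per_day(10):.1f} TB/day")
    print(f"100 TB appliance on saturated 10 Gbps: "
          f"{lookback_hours(100, 10):.1f} hours of lookback")
    # A 100 TB appliance against a 30/60/90-day purge policy on 10 Gbps.
    for check in check_policy(100, 10):
        status = "ok" if check.sufficient else f"short by {check.shortfall_tb:.0f} TB"
        print(f"{check.retention_days:3d} days: need {check.required_tb:.0f} TB, {status}")
```

Running it shows why the post moves from a fixed appliance to scale-out storage: the same 100TB that covers roughly 22 hours on a saturated 10G link is several petabytes short of even the 30-day policy, and the gap only grows with the overhead multiplier once indexes and pcap framing are included.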
Cybersecurity forensic examiners also need to be notified when recording to a dedicated storage pool starts or stops in response to a known breach or to malicious code that has made it past the data center firewall.
QuantaStor has script call-outs that can be used to extend the functionality of OSNEXUS SDS appliances and integrate them with custom applications, including packet-capture software and network-monitoring appliances.
In our next post on the topic of Cybersecurity Forensics and Software Defined Storage we’ll outline best practices for continuous data capture in the event of a security breach.