– With tough financial penalties on data breached businesses, firm believes Network Forensics are the Crown Jewel of the “Cyber Kill Chain” for when, not if, an attack occurs –

 Corvil is highlighting that network forensics intelligence – especially user-centric intelligence – is a critical cyber defence weapon for remediating issues before they escalate and avoiding future attacks.

In today’s sophisticated and evolving cyber threat landscape, research^[1] shows the odds are stacked against businesses with a staggering one in four chance of having a breach.  Increasingly hacker-controlled machines inside the perimeter are accounting for the overwhelming majority of attacks^[2].  Attackers are not only infiltrating the corporate network, according to new Verizon research^[3], as much as 68 percent remain undiscovered for months.

Even when overburdened security teams detect suspicious behaviour, the investigation process is arduous and often inconclusive.  Security teams often lack the context and data dimensions to identify the source systems and accounts used in the account, the data read or exfiltrated, and the additional footholds left behind.   Further, with the increase in data privacy regulations and requirements for prompt breach notification, Security teams are under added pressure to provider greater oversight, controls and to shorten investigation and impact determination timeframes.

Traditionally, digital forensics is enlisted after an incident, such as Facebook’s recent appointment of cybersecurity firm Stroz Friedberg to investigate the Cambridge Analytica data breach storm which has wiped almost $37 billion^[4] off its market value. It is at this stage that many organisations discover their available data sources are shallow, fragmented and incapable of providing timely answers to queries.  However, in this climate of increasing regulation, while likelihood of an attack is high, certainty of engagement by internal auditors or regulators is absolute. This requires Security teams to assume a posture of having answers for questions that have not yet been asked about behaviours of users, devices, and applications.

Corvil, believes deep network forensics, incorporating user, host, and communication payload analysis is a critical step for gaining transparency into the “Black Box” of what is happening across a network or of an attack.   Continuously monitoring, gathering and examining “evidence” to utilise as a remediation tool can significantly bolster security teams’ incident response preparedness and ability to respond to internal and external compliance teams.

“When reputation, and sometimes existence, are at stake, the speed with which an organisation can recognise, analyse, and respond to an incident will limit the damage and ultimately lower the cost of recovery,” says David Murray, Corvil Chief Marketing and Business Development Officer. “Insights derived from granular visibility enable security teams to rapidly investigate, isolate and identify remediations for vulnerabilities to reduce the impact of an incident and prevent future incidents. By accelerating investigation and response times, firms gain an enormous advantage over attackers.”

The stakes are high for breached businesses as illustrated by Health insurer Anthem Inc. who settled a record $115 million lawsuits for a breach that affected 78.8 million people. Corvil believes with incoming EU General Data Protection Regulation (GDPR), that stipulates breach fines of up to four percent of global annual turnover and a seventy-two hour breach notification rules, firms need to radically rethink security priorities.

“Unfortunately, breaches are an inevitable consequence of digital business.  Network forensics that correlates user, host, and application activity is a critical capability to enable effective hunting of cybercriminals within an environment. Remediation technology and integration with the wider cyber-protection ecosystem is equally as important in planning and implementing an effective risk, compliance, and cybersecurity fabric,” concludes Murray.

Corvil recently launched user-centric network traffic analysis for accelerated insider threat detection and response. The solution automatically provides security analysts with a unified view of user identity, host and network activity in one system.