Incident Response Solution

The nature of cyber threats and incident response can drive security teams crazy. Just as a cool breeze can become a violent storm in minutes, "normal" traffic can secretly be reaching out to a C&C server in preparation for a DoS attack. We want to believe we're prepared, but are we really? Some IT and network teams claim to be safe; this confidence, however, often reveals their naïveté. Wielding an umbrella and some galoshes can protect you from the rain, but what if lightning strikes?

The Incident

The cyber attack strategy landscape is ever-changing and as a result it is virtually impossible to plan for the next breed of zero-day attack. There will always be an impending incident whether internal or external ranging from:

  • APTs
  • DDoS
  • Data Exfiltration
  • Security Breaches

The list goes on—it almost makes my heartbleed...

Complicating it further, our network environments have evolved exponentially. We don’t just deal with computer workstations anymore; today we also contend with VPN services, BYOD, and BYOC (don’t want these clouds causing a storm, now do we?).

When someone contacts the security team regarding a possible incident, the incident response solution is the first stop. It helps ascertain how dire the incident is—in other words, the security team needs to determine:

  • Frequency
  • Scale
  • Severity
  • Recovery time (and upper management is sure to ask)

What technologies exist that allow IT to follow up on an incident without suffering the same global visibility issues that packet capture has?

The Response

Whether the company’s incident response personnel consist of a lone IT greenhorn or a fully assembled Computer Security Incident Response Team (CSIRT), the Mean Time To Know (MTTK) is a sensitive topic. Because cyber attacks and electronic theft can easily lead to lost income or customers, legal troubles, and expensive fines, we need data that empowers us to make an informed decision on a course of action. Hundreds of thousands of companies are turning to flow data (e.g. NetFlow and IPFIX), which can be collected from existing routers and switches.

Using flow data, an incident response solution can provide 100% data retention of all network communications for years and provide the granular details surrounding the issue. Filtering and drilling down to the exact minute, even if the event occurred several months ago, is a great start when initially investigating the problem. It is often one of the first steps toward resolution. NetFlow and IPFIX allow you to see exactly what communications took place.

Whether your business is a small office shop or a major enterprise, NetFlow and IPFIX can be used to troubleshoot and report on application pain points as well. An incident response solution should include global flow collection capabilities and scale to meet the increasing network dependency needs of your business.

Critical Flow Collection Capabilities

  • A flexible back end: Make sure the incident response system can accept any type of flow: J-Flow, NetStream, AppFlow, sFlow, IPFIX etc.
  • Accepts unique tuples: In other words, make sure the system can report on any type of flow data even if it doesn’t include an IP address, a port, or interface numbers.
  • 100% data retention for over 10 years and the ability to recall any of it within seconds.
  • Flow Analytics: Strive to be proactive. Flow Analytics baselines the data, watches for behavior that deviates from that baseline, and raises a host’s threat index with each deviation; once the index crosses a threshold, an alarm is triggered.
  • Advanced Reporting: It needs to be able to report on 100% of exports from all vendors such as Cisco, Palo Alto, SonicWall, Citrix, Exinda, Juniper, VMware, etc.
  • Distributed Architecture: You might have just one shop now, but if you don’t plan to expand in the future, why are you in business? Distributed collection with reporting in a single interface is a must for large enterprises that can’t afford to send flow data over the WAN.
  • Support for the collection of millions of flows per second. Beware the vendor who sells based on flows per minute.
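To make the two ideas above concrete (drilling down to the exact minute of an incident, and baselining per-host volume so abnormal behavior stands out), here is an added example that is not part of the original post or any vendor’s product. The flow records, the IPFIX-style field layout and the per-minute history are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IPFIX-style records (not from a real network), one tuple per flow:
# (flowStartTime, sourceIPv4Address, destinationIPv4Address,
#  destinationTransportPort, octetDeltaCount)
FLOWS = [
    ("2023-03-14T09:58:10", "10.1.1.20", "203.0.113.9", 443, 1200),
    ("2023-03-14T10:00:05", "10.1.1.20", "203.0.113.9", 443, 800),
    ("2023-03-14T10:00:30", "10.1.1.77", "198.51.100.4", 8443, 950_000),
    ("2023-03-14T10:00:45", "10.1.1.99", "192.0.2.8", 22, 5000),
    ("2023-03-14T10:00:59", "10.1.1.77", "198.51.100.4", 8443, 1_050_000),
    ("2023-03-14T10:01:15", "10.1.1.30", "10.1.1.5", 53, 300),
]

# Constructed per-minute outbound-byte history per host; this is the baseline
# a flow-analytics engine would have learned from months of retained flows.
BASELINE_HISTORY = {
    "10.1.1.20": [900, 1100, 1000, 950, 1050],
    "10.1.1.77": [4000, 4200, 3900, 4100, 3800],
    "10.1.1.30": [250, 300, 280, 320, 270],
}

def flows_in_window(flows, start, end):
    """Drill down to the flows that started inside [start, end), ISO-8601 bounds."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [f for f in flows if s <= datetime.fromisoformat(f[0]) < e]

def bytes_out_per_host(flows):
    """Aggregate octetDeltaCount by source host for the selected window."""
    totals = defaultdict(int)
    for _, src, _, _, octets in flows:
        totals[src] += octets
    return dict(totals)

def baseline_outliers(history, current, sigmas=3.0):
    """Flag hosts whose window volume exceeds mean + sigmas*stdev of their history.
    A host with no history at all is flagged too: an unseen talker is itself notable."""
    flagged = {}
    for host, octets in current.items():
        past = history.get(host)
        if not past:
            flagged[host] = "no baseline for this host"
            continue
        mu, sd = mean(past), pstdev(past)
        if octets > mu + sigmas * sd:
            flagged[host] = f"{octets} B in window vs baseline {mu:.0f} +/- {sd:.0f} B"
    return flagged

if __name__ == "__main__":
    window = flows_in_window(FLOWS, "2023-03-14T10:00:00", "2023-03-14T10:01:00")
    for host, reason in baseline_outliers(BASELINE_HISTORY, bytes_out_per_host(window)).items():
        print(f"ALARM {host}: {reason}")
```

Run against the constructed data, the one-minute window isolates the two large 8443 transfers from 10.1.1.77 (far above its few-kilobyte norm) and the never-before-seen 10.1.1.99, while the routine HTTPS traffic from 10.1.1.20 stays quiet.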

Even with all these proactive measures enacted by the IT department, someday somewhere there will be a window left open in the house.  The storm will wreak havoc and your response will only be as good as the solution reporting on the incident. No security appliance can stop every attack, but an incident response system with all the right traits will minimize the flood.