Incident response requires forensics and storage
- By William Jackson
- Aug 20, 2014
Dealing with insider threats, as in dealing with any threat to your network, requires a plan for incident response. An effective response includes forensics, and forensics and storage go hand in hand.
When a breach is discovered investigators need data to determine what happened, when it happened and how it happened, said Claire Giordano, senior director of emerging storage markets at Quantum Corp. There’s no option of going back in time to gather the data after the fact.
With the window of time between a compromise and its discovery widening, the amount of storage needed to accommodate this data is becoming greater.
“It’s not unusual for our customers to store petabytes,” Giordano said. “They are making decisions about the trade-off between risk and costs,” and the decisions now are tipping in favor of security even when it means paying for more storage.
According to the latest Verizon Data Breach Investigation Report, 85 percent of breaches investigated over the last 10 years were accomplished in a few days or less, while their discovery often took months. In cases of insider misuse, 22 percent of incidents took weeks to discover, 11 percent took months and 2 percent took a year or more.
That adds up to a lot of data that must be combed through to discover what happened. A single 10-gigabit bidirectional link can generate up to 200 terabytes of data a day.
There are compromises that can be made to help reduce the cost of storing all of this data for forensics investigation. Storage technologies that are fast, such as flash and traditional high-performance spinning disks, also tend to be the most expensive. Less speedy options, such as object-based storage and tape, are more affordable. One size does not fit all, and Giordano recommends a tiered storage plan that takes advantage of different technologies according to needs.
During an investigation, data should be accessible with a minimum of latency, which favors the use of faster, more expensive systems. But long-term storage of data that is not being actively used can be done with less expensive systems. The data still is there; when and if it is needed, it can be moved to a faster system for use by forensic tools.
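The capture-volume and tiering reasoning above can be turned into a small capacity planner. The following is an added example, not code from the article or from Quantum; the link rate comes from the article, while the tier names and retention windows (7 days on flash, 30 on disk, the remainder of a year on object storage or tape) are assumptions chosen for illustration:

```python
"""Capacity planning for tiered retention of forensic capture data (added example)."""
from dataclasses import dataclass
from typing import List, Optional

BITS_PER_BYTE = 8
SECONDS_PER_DAY = 86_400
TB = 10 ** 12  # decimal terabytes, as storage vendors quote capacity


def daily_capture_bytes(link_gbps: float, bidirectional: bool = True,
                        utilisation: float = 1.0) -> float:
    """Bytes written per day when capturing a link at the given utilisation.

    A 10 Gbit/s link captured in both directions at full rate gives about
    216 TB/day, which matches the article's "up to 200 terabytes" figure.
    """
    directions = 2 if bidirectional else 1
    bytes_per_second = link_gbps * 1e9 / BITS_PER_BYTE * directions * utilisation
    return bytes_per_second * SECONDS_PER_DAY


@dataclass
class Tier:
    name: str
    retention_days: int  # how many days of data this tier holds before ageing out


def tier_capacities_tb(tiers: List[Tier], daily_bytes: float) -> dict:
    """Capacity each tier must provide, assuming data ages through tiers in order."""
    return {t.name: t.retention_days * daily_bytes / TB for t in tiers}


def tier_holding(tiers: List[Tier], age_days: int) -> Optional[str]:
    """Which tier still holds data from `age_days` ago, or None if it has been discarded.

    Useful for checking the plan against discovery delays: a breach found a
    month after the compromise must still have its traffic on some tier.
    """
    boundary = 0
    for t in tiers:
        boundary += t.retention_days
        if age_days < boundary:
            return t.name
    return None


# Assumed tier layout covering one year of captured traffic (hypothetical values).
PLAN = [Tier("flash", 7), Tier("disk", 30), Tier("object_or_tape", 365 - 37)]


def example_plan() -> dict:
    """Size the assumed plan for one fully utilised 10 Gbit/s bidirectional link."""
    daily = daily_capture_bytes(10)
    return tier_capacities_tb(PLAN, daily)


if __name__ == "__main__":
    for name, tb in example_plan().items():
        print(f"{name:>15}: {tb:8.0f} TB")
    for age in (3, 20, 100, 400):
        print(f"data from {age:3d} days ago is on: {tier_holding(PLAN, age)}")
```

Lowering `utilisation` or capturing only flow metadata instead of full packets changes `daily_capture_bytes`, and everything downstream scales with it; the retention windows are where the risk-versus-cost decision the article describes actually gets made.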
Forensics will not prevent a breach. A determined insider is particularly difficult to protect against. But timely and effective response can help to mitigate the impact of a compromise, and knowing how it happened can help defend against it in the future.
William Jackson is a freelance writer and the author of the CyberEye blog.