About a decade ago I was fortunate enough to take a course at SANS on using Snort and tcpdump, taught by Stephen Northcutt, Judy Novak, and Marty Roesch. It was hands-down one of the best courses of any kind that I have ever taken and I’d recommend it for anyone remotely interested in network security. (Note to Stephen: It really works. I did actually jump up and down in my hotel room while reciting the TCP flags, and just like you said, I have never forgotten them).
I was reminded of my experience at SANS when I read the Forbes article by Richard Stiennon about the criticality of packet capture (Is Packet Capture Critical? Heck Yes.) Richard discusses how in the aftermath of the RSA breach, with an audit trail of network activity (and the attackers’ encryption keys), “They were able to de-crypt the network traffic they had recorded, leading to sure knowledge of the severity of the breach.”
Unfortunately, not all organizations have adopted fundamental auditing controls for critical infrastructure—network, file systems, email, etc. As an example, in our recent survey on the state of data protection, less than 20% of organizations claimed to monitor all access to critical collaboration infrastructure (file shares and SharePoint). Auditing activity (network and otherwise) represents an enormous opportunity for organizations not only to improve their response to a breach, but to better prevent breaches (or stop them in action) through automated analysis.
Being without an audit trail is like flying blind. Once I had learned to read and interpret network traffic, I never wanted to be without good auditing again. Not only is auditing an imperative for security, it is a prerequisite for better management. For example, packet capture is critical for debugging or figuring out what the heck is eating up your bandwidth. On the data side, an audit trail helps figure out what data is active or stale, who (if anyone) is using it, and who it may belong to.
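To make the two management questions above concrete, here is an added example (not code from the original post or from any product it mentions) that runs the kind of analysis an audit trail enables. It works over constructed sample data: flow-style summaries of the sort a packet-capture tool exports (source, destination, bytes) to find what is eating bandwidth, and file-access audit events to classify data as active or stale and guess its likely owner. The record formats, hostnames, user names and the 30-day staleness threshold are all assumptions for illustration.

```python
"""Added example: answering "what is eating my bandwidth?" and "which data
is active or stale, and whose is it?" from audit records.  All records below
are constructed sample data; the field layouts are assumptions, not the
export format of any particular tool."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow summaries: (timestamp, source IP, destination IP, bytes).
FLOWS = [
    ("2011-06-01T09:00:00", "10.0.0.5", "10.0.0.1", 1200),
    ("2011-06-01T09:00:05", "10.0.0.7", "10.0.0.1", 850000),
    ("2011-06-01T09:00:09", "10.0.0.5", "10.0.0.2", 3400),
    ("2011-06-01T09:01:00", "10.0.0.7", "10.0.0.9", 420000),
    ("2011-06-01T09:01:30", "10.0.0.8", "10.0.0.1", 2200),
]

# Constructed file-access audit events: (timestamp, user, path, operation).
FILE_EVENTS = [
    ("2011-05-30T10:00:00", "alice", "//fs1/finance/budget.xlsx", "write"),
    ("2011-05-31T11:15:00", "bob", "//fs1/finance/budget.xlsx", "read"),
    ("2011-06-01T08:30:00", "alice", "//fs1/finance/budget.xlsx", "write"),
    ("2011-03-02T14:00:00", "carol", "//fs1/legacy/2009-plan.doc", "read"),
    ("2011-03-03T09:00:00", "dave", "//fs1/legacy/2009-plan.doc", "read"),
    ("2011-03-03T09:05:00", "carol", "//fs1/legacy/2009-plan.doc", "read"),
]

# The "current time" for the staleness check (assumed, to keep the run reproducible).
NOW = datetime(2011, 6, 1, 12, 0, 0)


def top_talkers(flows, n=3):
    """Total bytes sent per source IP, largest first: the bandwidth hogs."""
    totals = Counter()
    for _ts, src, _dst, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)


def data_activity(events, now=NOW, stale_after_days=30):
    """Classify each file as active or stale and guess its likely owner.

    A file is stale if nobody touched it within stale_after_days of `now`.
    The likely owner is the user with the most modifying operations; if no
    one has modified the file, fall back to the most frequent accessor.
    """
    last_seen = {}
    users_by_path = defaultdict(Counter)   # path -> Counter(user -> accesses)
    writes_by_path = defaultdict(Counter)  # path -> Counter(user -> modifications)
    for ts, user, path, op in events:
        when = datetime.fromisoformat(ts)
        last_seen[path] = max(last_seen.get(path, when), when)
        users_by_path[path][user] += 1
        if op in ("write", "create", "delete"):
            writes_by_path[path][user] += 1

    report = {}
    for path, seen in last_seen.items():
        stale = now - seen > timedelta(days=stale_after_days)
        # An empty Counter is falsy, so a never-modified file falls back to readers.
        owner = (writes_by_path[path] or users_by_path[path]).most_common(1)[0][0]
        report[path] = {
            "status": "stale" if stale else "active",
            "last_seen": seen.isoformat(),
            "likely_owner": owner,
            "users": sorted(users_by_path[path]),
        }
    return report


if __name__ == "__main__":
    print("Top talkers (bytes sent):")
    for ip, total in top_talkers(FLOWS):
        print(f"  {ip:<12} {total:>10,}")
    print("\nData activity:")
    for path, info in data_activity(FILE_EVENTS).items():
        print(f"  {path}: {info['status']}, last seen {info['last_seen']}, "
              f"likely owner {info['likely_owner']}, users {info['users']}")
```

The same two functions work unchanged on real exports once the tuples are built from your capture tool's or file server's audit log; the point is that without the recorded trail neither question can be answered at all.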
In IT and security, we will always have days where we ask, “What happened?” An audit trail, and people who know how to read it, are our only hope of knowing what happened, and our only hope of learning how to prevent it from happening again.