Security Incident! Revealing Every Nefarious Network Event and Rising to the Challenge of Compliance
By: Stephen Condon
December 4, 2023
It's an opportune moment to reflect on the dynamic landscape of cybersecurity and the critical role of being able to scrutinize network traffic. In an era where data breaches and cyber threats are on the rise, organizations must not only bolster their defenses but also stay abreast of evolving regulatory requirements. This blog post delves into the importance of analyzing network traffic and explores recent cybersecurity regulations introduced by the European Union and the United States government. Before we get started, a couple of statistics from IBM that highlight the increasing importance and potential positive ROI from having a robust cyber defense strategy:
USD 4.45 million - The global average data breach cost in 2023 was USD 4.45 million, a 15% increase over 3 years.
USD 1.76 million - The average savings for organizations that use security AI and automation extensively is USD 1.76 million compared to organizations that don’t.E
European Union's Tightened Cybersecurity Requirements
In response to escalating cyber threats to critical infrastructure and services, the European Union (EU) has recently tightened its cybersecurity requirements by publishing the NIS2 directive. The updated directive, estimated to apply to 160,000 companies that provide essential services within EU countries, aims to strengthen the security and resilience of network and information systems. For example, Article 23 states that: “Within 72 hours of the incident, organizations must submit an initial assessment of the incident, including severity, impact, and indicators of compromise.”
United States Government Reporting Requirements
With similar goals, the United States government has introduced updated reporting requirements around IT security incidents. The Securities and Exchange Commission (SEC) issued final cybersecurity disclosure rules in July, requiring publicly traded companies to submit a:
“Form 8-K [within 4 days of] any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.”
Ask your CISO or your security team how long it would take them to determine all systems impacted by a cybersecurity incident, and you will find that 72 or 96 hours is an extremely limited time to come up with these crucial answers. There are many examples of security teams being woefully unprepared to assess the impact of an incident correctly. The latest that comes to mind is Okta disclosing in early November (after 35 days of investigation) that less than 1% of customer accounts had been affected by a breach, only to correct that message 61 days after the incident that the breach actually affected 100% of their customers. For anyone curious, this is the Form 8-K report Okta filed with the SEC. This is a security company taking not 3 or 4, but 61 days to assess the impact of a security incident. This begs the question: How long would this take you? Where would you start? What’s the first tool you would open to begin assessing impact?
Scrutinizing Network Traffic for Security Incidents
In the vast majority of security incidents, the network was used to gain access and to exfiltrate any sensitive data. So any metadata about network traffic (network flow data) is the obvious first place to start your assessment of a past incident or to observe an attack as it happens. Network traffic serves as the lifeblood of any organization's digital infrastructure. By scrutinizing network traffic details, businesses can gain invaluable insights into their IT ecosystem. This includes identifying normal behavior patterns, detecting anomalies that may indicate a security incident, and ensuring optimal performance. ElastiFlow empowers organizations to delve deep into their network data, offering visibility crucial for preemptive threat detection and efficient incident response.
Organizations need to have a strong understanding of their network traffic to protect themselves from cyberattacks. This includes being able to identify and investigate suspicious activity.
One of the best ways to do this is to collect and analyze network flow data. Network flow data is a record of all network traffic, including the source and destination IP addresses, ports, protocols, and bytes transferred.
By analyzing network flow data, organizations can identify anomalous activity indicative of a cyberattack or a potential nefarious actor. For example, an organization might see a sudden increase in traffic from a particular IP address, or a large number of connections to a port that is not typically used.
Security Benefits of Collecting Unsampled Flow Data
Most monitoring and observability tools do not collect unsampled network flow data. Often due to the expense of storing this data, they sample it. This means that some traffic won’t be recorded and valuable data may be discarded. This can make it difficult to interrogate the data and identify and investigate suspicious activity. Sure, sampled flow data will enable you to identify brute force attacks such as UDP Flood attacks, but more subtle external prodding or testing may be entirely skipped over.
Sampled flow data will also restrict your ability to benefit from the rich insights likely to come from applying AI tools. Exposing a rich lake of network data to AI, along with application and SecOps data, can reveal unique security insights that might be overlooked if you are only storing sampled flow data.
For these reasons, scrutinizing your network's unsampled flow data, can improve your organization's cybersecurity posture and better protect you from potential and actual cyberattacks.
How ElastiFlow Supports Compliance
ElastiFlow stands at the forefront of empowering organizations to meet and exceed cybersecurity regulations. By offering granular insights into network traffic details, ElastiFlow enables businesses to:
Detect Anomalies as they happen: Identify unusual patterns in network behavior that may indicate a security incident.
Track the path an attacker took through your network: Deep network explorability to perform network forensics and quickly assess the impact of a breach.
Expedite Incident Response: Facilitate swift response to security incidents by offering real-time visibility into network activity.
ElastiFlow is committed to arming organizations with the network traffic insights needed to navigate the complex cybersecurity landscape. Scrutinizing network traffic details isn't just a best practice; it's crucial to compliance with evolving regulations. Scrutinizing your network's unsampled flow data is an essential part of any cybersecurity strategy. By doing so, you can improve your organization's ability to identify and investigate suspicious activity, and better protect yourself from cyberattacks.
Whether adhering to the EU's tightened cybersecurity requirements or meeting the reporting obligations set by the SEC, ElastiFlow stands as an indispensable ally in fortifying your organization's cybersecurity posture. Here's to a year of empowering businesses to safeguard their digital frontiers with unparalleled network visibility!
As well as offering a free version, ElastiFlow also provides a 30-day free trial of our complete offering. You can get a free license here. Thanks for reading!